Regardless of whether businesses in Malaysia choose an in-house or external Data Protection Officer (DPO), they are required to officially inform the Department of Personal Data Protection (PDPD) of the appointment.
This requires businesses to do two things:
- Issue an official DPO appointment letter
- Register themselves and their DPO on the PDPD portal
Having completed the process on behalf of our clients, we’ve prepared a step-by-step guide to help businesses appointing internally to ensure the registration is done in full compliance with PDPD requirements, including a free editable DPO appointment letter.
Step 1. PDPD portal registration page
The first step is to go to the official PDPD registration portal.
You will be asked to confirm if your organisation:
- processes personal data of more than 20,000 individuals
- stores financial, biometric, or health data of more than 10,000 individuals
- carries out regular and systematic monitoring of personal data
Answering “No” to all thresholds means your organisation does not currently need to register a DPO.
If you answer “Yes” to even one, the system will confirm that registration is required and prompt you to proceed.
Step 2. Account sign-up
You will arrive at the sign-up form where you must provide:
- organisation name
- official DPO email address
- a strong password following PDPD’s criteria

Step 3. Complete and submit form
After filling in the organisation name, DPO email, and password, click Submit.

Step 4. Account registration confirmation
If your details are accepted, you will see a pop-up confirming that the DPO account registration was successful. The portal will prompt you to check the DPO’s email inbox for a verification email.

Step 5. Verification email
You will receive an email with an activation link that is valid for 24 hours.
Make sure to click it promptly or the application will expire and you will need to start again.
Step 6. Email successfully verified
Once you have clicked the verification link, the portal confirms that your email has been successfully verified. You can now log into the system using your registered email and password.
Step 7. TAC email
For added security, the portal uses a TAC code (similar to online banking). A 6-digit TAC will be sent to the registered DPO email. This code is only valid for 5 minutes, so you will need to retrieve it quickly.
Step 8. Enter TAC number
After entering the TAC number, the system will allow you to complete your login.
Step 9. Dashboard view
You will then arrive at your organisation’s dashboard. From here, you can manage both your organisation’s information and your DPO’s details.
Step 10. Update organisation details
Click on “Kemaskini” to update your organisation’s particulars in the system.
Step 11. Add DPO details
Next, click on “Tambah DPO” to input the appointed DPO’s information and provide:
- officer’s name, nationality, IC/passport number
- contact details
- appointment status and date
- supporting documents (e.g. Letter of Appointment, qualifications, etc.)
Step 12. Final confirmation
Once everything is submitted, you will receive a confirmation notice acknowledging the registration of your organisation’s DPO.
This is the final step. Keep this confirmation for your compliance records.
Practical tips and best practices
Do an internal assessment first
Coordinate with your IT or legal team to confirm whether your organisation meets any of the thresholds. Keep a written record of your assessment — especially if you conclude that registration is not required — as this supports your decision and can help address any queries during an audit.
Use a dedicated email for your DPO
Under the DPO Appointment Guideline, the DPO must have an official email that is:
- actively monitored
- used exclusively for PDPD communications
- separate from personal or work emails
Verify your login credentials carefully
Double-check the email and password before submission — these will serve as your official login credentials for all future access to the DPO record.
Prepare a formal Letter of Appointment (LOA)
This document is mandatory. The LOA should clearly specify the:
- term of appointment (consistent with what you enter in the system)
- DPO’s duties and responsibilities
If the DPO has attended any relevant training or holds a certification, include the course details and certificate as supporting documents to demonstrate competency and readiness.
Sample DPO appointment letter
Private & Confidential
Date:
From:
(Registration No.: )
To:
(NRIC No.: )
Re: Appointment as Data Protection Officer (DPO)
1. Appointment:
We,
(Registration No.: ) (“Organisation”) hereby appoint
(NRIC No.: )
to be the Organisation’s Data Protection Officer (“DPO”) pursuant to the Personal Data Protection Act 2010 (Act 709) and related guidelines.
2. Term:
This appointment shall commence on and shall continue for a term of twenty-four (24) months until . The appointment may be renewed for such further period as may be mutually agreed in writing by the Parties prior to its expiry.
3. Duties & Obligations:
- Act as the primary contact person for all personal data protection compliance matters, including:
  - Facilitating communication between data subjects and the Organisation regarding the processing of their personal data and their rights; and
  - Liaising with the Personal Data Protection Commissioner on behalf of the Organisation.
- Advise and support the Organisation on compliance with the Personal Data Protection Act 2010 and related guidelines.
- Assist in developing, implementing and monitoring the Organisation’s data protection policies and practices.
- Perform such other responsibilities as may be reasonably required to ensure compliance with applicable data protection laws and regulations.
4. Support and Responsibility:
- The Organisation shall provide the DPO with adequate support, access, resources, and infrastructure as may be reasonably necessary to facilitate the performance of the duties and obligations set out above.
- The Organisation agrees and acknowledges that ultimate responsibility for compliance with the Personal Data Protection Act 2010 and related guidelines shall remain with the Organisation in our capacity as data controller or data processor, as the case may be.
5. Contact Details of the DPO:
- Name:
- Designated email address:
- Mobile phone number:
The DPO shall promptly inform the Organisation of any changes to his contact details to ensure that the information remains current and accessible at all times, in line with the accountability requirements under the Personal Data Protection Act 2010.
Yours faithfully,
__________________________
Name:
NRIC No./Passport No:
Designation:
Email Address:
Acceptance and Acknowledgement
I, the undersigned, acknowledge and accept my appointment as the DPO in accordance with the terms stated above.
__________________________
Name:
NRIC No:
Email Address:
Book a free DPO readiness consultation
Registering your DPO through the PDPD portal is a key first step toward compliance with Malaysia’s updated PDPA framework.
But true compliance goes beyond registration. It’s about ensuring your appointed DPO is:
- Competent – trained and familiar with PDPA obligations
- Independent – able to act without conflict of interest
- Properly resourced – given the authority and tools to monitor compliance effectively
If you need support with registering your DPO, preparing the appointment documents, or would like to explore outsourcing or appointing a backup DPO, feel free to reach out to us.