Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource

Malaysia: Guidelines Issued on Data Breach Notification and Data Protection Officer Appointment
https://privacymatters.dlapiper.com/2025/03/malaysia-guidelines-issued-on-data-breach-notification-and-data-protection-officer-appointment/
Tue, 04 Mar 2025 12:16:46 +0000

Following Malaysia’s introduction of data breach notification and data protection officer (“DPO”) appointment requirements in last year’s significant amendments to the Personal Data Protection Act (“PDPA”) (click here for our summary), the Personal Data Protection Commissioner of Malaysia (“Commissioner”) recently released guidelines that flesh out such requirements, titled the Guideline on Data Breach Notification (“DBN Guideline”) and the Guideline on Appointment of Data Protection Officer (“DPO Guideline”). With the data breach notification and DPO appointment requirements set to come into force on 1 June 2025, organisations subject to the PDPA, whether data controllers or processors, are recommended to understand and adapt to these guidelines to ensure compliance.

DBN Guideline

When must a personal data breach be notified to the regulator and affected data subjects?

A data controller must notify a personal data breach to both the Commissioner and affected data subjects if it causes or is likely to cause “significant harm”, which includes a risk of any of the following:

  • physical harm, financial loss, a negative effect on credit records, or damage to or loss of property;
  • misuse of personal data for illegal purposes;
  • compromise of sensitive personal data;
  • combination of personal data with other personal information that could potentially enable identity fraud; or
  • (for the purpose of notification to the Commissioner only) a breach of “significant scale”, i.e. involving more than 1,000 affected data subjects.

What is the timeframe to make data breach notifications?

The timeframe for notifications is as follows:

  • Notification to the Commissioner: as soon as practicable and within 72 hours from the occurrence of the breach. If notification cannot be made to the Commissioner within 72 hours, a written notice detailing the reasons for the delay and providing supporting evidence must be submitted; and
  • Notification to affected data subjects: without unnecessary delay and within seven days of notifying the Commissioner.

What are the other key obligations related to personal data breaches?

A data controller should:

  • DPA: contractually obligate its data processor to promptly notify it of a data breach and to provide it with all reasonable and necessary assistance to meet its data breach notification obligations;
  • Management and response plans: put in place adequate data breach management and response plans;
  • Training: conduct periodic training as well as awareness and simulation exercises to prepare its employees for responding to personal data breaches;
  • Breach assessment and containment: act promptly as soon as it becomes aware of any personal data breach to assess, contain, and reduce the potential impact of the data breach, including taking certain containment actions (such as isolating compromised systems) and identifying certain details about the data breach in its investigation; and
  • Record-keeping: maintain a register of the personal data breach for at least two years to document the prescribed information about the data breach.

DPO Guideline

Who is required to appoint a DPO?

An organisation, in the role of either a data controller or a data processor, is required to appoint a DPO if its processing of personal data involves:

  • personal data of more than 20,000 data subjects;
  • sensitive personal data including financial information of more than 10,000 data subjects; or
  • activities that require “regular and systematic monitoring” of personal data.

Who can be appointed as a DPO?

DPOs may be appointed from among existing employees or through outsourcing services based on a service contract. They must:

  • Expertise: demonstrate a sound level of prescribed skills, qualities and expertise;
  • Language: be proficient in both Malay and English languages; and
  • Residency: be either resident in Malaysia or easily contactable via any means.

What are the other key obligations related to DPO appointments?

A data controller required to appoint a DPO should:

  • Notification: notify the Commissioner of the appointed DPO and their business contact information within 21 days of the DPO appointment;
  • Publication: publish the business contact information of its DPO through:
      • its website and other official media;
      • its personal data protection notices; or
      • its security policies and guidelines; and
  • Record-keeping: maintain records of the appointed DPO to demonstrate compliance.

A data processor required to appoint a DPO should comply with the publication and record-keeping obligations above in relation to its DPO.

Next Steps

The new guidelines represent a significant step in the implementation of the newly introduced data breach notification and DPO appointment requirements. All organisations subject to the PDPA, whether data controllers or processors, should carefully review the guidelines and take steps to ensure compliance by 1 June 2025. This includes updating relevant internal policies (such as data breach response plans and record-keeping and training policies) and contracts with data processors to align with the guidelines. Additionally, organisations should assess whether a DPO appointment is necessary and, if so, be prepared to complete the appointment and notification processes and update their privacy notices, websites and other media to include DPO information.

Europe: EDPB coordinated enforcement action identifies areas of improvement to promote the role and recognition of DPOs
https://privacymatters.dlapiper.com/2024/01/europe-edpb-coordinated-enforcement-action-identifies-areas-of-improvement-to-promote-the-role-and-recognition-of-dpos/
Tue, 30 Jan 2024 13:34:26 +0000

Background

March 2023 saw the launch of the European Data Protection Board’s (EDPB’s) second coordinated enforcement action (CEF 2023), which focused on the designation and position of Data Protection Officers (DPOs). Data Protection Authorities (DPAs) across the EEA have launched coordinated investigations into this topic. In particular, DPAs have been investigating whether DPOs have the position in their organisations required by Art. 37-39 GDPR and the resources needed to carry out their tasks.

On 17 January 2024, the EDPB adopted a report on the findings of supervisory authorities participating in the CEF 2023. In particular, the report analyses the challenges faced by DPOs and organisations that have designated a DPO, and how these may impact compliance with data protection laws. The report also includes recommendations that organisations, DPOs and supervisory authorities may take into account to address these challenges.

Challenges faced by DPOs

Although the EDPB’s report recognises positive findings for many DPOs, it concludes that a number of DPOs still face obstacles, including:

  • an absence of designation of a DPO, even where appointment is mandatory;
  • insufficient resources allocated to the DPO;
  • insufficient expert knowledge and training of the DPO;
  • DPOs not being fully or explicitly entrusted with the tasks required under data protection law;
  • conflict of interests and lack of independence of the DPO;
  • a lack of reporting by the DPO to the organisations’ highest management level; and
  • a requirement for further guidance from supervisory authorities.

Recommendations to address these challenges

In order to address the challenges identified, the report lists recommendations for organisations, DPOs and DPAs. These include:

  • encouraging DPAs to raise awareness amongst organisations of their obligation to appoint a DPO, through the promotion of existing guidance and enforcement actions, and providing further guidance, additional training materials and training sessions that could help a DPO navigate complex issues; and
  • encouraging organisations to ensure DPOs have sufficient resources to properly exercise their function and are given sufficient opportunities, time and resource to refresh their knowledge and learn about the latest developments.

EDPB conclusions

Despite the challenges identified in the report, the EDPB concludes that the overall results of the survey are encouraging, with the majority of DPOs confirming that they receive regular training and have the necessary skills and knowledge to do their job. However, the report emphasises the need to strengthen the role and recognition of DPOs, in order to ensure compliance with data protection laws.

The report also recognises that the role of the DPO seems to be changing in practice, with DPOs being tasked with key roles under new EU legislation introduced as part of the EU Data Strategy, such as the AI Act, the Digital Services Act, the Digital Markets Act and the Data Act. The EDPB concludes that organisations will need to consider how DPOs are tasked, utilised and supported, to ensure that these new roles avoid issues such as conflicts of interests or insufficient resources at the disposal of the DPOs.

The EDPB has confirmed that the CEF 2024 action will focus on the implementation of the right of access by data controllers.

France: the CNIL has released its annual dawn raid Program for 2023: four national priorities and one priority coming from the EDPB!
https://privacymatters.dlapiper.com/2023/03/france-the-cnil-has-released-its-annual-dawn-raid-program-for-2023-four-national-priorities-and-one-priority-coming-from-the-edpb/
Mon, 20 Mar 2023 12:20:27 +0000

Authors: Denise Lebeau-Marianna, Divya Shanmugathas and Lucie Dubecq-Princeteau

On 15 March 2023, the French Supervisory Authority (the “CNIL”) unveiled in a post its four key priorities for its upcoming investigations in 2023, targeting specific sectors (1), to which it added another topic related to DPOs, in line with the coordinated enforcement framework of the European Data Protection Board, to gauge whether DPOs can properly exercise their function (2).

As a reminder, in 2022, the CNIL priority topics were (i) direct marketing, (ii) monitoring telework and (iii) the use of cloud computing (see our previous post).

1. The national key priorities for 2023

  • Use of “smart” cameras by public stakeholders

With the upcoming 2024 Olympic and Paralympic Games in France and the usage of such devices in large-scale sporting events planned for 2023 (rugby world cup), the CNIL provided guidance and published opinions on the use of so-called “smart” cameras:

  • Last July, the CNIL published its position on the deployment of these cameras in public spaces. This document provides guidance on the conditions applicable to the use of this technology which presents high risks to the data subjects’ right to privacy.
  • At the end of last year, the CNIL also gave its opinion on the draft Law relating to the 2024 Olympic and Paralympic Games which notably introduces the possibility to implement, on an experimental basis, smart cameras in areas accessible to the public for detecting and reporting in real-time predetermined events likely to threaten the safety of people.

The CNIL’s roadmap for its dawn raids in 2023 is thus to check that the use of “smart” cameras complies with the legal framework.

  • The use of the personal credit repayment incidents file by banks

A file named “Fichier des incidents de crédit aux particuliers” (FICP) (personal credit repayment incidents file), held by the Banque de France, includes information on payment incidents related to overdrafts and loans granted for non-professional needs, as well as information on over-indebtedness. Banks are required to consult this file before granting a loan. Given the sensitivity of such a file, the related processing activities represent a high risk for data subjects.

It is therefore paramount to ensure that the entries in this file are accurate and that the data retention period and the conditions of management of the file comply with data protection law (e.g., management of data subjects’ rights). The CNIL will also check the measures implemented to ensure the security of the data.

  • The access to the electronic patient record in health care institutions

The security of health data has already been under the CNIL’s scrutiny over the past years and subject to investigations in 2020 and 2021 in health care institutions.

For 2023, the CNIL will continue to focus on the health care sector. Particular attention will be paid to the conditions of access to the electronic patient record in health care institutions, and in particular the technical and organizational security measures implemented to ensure the security of health data. This decision follows several complaints filed with the CNIL about unauthorized access by third parties to patient records held by health care institutions.

  • Tracking of users by mobile applications

Phone manufacturers enable application publishers to track users for advertising, statistical or technical purposes (e.g., Apple IDFA, IDFV and Google AAID). Such identifiers, equivalent to cookies, are generally used without informing the user or obtaining consent. While the CNIL presented its three-step action plan in November 2022 to protect privacy in the context of mobile app usage (see, in French only), several investigations have been carried out by the CNIL on applications accessing identifiers generated by the smartphone operating system without the users’ consent. The CNIL will continue its investigations in 2023.

Last December, the CNIL already issued a fine of €3 million against a company publishing video games for smartphones which used Apple’s IDFV identifier for advertising purposes without the users’ valid consent (see, in French only).

2. Support to the coordinated enforcement framework regarding Data Protection Officers

On the same day as the CNIL’s publication, the European Data Protection Board (EDPB) issued a press release announcing the launch of a coordinated enforcement action to assess whether Data Protection Officers (DPOs) have the position required by the GDPR in their organization. The CNIL will verify the conditions of appointment and the modalities of exercise of the DPO function.

In France, the CNIL has already published a practical guide on DPOs (see our previous post). In line with the EDPB, it is likely that the CNIL will send questionnaires for fact finding, determine whether an investigation is relevant, and conduct investigations where appropriate. The results of this initiative will be analyzed in a coordinated manner and the Supervisory Authorities will decide whether national supervision and enforcement actions are necessary. The EDPB will publish a report on the outcome of this analysis in an aggregated format.

Once again, the coming year promises to be a busy one for the CNIL and organizations targeted by this new annual dawn raid program.

For more information, please contact denise.lebeau-marianna@dlapiper.com, Partner.