Data Protection Officer Requirements by Country (2026)
A Data Protection Officer (DPO) is a designated compliance professional required by law in dozens of jurisdictions worldwide. Under the EU General Data Protection Regulation (GDPR), Articles 37 through 39 set the foundational rules that most national frameworks have since adopted or adapted. This guide explains who must appoint a DPO, what the role requires, and how the obligation varies across major global regimes as of May 2026.
Information last verified on 2026-05-19. This article has not yet been reviewed by a licensed lawyer.
Jurisdiction scope: This article covers DPO and DPO-equivalent requirements under the EU GDPR, UK GDPR, and selected national privacy laws in Brazil, China, India, South Korea, Singapore, Malaysia, Thailand, South Africa, the UAE (federal PDPL, DIFC, ADGM), Indonesia, and Vietnam. Statutes are cited as in force on 2026-05-19.
What Is a Data Protection Officer?
A Data Protection Officer is an individual designated by an organisation to serve as the internal authority on data protection compliance. Article 39 of the GDPR defines the DPO's core tasks: informing and advising the controller and processor (and their employees) of data protection obligations; monitoring compliance with the GDPR and with the controller's own policies; advising on data protection impact assessments (DPIAs); cooperating with the supervisory authority; and acting as the contact point for data subjects and the supervisory authority.
The concept gained global traction after the GDPR took effect on 25 May 2018. Regulators across South America, Asia, and Africa have since built DPO-equivalent requirements into national privacy statutes, though the specific triggers, qualifications, and reporting lines differ substantially by jurisdiction.
Not every organisation needs a DPO. The obligation typically turns on the type of data processed, the scale of processing activities, and whether the organisation is a public body. For multinational organisations, overlapping obligations can arise simultaneously under two or more regimes.
The GDPR DPO Rules: Articles 37, 38, and 39
The GDPR establishes the foundational DPO framework that most other jurisdictions have used as a reference. Articles 37 through 39 of Regulation (EU) 2016/679 set out the appointment triggers, qualifications, operational requirements, and tasks.
The Three Mandatory Appointment Triggers (Article 37)
Under Article 37(1) of the GDPR, a data controller or processor must designate a DPO when any one of three conditions is met:
Trigger 1: Public authority or body. The processing is carried out by a public authority or body, except for courts acting in their judicial capacity. This covers government departments, municipalities, public universities, state-owned enterprises, and similar entities across the EU and EEA.
Trigger 2: Large-scale regular and systematic monitoring. The controller's or processor's core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale. The WP29 guidelines (WP243rev.01, endorsed by the EDPB) give geolocation tracking via mobile applications and systematic CCTV monitoring of public spaces as examples. The GDPR does not define "large scale" by a precise number; the WP29 guidance instructs controllers to consider the number of data subjects, volume of data, geographic extent, duration, and the nature of the processing. A single hospital processing health data for its patient population qualifies; a sole-practitioner doctor treating individual patients does not.
Trigger 3: Large-scale processing of special-category or criminal data. The controller's or processor's core activities consist of large-scale processing of special categories of data under Article 9 (including racial or ethnic origin, health data, biometric data, and data concerning sexual orientation) or of personal data relating to criminal convictions and offences under Article 10.
The term "core activities" is critical. The EDPB clarifies that it refers to the primary business operations, not ancillary support functions. An insurer processing health data to assess risk is engaged in a core activity; a law firm processing employee payroll data is not, even though payroll involves personal data.
"The concept of 'core activities' can be interpreted as the key operations necessary to achieve the controller's or processor's goals. For example, a hospital cannot provide healthcare without processing patients' health data, so the processing of this data constitutes a core activity." -- WP29, Guidelines on Data Protection Officers (WP243rev.01), 5 April 2017
DPO Qualifications (Article 37(5))
Article 37(5) of the GDPR requires the DPO to possess "expert knowledge of data protection law and practices." No specific academic degree or professional certification is mandated at the EU level. The required level of expertise scales with the complexity of the organisation's data processing operations. For a large-scale processor of sensitive data, a high level of specialist knowledge is expected. For a smaller public body with straightforward processing, a proportionate level of knowledge suffices.
In practice, certifications such as the CIPP/E (Certified Information Privacy Professional/Europe) and CIPM (Certified Information Privacy Manager) from the International Association of Privacy Professionals (IAPP) are widely treated as evidence of the required expertise, though they remain voluntary under EU law.
Position and Independence (Article 38)
Article 38 establishes the operational requirements that protect the DPO's independence:
- The DPO must be involved, properly and in a timely manner, in all matters relating to the protection of personal data.
- The controller and processor must support the DPO by providing the resources necessary to carry out their tasks, access to personal data and processing operations, and the means to maintain their expert knowledge.
- The DPO must report directly to the highest level of management of the controller or processor.
- The DPO cannot be dismissed or penalised for performing their tasks.
- The DPO may fulfil other tasks, but there must be no conflict of interest.
The conflict-of-interest requirement has been a focus of significant enforcement action. The EDPB confirms that roles which determine the purposes and means of data processing inherently conflict with the DPO position. This includes: Chief Executive Officer, Chief Operating Officer, Chief Technology Officer, Head of IT, Head of Human Resources, Head of Marketing, and in most contexts, Head of Legal (where legal counsel advises on the very processing decisions the DPO must independently oversee).
In 2025, the Polish data protection authority (UODO) issued an administrative fine of EUR 132,000 against an organisation for improper DPO positioning, including a conflict of interest from the DPO simultaneously holding compliance, audit, and risk management roles (UODO Decision, 2025). The Berlin Commissioner for Data Protection separately fined a retail group EUR 525,000 for a comparable Article 38(6) violation.
The DPO's Tasks (Article 39)
Article 39 defines five categories of mandatory tasks:
- Informing and advising the controller, processor, and their employees of their data protection obligations under the GDPR and other EU or member-state data protection law.
- Monitoring compliance, including the assignment of responsibilities, awareness-raising, training of staff involved in processing operations, and related audits.
- Providing advice where requested on DPIAs and monitoring their performance under Article 35.
- Cooperating with the supervisory authority.
- Acting as the contact point for the supervisory authority on issues relating to processing and consulting it where appropriate.
Penalties for DPO Non-Compliance (Article 83(4))
Failure to designate a required DPO, interfering with the DPO's independence, or failing to publish DPO contact details falls under Article 83(4)(a), which permits fines of up to EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.
The EDPB's DPO Guidance and the 2024 Coordinated Enforcement Action
The WP29 Guidelines on Data Protection Officers (WP243rev.01), adopted in December 2016 and revised in April 2017, remain the primary interpretive authority on Articles 37 through 39. The EDPB endorsed these guidelines at its first plenary meeting in May 2018.
In January 2024, the EDPB published the report of its 2023 Coordinated Enforcement Action (CEF 2023) on DPO designation and position. The investigation involved 25 data protection authorities across the EEA, which reviewed over 17,000 responses from organisations and DPOs across the private and public sectors. Key findings included:
- A significant number of organisations required to designate a DPO had not done so.
- Many designated DPOs lacked sufficient expert knowledge for the complexity of the processing they oversaw.
- DPOs frequently reported insufficient resources: inadequate time, budget, and staffing.
- Inadequate independence remained widespread, with some DPOs reporting pressure from management to modify compliance assessments.
- DPOs were not always involved at the outset of new data processing projects.
The EDPB recommended that data protection authorities increase awareness-raising activity and targeted enforcement. The full report is available at edpb.europa.eu.
EU Member State Variations
While the GDPR sets a minimum floor, member states may impose additional requirements through national implementing legislation.
Germany. The Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), Section 38, requires DPO appointment for any organisation that regularly employs at least 20 persons engaged in automated processing of personal data. This threshold is substantially lower than the GDPR's large-scale standard and captures many small and mid-sized businesses.
France. The CNIL recommends broad DPO adoption but does not add mandatory appointment triggers beyond the GDPR. France registered over 80,000 DPOs with the CNIL by 2024, reflecting strong institutional adoption of the role.
Romania. The National Supervisory Authority (ANSPDCP) requires DPOs to hold formal qualifications recognised by the authority, making Romania one of the few EU member states imposing a de facto certification requirement.
Poland. The Polish data protection authority (UODO) requires notification of DPO appointment within 14 days and publishes a public register. In 2025, the UODO issued a EUR 5,814 fine for failure to designate a DPO and failure to publish DPO contact details (UODO Decision, 2025).
United Kingdom (UK GDPR and DPA 2018)
Since Brexit, the UK operates under the UK GDPR and the Data Protection Act 2018 (DPA 2018). The DPO appointment triggers mirror the EU GDPR's three-part Article 37 structure. The Information Commissioner's Office (ICO) provides guidance at ico.org.uk.
The Data Protection and Digital Information Bill, introduced in 2023, proposed replacing the mandatory DPO requirement with a more flexible "senior responsible individual" (SRI) model. As of May 2026, the Bill has not been enacted, and the UK GDPR DPO requirement remains in force.
DPO-Equivalent Requirements in Other Jurisdictions
Brazil (LGPD) -- Encarregado
Brazil's Lei Geral de Proteção de Dados (LGPD), Law 13.709/2018, effective September 2020, requires every data controller to appoint an encarregado under Article 41. Unlike the GDPR, Brazil's obligation applies to all controllers regardless of size or processing type. The encarregado accepts complaints from data subjects, provides information to data subjects and the ANPD, cooperates with the ANPD, and guides internal compliance efforts.
The ANPD's Resolution CD/ANPD No. 2 of January 2022 relaxed the obligation for small businesses and microenterprises classified under Brazilian law, allowing voluntary rather than mandatory designation. No specific qualifications are prescribed. The role may be performed by an individual or an external organisation; there is no local-presence requirement.
China (PIPL) -- Person Responsible for Personal Information Protection
China's Personal Information Protection Law (PIPL), effective 1 November 2021, requires organisations processing personal information of more than 1 million individuals to designate a person responsible for personal information protection under Article 52. The responsible person must be based in China, or the organisation must establish a dedicated entity or designate a representative within China. The responsible person's name and contact information must be publicly disclosed and reported to the relevant Cyberspace Administration of China (CAC) department.
Penalties for violations, including failure to designate a responsible person, can reach CNY 50 million (approximately USD 7 million) or 5% of the prior year's revenue, whichever is higher.
India (DPDPA 2023) -- DPO for Significant Data Fiduciaries
India's Digital Personal Data Protection Act, 2023 (DPDPA), enacted 11 August 2023, requires "Significant Data Fiduciaries" (SDFs) to appoint a Data Protection Officer based in India under Section 10(2)(a). The DPDP Rules, notified by MeitY on 13 November 2025 and progressively effective through 2026-2027, define the SDF criteria and DPO responsibilities.
SDFs are classified by the government based on volume of personal data processed, sensitivity of data, risk to data principals, national security considerations, and potential impact on the rights of data principals. The DPO must be a senior officer of the SDF based in India, must report to the board of directors, and serves as the contact point for the Data Protection Board of India. SDFs must also conduct periodic DPIAs and appoint an independent data auditor. The maximum fine for non-compliance is INR 250 crore (approximately USD 30 million).
Singapore (PDPA) -- Universal Mandatory DPO
Singapore's Personal Data Protection Act 2012 (PDPA), administered by the Personal Data Protection Commission (PDPC), requires every organisation subject to the PDPA to designate at least one individual as its DPO under Section 11(3). There is no minimum processing threshold. The obligation extends to holding companies, dormant companies, and organisations ceasing operations while they continue handling personal data.
As of 1 June 2025, the PDPC requires organisations to notify it of their DPO's contact details. No specific qualifications are mandated by law, though the DPO must possess adequate knowledge of the PDPA to guide the organisation effectively.
Malaysia (PDPA as amended 2024)
Malaysia's Personal Data Protection Act 2010 (PDPA) was substantially amended by the Personal Data Protection (Amendment) Act 2024. The amendment mandates DPO appointment for data controllers and processors that process large volumes of personal data, handle sensitive personal data, or conduct regular and systematic monitoring of individuals. The amendment came into force in stages between January and June 2025.
Key requirements: the DPO must be a Malaysian resident for at least 180 days per year; the Commissioner must be notified of the DPO's appointment; the DPO advises on PDPA obligations, monitors compliance, conducts impact assessments, and serves as the contact point with the Commissioner. Outsourced DPO services are permitted provided the residency requirement is met.
South Korea (PIPA) -- CPO and 2026 CEO Accountability Amendment
South Korea's Personal Information Protection Act (PIPA), significantly amended in 2023, requires all personal information controllers and processors to designate a Chief Privacy Officer (CPO) under Article 31. The CPO must hold decision-making authority within the organisation. Public institutions must designate the CPO at senior executive officer level. The CPO's name, department, and contact details must be publicly disclosed.
On 12 February 2026, the National Assembly passed a further amendment to PIPA, promulgated 10 March 2026 and effective 11 September 2026. The 2026 amendment: designates the CEO or business representative as the "ultimate person responsible for data protection"; requires CPO appointment, reassignment, or removal by formal board resolution with notification to the Personal Information Protection Commission (PIPC) for organisations above a size threshold; requires the CPO to report directly to both the CEO and the board; and introduces an aggravated penalty ceiling of 10% of total turnover for repeated or serious violations.
Thailand (PDPA)
Thailand's Personal Data Protection Act B.E. 2562 (2019), fully effective from 1 June 2022, requires DPO appointment for public authorities, organisations conducting large-scale regular and systematic monitoring, and organisations whose primary activities involve processing sensitive personal data (Sections 41-42 PDPA). The PDPC's Notification on Appointment of Data Protection Officers, effective 13 December 2023, provides detailed implementation guidance.
A Royal Gazette notification of 9 October 2025 extended mandatory DPO requirements to all state agencies. The DPO may be an employee or an external contractor. The DPO's contact information must be provided to the PDPC. In March 2026, the PDPC opened a public consultation on updated PDPA guidelines, with DPO obligations among the priority areas.
South Africa (POPIA) -- Information Officer
South Africa's Protection of Personal Information Act 4 of 2013 (POPIA), fully effective from 1 July 2021, requires every responsible party (controller) to register an Information Officer with the Information Regulator under Section 56. For private-sector organisations, the head of the organisation is the default Information Officer. A Deputy Information Officer may be designated for day-to-day compliance duties. All Information Officers and Deputy Information Officers must be registered on the Information Regulator's public register. Penalties for non-compliance include fines up to ZAR 10 million (approximately USD 550,000) and imprisonment of up to 10 years.
UAE (Federal PDPL, DIFC, ADGM)
The United Arab Emirates has three overlapping but distinct data protection frameworks with different DPO requirements:
Federal PDPL. UAE Federal Decree-Law No. 45 of 2021 (PDPL) requires controllers to appoint a DPO when: processing involves systematic large-scale handling of sensitive personal data; processing poses a high risk to the privacy and confidentiality of personal data; or processing involves large-scale, sensitive, or systematically automated profiling. Once appointed, the controller or processor must notify the UAE Data Office of the DPO's contact details. The DPO may be an internal employee or an external service provider.
DIFC. The Dubai International Financial Centre operates under DIFC Law No. 5 of 2020 (Data Protection Law). DPO appointment is mandatory for DIFC bodies and for any controller or processor conducting High Risk Processing Activities on a systematic or regular basis. The DPO must reside in the UAE, unless the individual is employed within the organisation's group and performs an equivalent function internationally. The organisation must publish the DPO's contact details. Amended Data Protection Regulations enacted in September 2023 further aligned the framework with international standards.
ADGM. The Abu Dhabi Global Market operates under the ADGM Data Protection Regulations 2021. A DPO must be appointed for firms whose core activities involve regular and systematic processing of personal data on a large scale, or large-scale processing of special categories of personal data. The controller or processor must notify the ADGM Commissioner of Data Protection of the DPO's appointment within one month of appointment.
Indonesia (PDP Law 2022)
Indonesia's Law No. 27 of 2022 on Personal Data Protection took full effect on 17 October 2024. Article 53 requires appointment of a DPO where the processing is carried out for the interest of public services, the core activities require regular and systematic monitoring of personal data on a large scale, or the core activities involve large-scale processing of special categories of personal data.
In July 2025, Indonesia's Constitutional Court (Decision No. 151/PUU-XXII/2024) issued a ruling that broadened the scope of mandatory DPO appointment beyond the initial statutory thresholds, though implementing regulations defining the revised criteria remain pending as of May 2026.
Vietnam (PDPL 2025)
Vietnam's Law No. 91/2025/QH15 on Personal Data Protection, enacted 26 June 2025 and effective 1 January 2026, requires controllers and processors to appoint an internal data protection department or personnel, or to engage external data protection service providers. Start-ups, small enterprises, business households, and microenterprises are exempt from this requirement and from data protection impact assessment obligations.
Global DPO Requirements: Comparison Table
| Jurisdiction | Law | Role Title | Who Must Appoint | Local Presence Required | Outsourced DPO Permitted | Max Penalty |
|---|---|---|---|---|---|---|
| EU/EEA | GDPR Art. 37 | Data Protection Officer | Public bodies; large-scale systematic monitoring; large-scale special-data processing | No (must be accessible) | Yes | EUR 10M / 2% revenue |
| Germany | BDSG s. 38 | Data Protection Officer | 20+ persons in automated processing (plus GDPR triggers) | No | Yes | EUR 10M / 2% revenue |
| UK | UK GDPR / DPA 2018 | Data Protection Officer | Same as GDPR (SRI model proposed, not enacted) | No | Yes | GBP 17.5M / 4% revenue |
| Brazil | LGPD Art. 41 | Encarregado | All controllers (SME exemption via ANPD Resolution 2/2022) | No | Yes | 2% revenue (max BRL 50M/violation) |
| China | PIPL Art. 52 | Person Responsible for PI Protection | Controllers processing 1M+ individuals | Yes | No (internal expected) | CNY 50M / 5% revenue |
| India | DPDPA s. 10 / DPDP Rules 2025 | Data Protection Officer | Significant Data Fiduciaries (thresholds in Rules) | Yes (India-based) | No (senior officer of SDF) | INR 250 crore (~USD 30M) |
| Singapore | PDPA s. 11(3) | Data Protection Officer | All organisations handling personal data | No | Yes | SGD 1M |
| Malaysia | PDPA (amended 2024) | Data Protection Officer | Large-volume/sensitive/systematic-monitoring controllers and processors | Yes (180 days/yr resident) | Yes (if residency met) | MYR 1M / potential imprisonment |
| South Korea | PIPA Art. 31 (2023 + 2026 amdt.) | Chief Privacy Officer | All PI controllers and processors | No | No (internal, decision-making authority) | 10% total turnover (2026 amendment) |
| Thailand | PDPA ss. 41-42 / Dec 2023 Notification | Data Protection Officer | Public bodies; large-scale monitoring; sensitive-data processing | No | Yes | THB 5M (~USD 140K) |
| South Africa | POPIA s. 56 | Information Officer | All responsible parties | No | Deputy IO may be designated | ZAR 10M / 10 years imprisonment |
| UAE (Federal) | PDPL / Exec. Regs. | Data Protection Officer | High-risk or sensitive large-scale processing | No | Yes | Pending secondary regulations |
| DIFC | DIFC DPL No. 5/2020 | Data Protection Officer | DIFC bodies; High Risk Processing entities | Yes (UAE resident, group exception) | Subject to DPL | Regulatory action by DIFC Commissioner |
| ADGM | ADGM DP Regs 2021 | Data Protection Officer | Large-scale systematic or special-data processing | No | Subject to Regs | Regulatory action by ADGM Commissioner |
| Indonesia | PDP Law No. 27/2022 Art. 53 | Data Protection Officer | Public-service; large-scale monitoring; large-scale special-data processing | No | Pending Regs | IDR 60B (~USD 3.7M) / 6 years imprisonment |
| Vietnam | PDPL No. 91/2025 | Data Protection Personnel/Dept. | All controllers/processors (SME exemption) | No | Yes (external providers) | Pending secondary regulations |
| Japan | APPI | No formal DPO required | N/A (voluntary best practice) | N/A | N/A | JPY 100M (~USD 670K) |
| Australia | Privacy Act 1988 | No formal DPO required | N/A (voluntary; reform proposals ongoing) | N/A | N/A | AUD 50M |
| Canada | PIPEDA / Bill C-27 | Privacy Officer (mandatory under proposed CPPA) | All organisations (CPPA not yet enacted) | No | N/A | CAD 25M / 5% revenue (proposed) |
Internal vs. External DPO
Most major privacy frameworks permit the DPO role to be filled by an external contractor or shared-service DPO, provided independence and expertise standards are met. Article 37(2) of the GDPR explicitly allows a group of undertakings to designate a single DPO, provided that person is "easily accessible from each establishment."
External DPO services are commercially available in most jurisdictions and are popular among small and mid-sized businesses. Under the GDPR, the LGPD, and Thailand's PDPA, an external DPO must meet the same independence requirements as an internal one: they cannot simultaneously advise on the processing decisions they are supposed to oversee, and the organisation remains fully liable for compliance.
Jurisdictions that require internal appointment include: China (the responsible person must be an internal individual with authority within the organisation), South Korea (the CPO must hold internal decision-making authority), and India (the DPO must be a senior officer of the SDF itself).
Watch out: Using a law firm or a data privacy consultant as your DPO does not automatically satisfy independence requirements. The EDPB has noted that a legal adviser who also provides processing recommendations to the same client may hold a conflict of interest. Maintain a clear scope-of-work separation between advisory services and DPO oversight functions when using external providers.
How to Appoint and Position a DPO Effectively
Based on the EDPB's WP243rev.01 guidelines and the findings of the January 2024 CEF report, the following steps reduce compliance risk:
Step 1: Determine whether appointment is mandatory. Map all jurisdictions in which your organisation is established or processes personal data. Apply each jurisdiction's triggers. Document the analysis and review it annually or when operations change materially.
Step 2: Select a qualified candidate. The level of "expert knowledge" required scales with the complexity of the organisation's processing. A hospital DPO requires deeper expertise than a small municipality's. Certifications (CIPP/E, CIPM, CDPSE) are common evidence of expertise but are not legally required under EU law.
Step 3: Conduct a conflict-of-interest review. Identify every role the candidate holds or will hold that involves setting the purposes or means of data processing. Under the 2026 South Korea PIPA amendment, CPO appointment, reassignment, or removal requires formal board resolution. Consider similar governance mechanisms in other jurisdictions as a best practice.
Step 4: Provide adequate resources. The CEF 2023 report identified resource inadequacy as the most common operational failure. The DPO must have protected time, budget, and access to processing operations and relevant staff. Part-time DPOs are permissible but must have time sufficient for the role.
Step 5: Establish direct reporting lines. The DPO must report to the highest level of management under GDPR Article 38(3). India's DPDP Rules and South Korea's 2026 PIPA amendment require board-level reporting by statute.
Step 6: Register and notify where required. Notification obligations exist in: Singapore (PDPC, from June 2025), Malaysia (PDPA Commissioner), Poland (UODO, within 14 days), South Africa (Information Regulator), ADGM (Commissioner, within one month), and UAE federal (UAE Data Office). Publish DPO contact details in the organisation's privacy notice and on its website.
Recent Developments (2024-2026)
EDPB CEF 2023 report (January 2024). The EDPB's coordinated enforcement action examined over 17,000 responses from DPOs and organisations across 25 EEA authorities. It identified systemic gaps in DPO resourcing and independence. National authorities were recommended to follow with targeted investigations and enforcement in 2025-2026.
EU AI Act expansion of DPO workload. The obligations of the EU AI Act (Regulation (EU) 2024/1689) for high-risk AI systems enter full application on 2 August 2026. Many organisations are assigning AI compliance oversight to existing DPOs, particularly for high-risk AI systems that also process personal data and therefore require DPIAs under the GDPR.
Malaysia mandatory DPO (June 2025). The Personal Data Protection (Amendment) Act 2024 came fully into force by June 2025, establishing mandatory DPO requirements for qualifying controllers and processors with residency and notification obligations.
India DPDP Rules (November 2025). MeitY notified the DPDP Rules on 13 November 2025, activating the SDF classification framework and the DPO obligation for designated entities. The Data Protection Board of India was simultaneously established.
South Korea 2026 PIPA amendment (effective September 2026). Passed 12 February 2026, promulgated 10 March 2026. Introduces CEO as ultimate responsible person, board-resolution requirement for CPO changes, 10% of turnover penalty ceiling for aggravated violations, and mandatory ISMS-P certification for large controllers from 1 July 2027.
Vietnam PDPL (January 2026). Vietnam's first standalone data protection law entered into force, requiring data protection personnel or departments across most organisations, with exemptions for start-ups and microenterprises.
Indonesia Constitutional Court ruling (July 2025). Decision No. 151/PUU-XXII/2024 broadened mandatory DPO thresholds under the 2022 PDP Law; implementing regulations defining revised criteria remain pending.
Singapore DPO notification (June 2025). PDPC introduced a notification requirement for organisations to register DPO contact details, increasing accountability and enabling targeted supervisory outreach.
Where to Learn More
For organisations subject to the GDPR, the foundational reference is the EDPB's endorsed WP29 Guidelines on Data Protection Officers (WP243rev.01), available at edpb.europa.eu. For the broader GDPR compliance framework in which the DPO obligation sits, see the GDPR compliance checklist and the EU data privacy laws hub on this site.
Organisations operating across multiple jurisdictions should obtain advice from qualified data protection counsel in each relevant territory before finalising their DPO structure.
Disclaimer
This article provides general legal information about data protection officer requirements across multiple jurisdictions as of 2026-05-19. It is not legal advice. The laws and regulations described change frequently and may have been amended after the date of verification. Readers should not rely on this article as a substitute for advice from a lawyer qualified and licensed in the specific jurisdictions relevant to their operations. No attorney-client relationship is formed by reading this article.
Authorities Cited
- Regulation (EU) 2016/679 (GDPR), Arts. 37-39, 83(4). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
- WP29, Guidelines on Data Protection Officers (WP243rev.01), 5 April 2017 (endorsed by EDPB). https://ec.europa.eu/newsroom/article29/items/612048
- EDPB, CEF 2023 Report on Designation and Position of DPOs, 16 January 2024. https://www.edpb.europa.eu/our-work-tools/our-documents/other/coordinated-enforcement-action-designation-and-position-data_en
- Bundesdatenschutzgesetz (BDSG) 2018, s. 38. https://www.gesetze-im-internet.de/bdsg_2018/__38.html
- ICO (UK), Guide to Accountability and Governance: Data Protection Officers. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/data-protection-officers/
- Brazil LGPD, Law 13.709/2018, Art. 41. https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
- ANPD Resolution CD/ANPD No. 2, 27 January 2022. https://www.gov.br/anpd/pt-br
- China PIPL, effective 1 November 2021, Art. 52. http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml
- India DPDPA 2023, s. 10. https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
- India DPDP Rules 2025, notified 13 November 2025. https://www.meity.gov.in
- Singapore PDPA 2012 (rev. 2021), s. 11(3). https://www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Personal-Data-Protection-Act
- Malaysia Personal Data Protection (Amendment) Act 2024. https://www.pdp.gov.my/ppdpv1/en/akta/personal-data-protection-amendment-act-2024/
- South Korea PIPA, Art. 31 (2023 amendment). https://www.law.go.kr/LSW/eng/engLsSc.do?menuId=2&section=lawNm&query=personal+information+protection&x=0&y=0
- South Korea PIPA Amendment (promulgated 10 March 2026, effective 11 September 2026). https://iapp.org/news/a/south-korea-overhauls-pipa-and-ties-fines-to-ceo-accountability
- Thailand PDPA B.E. 2562 (2019), ss. 41-42; PDPC Notification on DPO Appointment (effective 13 December 2023). https://www.mdes.go.th/law
- South Africa POPIA, Act 4 of 2013, s. 56. https://www.gov.za/documents/protection-personal-information-act
- UAE Federal Decree-Law No. 45 of 2021 (PDPL), Art. 10. https://uaepdpl.com/article-10/
- DIFC Data Protection Law No. 5 of 2020. https://www.difc.ae/business/laws-regulations/legal-database/data-protection-law-difc-law-no-5-2020/
- ADGM Data Protection Regulations 2021. https://www.adgm.com/operating-in-adgm/office-of-data-protection/guidance
- Indonesia Law No. 27 of 2022 on Personal Data Protection, Art. 53. https://jdih.kominfo.go.id
- Vietnam Law No. 91/2025/QH15 on Personal Data Protection (effective 1 January 2026). https://www.ey.com/en_vn/technical/tax/tax-and-law-updates/legal-alert-july-2025-personal-data-protection-law
- Polish UODO, Administrative fine EUR 132,000 for improper DPO positioning (2025). https://www.edpb.europa.eu/news/national-news/2025/polish-sa-administrative-fine-132-000-eu-improper-positioning-dpo-and_en
- Polish UODO, Administrative fine EUR 5,814 for failure to designate DPO (2025). https://www.edpb.europa.eu/news/national-news/2025/polish-sa-administrative-fine-5-814-eu-failure-designate-data-protection_en
- BlnBDI (Berlin), Administrative fine EUR 525,000 for DPO conflict of interest (Art. 38(6) GDPR). https://gdprhub.eu/index.php?title=BlnBDI_(Berlin)_-_Berlin_DPO_Conflict_of_Interest
Last updated: 2026-05-19. Statutes cited reflect their in-force version as of 2026-05-19.
Frequently Asked Questions
Under the GDPR, what are the three triggers that make DPO appointment mandatory?
Article 37(1) of the GDPR requires DPO appointment for: (1) public authorities or bodies (except courts in their judicial capacity); (2) controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale; and (3) controllers or processors whose core activities involve large-scale processing of special-category data (Article 9) or criminal-conviction data (Article 10). Satisfying any one trigger makes appointment mandatory.
Does every company need a Data Protection Officer?
No, not universally. Under the GDPR, only organisations meeting at least one of the three Article 37(1) triggers must appoint a DPO. Other regimes cast the net wider: Singapore's PDPA (s. 11(3)) requires every organisation that handles personal data, regardless of size, to designate at least one DPO; South Korea's PIPA requires every personal information controller to appoint a CPO; South Africa's POPIA requires every responsible party to register an Information Officer; and Brazil's LGPD requires every controller to appoint an encarregado, subject to the small-business exemptions set out in ANPD Resolution CD/ANPD No. 2/2022.
What qualifications does a DPO need under the GDPR?
Article 37(5) requires that the DPO be designated on the basis of professional qualities, in particular 'expert knowledge of data protection law and practices' and the ability to fulfil the Article 39 tasks. No specific degree or certification is mandated, and the required level of expertise scales with the sensitivity, complexity and volume of the processing. CIPP/E and CIPM certifications from the IAPP are widely treated as indicators of the required expertise but remain voluntary. Romania is currently the only EU member state imposing a formal qualification requirement through national law.
Can a DPO be dismissed for performing their duties?
No. Article 38(3) of the GDPR provides that the DPO cannot be dismissed or penalised for performing their tasks. This protection ensures the DPO can raise compliance concerns without retaliation. Similar job-protection provisions appear in Brazil's LGPD and Thailand's PDPA. A DPO may be dismissed for reasons wholly unrelated to their DPO duties, provided those reasons are demonstrably independent of compliance work.
Can one DPO serve multiple group companies?
Yes. Under GDPR Article 37(2), a group of undertakings may designate a single DPO provided the DPO is 'easily accessible from each establishment'. This is widely used by multinational groups for their EU operations. However, India's DPDPA (s. 10) requires a Significant Data Fiduciary's DPO to be based in India, and China's PIPL (Art. 52) expects a person in charge of personal information protection within the handler's own organisation, so a Europe-based group DPO cannot by itself satisfy those obligations. South Korea requires a CPO with internal decision-making authority, which limits the use of group-level or external DPOs there.
What is the penalty for failing to appoint a required DPO under the GDPR?
Under Article 83(4)(a), infringement of the controller's or processor's obligations under Articles 37 to 39 (including failure to designate a DPO when required) can result in fines of up to EUR 10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. In 2025, the Polish UODO fined a public body EUR 5,814 for failing to designate a DPO, and imposed a EUR 132,000 fine for improper positioning of the DPO. Maximum penalties in other jurisdictions: China PIPL -- CNY 50 million or 5% of the previous year's turnover; South Korea PIPA (2026 amendment) -- up to 10% of total turnover.
Is a DPO personally liable for the organisation's data protection violations?
No. The GDPR and most other frameworks place legal liability on the data controller or processor, not on the DPO. The DPO advises, monitors, and cooperates but does not personally authorise processing decisions. The controller remains responsible for ensuring the DPO's advice is followed. DPO liability for breach of confidentiality or personal conflicts of interest is a separate matter governed by national employment and contract law.
What roles create a conflict of interest that prevents someone from serving as DPO?
The WP29 Guidelines (WP243rev.01), endorsed by the EDPB, treat any role that determines the purposes and means of processing as incompatible with the DPO position. The guidance names senior management positions such as chief executive, chief operating, chief financial and chief medical officer, head of marketing, head of human resources and head of IT as examples; by the same test, other roles that decide how personal data is processed (a CTO or head of legal, for instance) are also conflicted. In 2021 the Berlin DPA (BlnBDI) fined a subsidiary of a retail group EUR 525,000 for a DPO conflict of interest under Article 38(6) GDPR, and in 2025 the Polish UODO imposed a EUR 132,000 fine for improper positioning of the DPO.
Can an external consultant or law firm serve as DPO?
Yes. Under the GDPR (Art. 37(6)), Brazil's LGPD and Thailand's PDPA, the DPO function may be outsourced to an external service provider on the basis of a service contract, provided the provider meets the same independence and expertise standards as an internal DPO. Malaysia permits outsourcing subject to the requirement that the DPO be resident in Malaysia for at least 180 days per year. China's PIPL and South Korea's PIPA expect an internal individual with organisational authority. A law firm that also advises the same client on processing decisions should maintain a strict scope separation so that the DPO is not reviewing its own advice.
What does Malaysia's 2024 PDPA amendment require for DPOs?
The Personal Data Protection (Amendment) Act 2024, in force from June 2025, requires controllers and processors that process large volumes of personal data, handle sensitive personal data, or conduct regular and systematic monitoring to appoint a DPO. The DPO must be a Malaysian resident for at least 180 days per year. The appointment must be notified to the Personal Data Protection Commissioner. Outsourced DPOs are permitted if the residency requirement is met.
What does South Korea's 2026 PIPA amendment change for DPOs?
The amendment, passed 12 February 2026 and effective 11 September 2026, designates the CEO or business representative as the ultimate person responsible for data protection. CPO appointment, reassignment, or removal now requires formal board resolution and must be reported to the PIPC for qualifying organisations. The CPO must report directly to both the CEO and the board. Penalties for repeated or serious violations increase to 10% of total turnover.