| 1. |
VASPs shall produce and implement a written compliance programme to protect the privacy of Personal Data, in accordance with all applicable data protection laws. |
| 2. |
Notwithstanding the requirements of any applicable data protection laws, VASPs shall at a minimum comply with the following VARA requirements—
|
| |
a. |
appoint a Data Protection Officer who has the appropriate competencies and experience to perform the statutory duties and responsibilities associated with this role under applicable data protection laws [including under Article 11 of the PDPL] [Data Protection Officer]. The Data Protection Officer can be the same individual as the CISO of the VASP; and |
| |
b. |
establish a function in their organisation that is responsible for the management and protection of Personal Data in accordance with all applicable law and is appropriate for the level of risk involved with such Personal Data, including responsibility for implementing and maintaining appropriate policies, procedures, systems and controls.
|