On December 25, 2023, Thailand’s Personal Data Protection
Committee (PDPC) issued two notifications under sections 28 and 29
of the Personal Data Protection Act 2019 (PDPA) that address
essential aspects and criteria for the cross-border transfer of
personal data. These notifications are scheduled to come into
effect on March 24, 2024.
Key points in the notifications are outlined below.
Adequate Data Protection Standards (Section 28)
Unless otherwise provided by the PDPA, the destination country
or international organization that receives the transferred
personal data must have “adequate data protection
standards,” as determined by the following factors:
- Legal measures and mechanisms. The destination
country or international organization must have legal measures or
mechanisms aligned with the personal data protection laws in
Thailand. Specifically, the obligations of data controllers need to
include providing appropriate security measures, implementing
personal data protection measures that are suitable and that enable
the exercise of data subjects’ rights, and establishing
effective legal remedial measures.
- Regulatory authority. The presence of an
agency or organization entrusted with the duties and authority to
enforce laws and regulations related to personal data protection is
also a critical factor.
In addition, this notification empowers the Office of the PDPC
to refer cases, either independently identified or proposed by a
data controller, to the PDPC for adjudication. The PDPC retains the
discretion to make decisions on a case-by-case basis or to
establish a list of destination countries or international
organizations that it considers to have adequate data protection
standards.
Binding Corporate Rules and Appropriate Safeguards (Section 29)
In the realm of global data exchange, two prominent mechanisms
have emerged as key enablers of secure and compliant transfer of
personal data:
- Binding corporate rules (BCRs). Implementation
of BCRs involves enforcing an approved policy for safeguarding
personal data transferred among affiliated businesses or within the
same group of undertakings in order to jointly operate the
business.
- Appropriate safeguards. Appropriate safeguards
not only protect personal data but can also enforce the rights of
data subjects and include effective legal remedial measures. These
safeguards can take various forms, such as standard contractual
clauses.
To be deemed effective mechanisms for cross-border data
transfer, both BCRs and appropriate safeguards must do the
following:
- Maintain legal effectiveness and enforceability across all
parties involved, including juristic and natural persons, data
processors, senders/transferors, and recipients of personal data
while complying with personal data protection laws and being
binding upon the personnel, employees, staff, any other persons
related to the senders/transferors, and recipients of the personal
data;
- Recognize personal data protection, the rights of the data
subject, and lodging of complaints in relation to the personal data
that has been sent or transferred to a foreign country; and
- Provide personal data protection measures and security measures
that comply with personal data protection laws and with the minimum
standards prescribed by law, such as those described in the initial
set of subordinate regulations enacted under the PDPA.
In the absence of a decision on adequate data protection
standards or where there are no BCRs in place, cross-border
transfer of personal data is permissible if appropriate safeguards
are implemented. This implementation can take the form of any of
the following:
- Standard contractual clauses (SCCs) that serve
as foundational frameworks for establishing legal agreements,
especially in the context of cross-border data transfers. In this
regard, Thailand currently accepts two distinct SCC models, the
Thai Model and the Overseas Model. The specific provisions and
applications of each model—either of which can be adopted, as
appropriate—are summarized in the table below.
- Certification of the implementation of the
appropriate safeguards in accordance with recognized standards to
be determined by the PDPC. These must include the personal data
protection contents as prescribed in the notification.
- Statutes or agreements that are legally
binding and enforceable between state agencies in Thailand and
foreign state agencies that transfer personal data between each
other.