Advance Blog

October 10, 2022
Tilleke

Thailand Opens Public Hearing Period on Measures for Cross-Border Transfer of Personal Data

Thailand’s Office of the Personal Data Protection Committee (PDPC) has opened a public hearing period on its draft notification regarding cross-border transfer of personal data. The public hearing is open through October 24. The notification, once issued, will supplement the principle of cross-border transfer of personal data outside of Thailand set out in the Personal Data Protection Act (PDPA).

The notification sets out the following key matters:

Definitions “Transfer of personal data” means any sending or transferring of personal data by a transferor of personal data, either by way of a physical transfer or a remote transfer through a computer system or an internet network to the recipient of the personal data. It does not include sending personal data through an intermediary by transiting between computer systems or internet networks, or any storing or retaining of personal data, either permanently or temporarily, by a cloud computing service provider, whereby the personal data transferor and the personal data recipient (1) are not making the order, (2) are not involved with any data selection or the content of the personal data sent and received through the computer systems or internet networks, or (3) have the purpose of entering into an agreement or any juristic act. “Binding corporate rules” means the agreed terms or policy on personal data protection made between the personal data transferor and the personal data recipient to establish appropriate measures for safeguarding personal data within a group of corporations or companies. “Standard contractual clauses” means the contractual terms made between the personal data transferor and the personal data recipient to establish appropriate measures for safeguarding personal data. “Code of conduct” means a code that sets out the obligations of a personal data transferor and a personal data recipient outside of Thailand. “Certification” means an undertaking in relation to safeguarding personal data, in order to establish appropriate personal data safeguarding measures. Binding Corporate Rules

For cross-border transfers within a group of corporations or companies, binding corporate rules (BCRs) can be established and submitted to the PDPC for approval. The BCRs must adhere to the following minimum standards: The effectiveness and legally binding nature of the BCRs apply to each company or entity within the group, including the data recipient, data processor, and data transferor, and the members belonging to the group, as well as their employees, staff, or persons related to the transfer or receipt of personal data within the group. The BCRs must comply with Thai laws on personal data protection. The BCRs must contain certification of data subject rights under the PDPA and sub-regulations. The BCRs must contain measures on personal data protection in relation to personnel, processes, and security measures in accordance with the required technology standards for personal data protection. Appropriate Safeguards

In accordance with section 29, paragraph 3, of the PDPA, a personal data transferor may transfer personal data to a recipient outside of Thailand when procuring appropriate safeguard measures by way of “standard contractual clauses,” “code of conduct,” or “certification.” Such appropriate safeguards must at least ensure the enforceability of the data subject’s rights and effective legal remedial actions, as provided in the annexes of the notification.

The appropriate safeguards must at least have the following: Effectiveness and legal enforceability. Compliance with Thai laws on personal data protection. Certification of data subject rights under the PDPA and sub-regulations. Measures on personal data protection in relation to personnel, process, and security measures in accordance with the required technology standards for personal data protection. The standard contractual clauses must be filed with the PDPC. The appropriate safeguard measures must be enforceable under Thai law, and they must provide data subject rights under Thai law. Such rights must also be enforceable and provide remedial rights for data subjects as stipulated under Thai law.

The notification also sets out standard contractual clauses for controller-to-controller and controller-to-processor international transfers. The clauses primarily stipulate the obligations of the transferor and the recipient, recognize the enforceability of the PDPA provisions on personal data protection, and ensure the ability of data subjects to exercise their rights (in the form of third-party rights).

For more information from Tilleke & Gibbins’ data privacy team regarding the draft notification, or any aspect of compliance with PDPA requirements, please contact Athistha (Nop) Chitranukroh at nop.c@tilleke.com, Nopparat Lalitkomon at nopparat.l@tilleke.com, Gvavalin Mahakunkitchareon at gvavalin.m@tilleke.com, Thammapas Chanpanich at thammapas.c@tilleke.com.
Tilleke & Gibbins
Share:
Facebook
Twitter
LinkedIn

Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”)

As the Personal Data Protection Act (PDPA) also applies to personal data collected prior to the PDPA’s entry into force, please be informed that AustCham Thailand will automatically keep your contact details including email address, name and last name, and company details, on our mailing list.

Your data was received by AustCham Thailand as a result from you either registering or attending an event, contacting our office or subscribing to regular updates via the website. However, if you would like to stop receiving emails AustCham Thailand and revoke your consent for AustCham to keep and use your data to contact you for chamber events and updates, please scroll down to the end of this email and click “Unsubscribe from this list”. Your personal data will be shortly deleted once the opt-out notice request is received.

Please note that your data is kept in AustCham’s CRM system, please see here for AustCham’s Terms of Use and Privacy Policy. AustCham uses a management software system from Wild Apricot, and emails are distributed through MailChimp.

MEMBER LOG IN