
Update on Thai Personal Data Protection Law: Clarification on Requirement of Data Controller and Data Processor that is Required to Designate the Data Protection Officer (Thailand)

NO&T Thailand Legal Update

Author: Shunsuke Minowa, Poonyisa Sornchangwat, Niparat Pothong (Co-author)
Publisher: Nagashima Ohno & Tsunematsu
Journal / Book: NO&T Thailand Legal Update No.27 (October, 2023)

*Please note that this newsletter is for informational purposes only and does not constitute legal advice. In addition, it is based on information as of its date of publication and does not reflect information after such date. In particular, please also note that preliminary reports in this newsletter may differ from current interpretations and practice depending on the nature of the report.

1. Background

Under Section 41(2) of the Personal Data Protection Act of 2019 of Thailand (“PDPA”), the data controller and the data processor must designate a data protection officer (“DPO”) if their activities with respect to collection, use, or disclosure of personal data (“Data Processing”) require regular monitoring of personal data and the system because the amount of personal data is on a large scale as prescribed by the Personal Data Protection Committee (“PDPC”).

In this connection, on 14 September 2023, the PDPC published the Notification of the Personal Data Protection Committee Re: Designation of a Data Protection Officer according to Section 41(2) of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2566 (2023) (“Notification”) in the Royal Gazette. The Notification will become effective after the expiration of 90 days from the date of its publication in the Royal Gazette (i.e., 13 December 2023). In this article, we therefore summarize the requirements that determine which data controllers and data processors must designate a DPO.

2. Details of the Notification

2.1 Obligations to designate a DPO

Under Clause 4 of the Notification, for the purpose of protection of personal data, the data controller and the data processor must designate a DPO if all of the following conditions are met:

  1. the Data Processing is a part of the “core activities” of the data controller/data processor;
  2. such Data Processing requires regular monitoring of personal data or the system; and
  3. the amount of personal data is on a large scale.

In this regard, “core activity” means any necessary and important actions taken for achieving the main objectives or goals in the operation of business or mission of the data controller or the data processor, but not including the supplemental activities which constitute only supporting work for their operations.

The Notification further clarifies conditions 2 and 3 above.

(1) Data Processing that requires regular monitoring of the personal data

Under Clause 5 paragraph one of the Notification, activities that require regular monitoring of personal data are the activities that:

  1. are a part of the “core activities” of the data controller/data processor;
  2. contain tracking, monitoring, analyzing, or predicting the behavior, attitude, or profile of individuals; and
  3. generally require regular and systematic Data Processing.

Moreover, under Clause 5 paragraph two of the Notification, Data Processing in relation to/for the purpose of the following is deemed to require regular monitoring of personal data:

  1. cards (e.g., membership cards, public transportation cards, electronic cards) that allow card providers or others to inspect card usage details;
  2. customers or service recipients, in order for the data recipient to assess their status, history, or qualifications for purposes like credit scoring, insurance premium consideration, and fraud prevention, but not including the processing of information of credit information companies and their members under the credit information business operation law;
  3. behavioral targeting advertising;
  4. customers or service recipients through a computer network service provider or telecommunication business operator;
  5. surveillance and security at various locations; or
  6. other cases as provided by the PDPC.

(2) Data Processing that concerns personal data on a large scale

Under Clause 6 paragraph one of the Notification, in order to consider whether the Data Processing concerns an amount of personal data on a large scale, the following factors are taken into consideration:

  1. the number of relevant data subjects, etc.;
  2. volume, type, or nature of personal data collected, used, or disclosed;
  3. the duration or permanence of collection, use, or disclosure of personal data for the benefit of the operation of the core activities; and
  4. the scope of use, area, or number of countries related to collection, use, or disclosure of personal data.

Moreover, under Clause 6 paragraph two of the Notification, Data Processing in relation to/for the purpose of the following shall also be deemed to concern personal data on a large scale:

  1. core activities with a total number of data subjects of 100,000 individuals or more;
  2. behaviorally targeted advertising via search engines or social media that are widely used;
  3. customers and/or service recipients of life insurance, non-life insurance, or financial institution business operators in the ordinary course of business, but not including the processing of information of credit information companies and their members under the credit information business operation law;
  4. customers and/or service recipients through a telecommunication business operator; or
  5. other cases as provided by the PDPC.

2.2 Others

Under Section 42 paragraph four of the PDPA and Clause 8 of the Notification, it is notable that the DPO may perform any duties or missions other than those within the DPO’s regular scope of responsibility, provided, however, that the data controller or the data processor must certify with the Office of the PDPC that such duties or missions are not contrary to the performance of duties under the PDPA and its sub-regulations.

3. Summary

In order to be prepared for the Notification coming into effect, data controllers and data processors that meet the requirements under the Notification are advised to designate a DPO promptly. Failure to designate a DPO as required under Section 41(2) of the PDPA will result in the data controller or the data processor being liable for an administrative fine not exceeding THB 1,000,000 in accordance with Section 82 and Section 85 of the PDPA.

This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.
