icon-angleicon-facebookicon-hatebuicon-instagramicon-lineicon-linked_inicon-pinteresticon-twittericon-youtubelogo-not
People

With one of the largest legal teams in Japan, we bring a wealth of practical knowledge focused on the singular purpose of providing high quality legal services.

Publications

Our lawyers have authored or co-authored a number of newsletters, articles, books and other materials covering a wide range of legal areas to address the latest legal developments and increasingly diverse and complex issues.

Seminars

We regularly hold seminars and offer lectures through various formats, such as online streaming.

SCROLL
TOP
Publications
Newsletters

Update on Thai Personal Data Protection Law: Clarification on Requirement of Data Controller and Data Processor that is Required to Designate the Data Protection Officer (Thailand)

NO&T Thailand Legal Update

Author
Shunsuke Minowa, Poonyisa Sornchangwat, Niparat Pothong (Co-author)
Publisher
Nagashima Ohno & Tsunematsu
Journal /
Book
NO&T Thailand Legal Update No.27(October, 2023)
Reference
Practice Areas
*Please note that this newsletter is for informational purposes only and does not constitute legal advice. In addition, it is based on information as of its date of publication and does not reflect information after such date. In particular, please also note that preliminary reports in this newsletter may differ from current interpretations and practice depending on the nature of the report.

1.Background

Under Section 41(2) of the Personal Data Protection Act of 2019 of Thailand (“PDPA”), the data controller and the data processor must designate a data protection officer (“DPO”) if their activities with respect to collection, use, or disclosure of personal data (“Data Processing”) require regular monitoring of personal data and system due to the ground that the number of personal data is on a large scale as prescribed by the Personal Data Protection Committee (“PDPC”).

In this connection, on 14 September 2023, the PDPC published the Notification of the Personal Data Protection Committee Re: Designation of a Data Protection Officer according to Section 41(2) of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2566 (2023) (“Notification”) in the Royal Gazette. The Notification will become effective after the expiration of 90 days from the date of its publication in the Royal Gazette (i.e., 13 December 2023). Therefore, in this article, we aim to provide a summary of the details of the requirements of the data controller and data processor that must designate a DPO.

2. Details of the Notification

2.1 Obligations to designate a DPO

Under Clause 4 of the Notification, for the purpose of protection of personal data, the data controller and the data processor must designate a DPO if all of the following conditions are met:

  1. the Data Processing is a part of the “core activities” of the data controller/data processor;
  2. such Data Processing requires regular monitoring of personal data or the system; and
  3. the amount of personal data is on a large scale.

In this regard, “core activity” means any necessary and important actions taken for achieving the main objectives or goals in the operation of business or mission of the data controller or the data processor, but not including the supplemental activities which constitute only supporting work for their operations.

This Notification further provides clarification in relation to conditions (ii) and (iii) above.

(1) Data Processing that requires regular monitoring of the personal data

Under Clause 5 paragraph one of the Notification, activities that require regular monitoring of personal data are the activities that:

  1. are a part of the “core activities” of the data controller/data processor;
  2. contain tracking, monitoring, analyzing, or predicting the behavior, attitude, or profile of individuals; and
  3. generally require regular and systematic Data Processing.

Moreover, under Clause 5 paragraph two of the Notification, Data Processing that requires regular monitoring of personal data is deemed as the Data Processing in relation to/for the purpose of:

  1. cards (e.g., membership cards, public transportation cards, electronic cards) that allows for card providers or others to inspect card usage details;
  2. customers or service recipients, in order for the data recipient to assess their status, history, or qualifications for purposes like credit scoring, insurance premium consideration, and fraud prevention, but not including the processing of information of credit information companies and their members under the credit information business operation law;
  3. behavioral targeting advertising;
  4. customers or service recipients through a computer network service provider or telecommunication business operators;
  5. surveillance and security at various locations; or
  6. other cases as provided by the PDPC.
(2) Data Processing that concerns personal data on a large scale

Under Clause 6 paragraph one of the Notification, in order to consider whether the Data Processing concerns an amount of personal data on a large scale, the following factors are taken into consideration:

  1. the number of relevant data subjects, etc.;
  2. volume, type, or nature of personal data collected, used, or disclosed;
  3. the duration or permanence of collection, use, or disclosure of personal data for the benefit of the operation of the core activities; and
  4. the scope of use, area, or number of countries related to collection, use, or disclosure of personal data.

Moreover, under Clause 6 paragraph two of the Notification, Data Processing in relation to/for the purpose of the following shall also be deemed to concern personal data on a large scale:

  1. core activities with a total number of data subjects from 100,000 individuals or more;
  2. behaviorally targeted advertising via search engines or social media that are widely used;
  3. customers and/or service recipients of life insurance, non-life insurance, the financial institution business operators during the ordinary course of business, but not including the processing of information of credit information companies and their members under the credit information business operation law;
  4. customers and/or service recipients through a telecommunication business operators; or
  5. other cases as provided by the PDPC.

2.2 Others

Under Section 42 paragraph four of the PDPA and Clause 8 of the Notification, it is notable that the DPO may perform any duties or missions other than those within the DPO’s regular scope of responsibility, provided, however, that the data controller or the data processor must certify with the Office of the PDPC that such duties or missions are not contrary to the performance of duties under the PDPA and its sub-regulations.

3. Summary

In order to be prepared for the Notification coming into effect, data controllers and data processors, which meet the requirement under the Notification, are advised to designate a DPO promptly. Failure to designate a DPO as required under Section 41(2) of the PDPA, will result in the data controller or the data processor being liable for an administrative fine not exceeding THB 1,000,000 in accordance with Section 82 and Section 85 of the PDPA.

This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.

Download full text(PDF)

Lawyers

Data Protection and Privacy Related Publications

Global Practice Related Publications

Asia and Oceania Related Publications

Thailand Related Publications

Apply Select Practice Areas
Apply