
Updates on Subordinate Regulations on International Transfer of Personal Data under Thailand Personal Data Protection Law (Thailand)

NO&T Thailand Legal Update

Author: Shohei Sasaki, Shunsuke Minowa, Poonyisa Sornchangwat, Preeyanuch Jareonlarp, Niparat Pothing (Co-author)
Publisher: Nagashima Ohno & Tsunematsu
Journal / Book: NO&T Thailand Legal Update No.30 (March, 2024)

*Please note that this newsletter is for informational purposes only and does not constitute legal advice. In addition, it is based on information as of its date of publication and does not reflect information after such date. In particular, please also note that preliminary reports in this newsletter may differ from current interpretations and practice depending on the nature of the report.

1. Background

The transfer of personal data to foreign countries shall be subject to the requirements stipulated under the Thai Personal Data Protection Act of 2019 (“Thai PDPA”) and the subordinate regulations issued thereunder. The draft of the relevant subordinate regulations was publicly available in September 2022 with the details as summarized in our previous article.

On 25 December 2023, the Personal Data Protection Committee (“PDPC”) officially published in the Royal Gazette the following subordinate regulations relating to the cross-border transfer of personal data, which come into effect after the expiration of 90 days from the date of their publication in the Royal Gazette, i.e., 24 March 2024:

  1. PDPC Notification Re: Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country pursuant to Section 28 of the Personal Data Protection Act of 2019 dated 12 December 2023 (“PDPC Notification under Section 28”); and
  2. PDPC Notification Re: Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country pursuant to Section 29 of the Personal Data Protection Act of 2019 dated 12 December 2023 (“PDPC Notification under Section 29”)

The PDPC Notification issued under Section 28 and the PDPC Notification issued under Section 29 shall be collectively referred to as the “PDPC Notifications”. The PDPC Notifications aim to clarify and set out the criteria of the adequate data protection standards of the destination country and other alternative ways for protection of personal data upon international transfer. In this article, we aim to provide a summary of the key principles relating to the international transfer of personal data under the PDPC Notifications.

2. Summary of the key principles under the PDPC Notifications

2.1 Key principles of the PDPC Notification under Section 28

In principle, in accordance with the Thai PDPA and the PDPC Notification under Section 28, a data controller may send or transfer personal data to a recipient of personal data (“Recipient”) in foreign countries or an international organization only when such destination countries have adequate data protection standards, except in the case where (i) it is necessary for compliance with the law, (ii) the data subject has been informed of the inadequacy of the data protection standards of the destination countries and has provided consent therefor, or (iii) it is necessary for the performance of obligations of an agreement to which the data subject is a party, etc.※1

In this connection, the following factors shall be taken into account when considering whether the destination country or the international organization has adequate data protection standards, namely whether the destination country or the international organization:

  • (1) provides any legal measures or mechanisms with respect to the protection of personal data corresponding with the Thai PDPA, particularly the duties of the data controller to provide appropriate security protection measures, appropriate personal data protection measures that could ensure the enforcement of the data subject’s rights, and effective legal remedial measures; and
  • (2) has an authority or organization with the duty and power to enforce the laws and regulations regarding personal data protection※2.

Notably, in the case where an argument relating to the adequacy of the data protection standards of a destination country arises, a case may be filed with the PDPC for its consideration※3 either by a data controller or the Office of the Personal Data Protection Commission (“Office of the PDPC”) itself. In this relation, the PDPC may (i) consider on a case-by-case basis whether or not the destination country or the international organization has adequate data protection standards or (ii) stipulate the list of countries which do have adequate data protection standards※4. Please note that the Office of the PDPC may request the PDPC to review its consideration when there is new convincing proof showing that any destination countries or international organizations have adequate data protection standards.※5 As of the date of this article, the PDPC has yet to announce the list of countries which have adequate data protection standards and does not seem likely to announce it anytime soon.

2.2 Key principles of the PDPC Notification under Section 29

As an exception from ensuring that the destination country or the international organization has adequate data protection standards, or obtaining consent from the data subject regarding the inadequacy of the data protection standards of the destination country or the international organization, a data controller or a data processor may send or transfer the personal data to a foreign country by alternatively providing or executing the following, as applicable:

I. Binding Corporate Rules (“BCRs”)

For the transfer of personal data to affiliated companies or group companies in foreign countries, the sender or the transferor of personal data (“Sender or Transferor”) and the Recipient may execute/prepare the BCRs, which shall be verified and certified by the Office of the PDPC.※6

In this relation, the Office of the PDPC will verify the content of the BCRs to ensure that it is in accordance with the following criteria:

  1. the BCRs have legal effectiveness and enforceability over entities or the natural persons in the same affiliate as well as the relevant data processor, the Sender or Transferor, and the Recipient in the same affiliate of the data controller or the data processor who presented the BCRs to the Office of the PDPC for verification and certification (please note, the BCRs must correspond with the Thai PDPA and bind the personnel, staff, employees, or any person relating to the Sender or Transferor and the Recipient);
  2. the BCRs contain provisions recognizing personal data protection, the data subject’s rights, and the mechanisms for lodging complaints, with respect to personal data that is sent or transferred to a foreign country; and
  3. the BCRs include measures for personal data protection and security protection measures corresponding with the Thai PDPA.

II. Appropriate safeguards

In the absence of the adjudication of the PDPC relating to the adequacy of the data protection standards or the BCRs as mentioned above, a data controller or a data processor who wishes to send or transfer personal data to foreign countries may procure the appropriate safeguards in order to be exempted from having to ensure the adequacy of the data protection standards of the destination country under Section 28 of the Thai PDPA.

The appropriate safeguards mentioned above can be provided in either of the following forms:

(a) Contractual clauses that are in accordance with acceptable contractual clauses for sending or transferring the personal data (“Standard Contractual Clauses”) ※7

These are contractual clauses for personal data protection concerning the cross-border or international sending or transferring of personal data, as prescribed by the PDPC. The PDPC set out the characteristics of the Standard Contractual Clauses as follows:

  • (1) being contractual clauses that are executed between the contractual parties and legally binding, containing the following terms with respect to the personal data protection:

    • the collection, use, and disclosure of personal data, including the sending or transfer of personal data, must be in compliance with the Thai PDPA;
    • the Sender or Transferor and the Recipient must provide security protection measures in accordance with the Thai PDPA;
    • in the case where the Recipient is a data processor, specific duties of the Recipient must be stipulated in the contractual clauses;
    • in the case where the Recipient is a data controller, the Recipient must notify the occurrence of the data breach to the Sender or Transferor (if the Sender or Transferor is a data controller) without delay within 72 hours after becoming aware of it, unless such breach poses no risk to the rights and freedom of a person; and
    • effective legal remedies must be provided.
  • (2) being contractual clauses prepared in accordance with the laws of the foreign countries, or by the international organizations, with the content and terms pertaining to personal data protection, which can be in either of the following forms:

    • ASEAN Model Contractual Clauses for Cross Border Data Flows;
    • Contractual Clauses for the Transfer of Personal Data to Third Countries issued under the Regulation (EU) 2016/679 of the European Union or General Data Protection Regulation (GDPR); or
    • Standard contractual clauses for sending or transferring personal data to foreign countries of international agencies or organizations, as prescribed by the PDPC.

The contractual clauses under this item (a)(2) must contain the content pertaining to the personal data protection prescribed under Clause 11 of the PDPC Notification under Section 29, e.g., the measures for notifying the data subjects about the sending or transferring of personal data, the measures limiting the sending or transfer of personal data to be on a necessary basis only, an alternative measure for the data subject to exercise the right to revoke the transfer of personal data or the use of personal data outside the scope of objectives, measures on security protection in sending or transferring personal data to prevent data breach, measures prescribing the data subject’s rights, and effective legal remedial measures, enforcement of law, and prescription of liability arising from unlawful sending or transferring of personal data.

In the case of these contractual clauses prepared in accordance with the laws of foreign countries or by international organizations, the amendment to the content, the appropriate protection measures of personal data, etc., is acceptable provided that such amendment will not result in contradiction with the essence of the personal data protection as prescribed under the PDPC Notification under Section 29 and will not affect the rights and freedom of the data subject.※8

Sample clauses to correspond to (1) above have yet to be provided by the PDPC as guidelines but may soon be.

(b) Certification

This certification ensures the presence of appropriate safeguards of personal data in accordance with acceptable standards※9.

The details of this certification shall be further prescribed by the PDPC, which shall contain the content according to Clause 11 of the PDPC Notification under Section 29 as mentioned above.※10

(c) Provisions for personal data protection measures in instruments or agreements that are legally binding and enforceable between state agencies※11

This shall be applicable only to the cases of sending or transferring of the personal data between state agencies of Thailand and state agencies of other countries.

Notwithstanding the above, it should be noted that all forms of the appropriate safeguards above must also be in accordance with three criteria similar to those described for the BCRs above.※12

Conclusion

A data controller or a data processor sending or transferring personal data to foreign countries should ensure its compliance with the requirements set forth for the international transfer, as elaborated above, in order to avoid being subject to liability, i.e., the administrative fine for non-compliance with the Thai PDPA, which is relatively high. However, please note that some requirements, such as the scope of destination countries with adequate data protection standards and the sample Standard Contractual Clauses, are still subject to further clarification from the PDPC.

Endnotes

※1 Section 28 of the Thai PDPA and Clause 4 of the PDPC Notification issued under Section 28

※2 Clause 5 of the PDPC Notification issued under Section 28

※3 Section 28, paragraph 3 of the Thai PDPA

※4 Clause 6 of the PDPC Notification issued under Section 29

※5 Section 28, paragraph 3 of the Thai PDPA and Clause 6, paragraph 2 of the Notification issued under Section 29

※6 Section 29, paragraph 1 of the Thai PDPA and Clause 5 of the Notification issued under Section 29

※7 Clause 8, paragraph 2 (1) of the PDPC Notification under Section 29

※8 Clause 12 of the PDPC Notification under Section 29

※9 Clause 8, paragraph 2 (2) of the PDPC Notification under Section 29

※10 Clause 14 of the PDPC Notification under Section 29

※11 Clause 8, paragraph 2 (3) of the PDPC Notification under Section 29

※12 Clause 9 of the PDPC Notification under Section 29

This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.
