NO&T Thailand Legal Update
The transfer of personal data to foreign countries shall be subject to the requirements stipulated under the Thai Personal Data Protection Act of 2019 (“Thai PDPA”) and the subordinate regulations issued thereunder. The draft of the relevant subordinate regulations was publicly available in September 2022 with the details as summarized in our previous article.
On 25 December 2023, the Personal Data Protection Committee (“PDPC”) officially published in the Royal Gazette the following subordinate regulations relating to the cross-border transfer of personal data, which come into effect after the expiration of 90 days from the date of their publication in the Royal Gazette, i.e., 24 March 2024:
The PDPC Notification issued under Section 28 and the PDPC Notification issued under Section 29 shall be collectively referred to as the “PDPC Notifications”. The PDPC Notifications aim to clarify and set out the criteria of the adequate data protection standards of the destination country and other alternative ways for protection of personal data upon international transfer. In this article, we aim to provide a summary of the key principles relating to the international transfer of personal data under the PDPC Notifications.
In principle, in accordance with the Thai PDPA and the PDPC Notification under Section 28, a data controller may send or transfer personal data to a recipient of personal data (“Recipient”) in foreign countries or an international organization only when such destination countries have adequate data protection standards, except in the case where (i) it is necessary for compliance with the law, (ii) the data subject has been informed of the inadequacy of the data protection standards of the destination countries and has provided consent therefor, or (iii) it is necessary for the performance of obligations of an agreement to which the data subject is a party, etc.※1
In this connection, the following factors shall be taken into account when considering whether the destination country or the international organization has adequate data protection standards:
Notably, in the case where an argument relating to the adequacy of the data protection standards of a destination country arises, a case may be filed with the PDPC for its consideration※3 either by a data controller or the Office of the Personal Data Protection Commission (“Office of the PDPC”) itself. In this relation, the PDPC may (i) consider on a case-by-case basis whether or not the destination country or the international organization has adequate data protection standards or (ii) stipulate the list of countries which do have adequate data protection standards※4. Please note that the Office of the PDPC may request the PDPC to review its consideration when there is new convincing proof showing that any destination countries or international organizations have adequate data protection standards.※5 As of the date of this article, the PDPC has yet to announce the list of countries which have adequate data protection standards and does not seem likely to announce it anytime soon.
As an exception from ensuring that the destination country or the international organization has adequate data protection standards, or obtaining consent from the data subject regarding the inadequacy of the data protection standards of the destination country or the international organization, a data controller or a data processor may send or transfer the personal data to a foreign country by alternatively providing or executing the following, as applicable:
I. Binding Corporate Rules (“BCRs”)
For the transfer of personal data to affiliated companies or group companies in foreign countries, the sender or the transferor of personal data (“Sender or Transferor”) and the Recipient may execute/prepare the BCRs, which shall be verified and certified by the Office of the PDPC.※6 In this relation, the Office of the PDPC will verify the content of the BCRs to ensure that it is in accordance with the following criteria:
II. Appropriate safeguards
In the absence of the adjudication of the PDPC relating to the adequacy of the data protection standards or the BCRs as mentioned above, a data controller or a data processor who wishes to send or transfer personal data to foreign countries may procure the appropriate safeguards in order to be exempted from having to ensure the adequacy of the data protection standards of the destination country under Section 28 of the Thai PDPA. The appropriate safeguards mentioned above can be provided in either of the following forms:
(a) Contractual clauses that are in accordance with acceptable contractual clauses for sending or transferring the personal data (“Standard Contractual Clauses”) ※7
These are contractual clauses for personal data protection concerning the cross-border or international sending or transferring of personal data, as prescribed by the PDPC. The PDPC set out the characteristics of the Standard Contractual Clauses as follows:
The contractual clauses under this item (a)(2) must contain the content pertaining to the personal data protection prescribed under Clause 11 of the PDPC Notification under Section 29, e.g., the measures for notifying the data subjects about the sending or transferring of personal data, the measures limiting the sending or transfer of personal data to be on a necessary basis only, an alternative measure for the data subject to exercise the right to revoke the transfer of personal data or the use of personal data outside the scope of objectives, measures on security protection in sending or transferring personal data to prevent data breach, measures prescribing the data subject’s rights, and effective legal remedial measures, enforcement of law, and prescription of liability arising from unlawful sending or transferring of personal data. In the case of these contractual clauses prepared in accordance with the laws of foreign countries or by international organizations, the amendment to the content, the appropriate protection measures of personal data, etc., is acceptable provided that such amendment will not result in contradiction with the essence of the personal data protection as prescribed under the PDPC Notification under Section 29 and will not affect the rights and freedom of the data subject.※8 Sample clauses to correspond to (1) above have yet to be provided by the PDPC as guidelines but may soon be.
(b) Certification
This certification ensures the presence of appropriate safeguards of personal data in accordance with acceptable standards※9. The details of this certification shall be further prescribed by the PDPC, which shall contain the content according to Clause 11 of the PDPC Notification under Section 29 as mentioned above.※10
(c) Provisions for personal data protection measures in instruments or agreements that are legally binding and enforceable between state agencies※11
This shall be applicable only to the cases of sending or transferring of the personal data between state agencies of Thailand and state agencies of other countries.
Notwithstanding the above, it should be noted that all forms of the appropriate safeguards above must also be in accordance with three criteria similar to those described for the BCRs above.※12
A data controller or a data processor sending or transferring personal data to foreign countries should ensure its compliance with the requirements set forth for the international transfer, as elaborated above, in order to avoid being subject to liability, i.e., the administrative fine for non-compliance with the Thai PDPA, which is relatively high. However, please note that some requirements, such as the scope of destination countries with adequate data protection standards and the sample Standard Contractual Clauses, are still subject to further clarification from the PDPC.
※1 Section 28 of the Thai PDPA and Clause 4 of the PDPC Notification issued under Section 28
※2 Clause 5 of the PDPC Notification issued under Section 28
※3 Section 28, paragraph 3 of the Thai PDPA
※4 Clause 6 of the PDPC Notification issued under Section 29
※5 Section 28, paragraph 3 of the Thai PDPA and Clause 6, paragraph 2 of the Notification issued under Section 29
※6 Section 29, paragraph 1 of the Thai PDPA and Clause 5 of the Notification issued under Section 29
※7 Clause 8, paragraph 2 (1) of the PDPC Notification under Section 29
※8 Clause 12 of the PDPC Notification under Section 29
※9 Clause 8, paragraph 2 (2) of the PDPC Notification under Section 29
※10 Clause 14 of the PDPC Notification under Section 29
※11 Clause 8, paragraph 2 (3) of the PDPC Notification under Section 29
※12 Clause 9 of the PDPC Notification under Section 29
This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.
Shunsuke Minowa, Poonyisa Sornchangwat, Niparat Pothong (Co-author)