Rules and Policy for Transferring Personal Data to a Foreign Country under PDPA of Thailand

green and white line illustration

Rules and Policy for Transferring Personal Data to a Foreign Country under PDPA of Thailand

The Personal Data Protection Committee (“PDPC”) is currently considering for issuing a Personal Data Protection Announcement Concerning Sending or Transferring Personal Data from the Kingdom of Thailand to a Data Controller or Data Processor in a foreign country or international organization.  This draft announcement will establish various standards, including binding corporate rules (“BCR”), appropriate safeguards, certification and standard contractual clauses to protect the personal data and to have the involved parties operate legally under Personal Data Protection Act B.E.2562 (“PDPA”).

The involved parties in this announcement are from the same affiliate business or group of undertakings, including the Transferer, i.e. the Data Controller in the Kingdom of Thailand, the Transferee, i.e. either a Data Controller or Data Processor in other countries or international organizations and the Sub Data Processors (if any).

security logo

Binding Corporate Rules (“BCR”) is a data protection policy among business affiliates that may be implemented for data to be transferred to ensure that personal data will be protected and transferred in accordance with the PDPA standards. BCR must certify the Data Subject’s rights as well as specify the general principles of the PDPA. Furthermore, BCR must establish appropriate safeguards to protect personal data in terms of people, processes, and technology.

The appropriate safeguard is to prevent the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of personal data and such measures must be reviewed when it is necessary or when the technology has changed in order to efficiently maintain the appropriate security and safety. The most important is that the BCR must be effective, legally binding and enforced among parties and Sub Data Processors (if any).

Furthermore, BCR must be submitted to the Office of Personal Data Protection Committee for review and certification that it is applicable and valid. Then, sending or transferring of personal data under approved BCR to a foreign country is permitted.

Such BCR will be effective only when it binds all employees, staffs and persons concerned in transferring personal data and is subject to Thai law. An example of important requirements is the duties of the Transferor and Transferee, rights of Data Subjects, dispute resolution and liability to Data Subject and cooperation with PDPC, etc. If the Transferee fails to fulfill its obligations, the Transferor has the right to terminate transferring of data, either temporarily or permanently. Moreover, if  a dispute arises as a result of an improper duty and failure to fulfill such duty, and the Data Subject exercises his or her rights to seek for damages, the Transferor , Transferee, or Sub Data Processor must notify other parties and resolve the dispute jointly through mediation. Neither party can use the failure of the other involved parties to exclude or limit their liability as a defense.

In light of this, the Data Controller should follow up with this draft announcement that will be issued and become effective soon so that the Data Controller and other involved parties can properly and legally prepare for actions related to the protection of personal data transferred abroad.

Author: Panisa Suwanmatajarn, Managing Partner