Thailand PDPA – DPO Qualifications
The Personal Data Protection Act B.E. 2562 (2019) (“PDPA“), which became effective on 1 June 2022, specifies the rules and restrictions that Data Controller and Data Processor must adhere to. One important rule and regulation regarding the Data Protection Officer (“DPO“) is specified in Section 41 of PDPA that “The Data Controller and the Data Processor shall designate a data protection officer…” Therefore, many organizations might wonder, what is a DPO? What is its responsibility? And what qualifications are required to become one?
A DPO is a person who is responsible for the data protection of all personal data collected, used and disclosed by a legal entity, whether it is internal personal data or third-party personal data collected by the legal entity. Section 42 of the PDPA specifies the duties of the DPO as follows:
- Monitoring the operation and the performance of the parties mentioned in item 1 regarding personal data collection, use and disclosure to be in accordance with the PDPA.
- Coordinating with the regulator, the Personal Data Protection Committee (“PDPC”) on any issues that arise in relation to item 2 such as a data breach.
- Maintaining the confidentiality of personal data known and acquired while performing the duties.
There are no officially announced sub-regulations governing DPO qualification; the PDPA only specifies the duties of the DPO as mentioned above. As a result, the following is only a guideline by Thailand Data Protection Guidelines regarding this such matter, which Data Controller and Data Processor should consider.
- Having background knowledge of the PDPA and other applicable laws
- Understanding of technologies, IT, and data security measures. The DPO may need to fully understand this matter because the IT system and technological capabilities may be involved in personal data collection, use, disclosure and processing in order to perform its obligations in terms of technology under the PDPA.
- DPO should not be a person who directly benefits from collecting personal data, and DPO shall not be able to audit its own actions involving the collection, use or disclosure of personal data. As a result, the duties of the DPO and those who process personal data should not overlap.
- Good communication and collaboration skills with internals, externals and regulators because the DPO must collaborate with all departments within the organization and the PDPC pertaining to PDPA matters. Furthermore, the DPO should be the person who has direct access to the executives because many aspects of PDPA compliance may need to be taken urgently.
- DPO is not required to be an employee of the legal entity for which he or she works.