Public Entities Required to Designate a Data Protection Officer
Section 41 of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) requires public entities listed by the Personal Data Protection Committee (“PDPC”) to designate a Data Protection Officer (“DPO”). Currently, PDPC has drafted “Announcement of the Personal Data Protection Committee Concerning the Data Controller and the Data Processor Who Are Public Entities that Must Designate a Data Protection Officer B.E. ….” (“Announcement”). This Announcement will list the public entities that are required to designate DPO. It is likely that the public entities that process personal data on a large scale or collect sizable numbers of sensitive personal data will be listed under this Annoucement. This Announcement is, however, still undergoing public hearings in which anyone interested can share opinion or provide feedback via the Law Portal provided by the Office of the Council of State and the Digital Government Development Agency.
According to Section 3 of the PDPA, in the event that there is any specific law governing the protection of personal data in any specific manner, business or entity, the provisions of such law shall be applied. Furthermore, in Thailand, there is a law known as the Official Information Act B.E. 2540 (1997) (“OIC“), which its provisions govern the public entities for the matter related to the collection, disclosure, and security of personal information. Where the said personal information under OIC is considered personal data under PDPA but is only kept by the public entities, as a result, although it can be assumed that personal information is partly governed by the OIC, the PDPA shall be applied in addition to the rights of data subjects and the relevant penalties, regardless of whether it is repetitious with the same matter in OIC according to Section 3 of PDPA as it aims to ensure the same level of personal data protection for Data Controllers and Data Processors in both public entities and private entities.
In conclusion, the public entities should consider whether the DPO is required based on this Announcement. Plus, such public entities should also consider the PDPA as it might be an additional requirement which they must comply. At the same time, an individual or a private entity also should be aware of this Announcement in order to directly contact the DPO of such public entities regarding personal data protection matters, as the DPO will be the entity’s contact center for personal data protection matters of those entities who may collect, use, or disclose your personal data.