Monitoring of Personal Data or the System that Requires an Appointment of DPO
Section 41 (2) of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) prescribes that the data controller and the data processor shall designate a data protection officer (“DPO”) if their activities in the processing of personal data require regular monitoring of personal data or the system, by reason of having a large number of personal data as prescribed and announced by the Personal Data Protection Committee (“PDPC”).
Although the PDPA has been in effect for a year, many organizations in Thailand are still unsure whether they are required to appoint a DPO. As a result, the PDPC is considering the Draft Notification of the PDPC re: data controllers and data processors who collect, use, or disclose personal data that requires regular monitoring of the personal data or the system due to a large scale of personal data that must appoint a DPO, B.E. …. (the “Draft Notification”). This Draft Notification was posted on the Law Portal on July 13th, 2023, for the public to consider and express their opinions (the public hearing closes on July 27th, 2023).

Under the Draft Notification, the PDPC intends to clarify the following three criteria: (1) what constitutes a core activity; (2) what is meant by regular monitoring of personal data or the system; and (3) how to determine whether a data controller or data processor has a large number of personal data. The summary is as follows:
1. Core Activities:
The core activities are defined under the Draft Notification as actions required to achieve the data controller’s or data processor’s business objectives or goals.
2. Regular Monitoring of Personal Data or the System:
The Draft Notification deems that a data controller or data processor regularly monitors personal data or the system if its core activities systematically or regularly track, monitor, or predict data subjects’ behavior (i.e., profiling).
Additionally, the Draft Notification prescribes scenarios in which the processing of personal data would automatically be deemed to require regular monitoring. Examples include:
- Processing of personal data relating to the holder of a membership card, electronic card, or any other card that allows the card service provider or any other person to review the card usage information.
- Processing of personal data for the purpose of behavioral advertising.
- Processing of personal data for security purposes.
3. A Large Number of Personal Data:
Further, the Draft Notification sets out the criteria by which the data controller or data processor shall determine whether its processing of personal data is considered to be on a large scale. The criteria are as follows: (1) the proportion of the number of data subjects and the amount of personal data; (2) the quantity and type of personal data; (3) retention period and permanence; and (4) territorial or geographical scale of personal data collection.

Additionally, the Draft Notification prescribes scenarios in which the processing of personal data would automatically be deemed to be of a large scale. Examples include:
- Processing personal data for the purpose of behavioral advertising through the use of search engines or social media.
- Processing of personal data by a type 3 telecommunication business operator.
Having read this far, you probably have an idea of whether your organization would need to appoint a DPO. Please note, however, that organizations whose DPO performs duties or tasks other than data protection must consider the scope of those duties or tasks and warrant to the PDPC office that they do not conflict with the DPO’s main duties under the PDPA. Data controllers and data processors should read this Draft Notification carefully and monitor its development.
It is crucial for all data controllers and data processors to note that if they are subject to the requirement but fail to appoint a DPO as required by the PDPA, they may be subject to an administrative fine of up to 1 million Baht.
Author: Panisa Suwanmatajarn, Managing Partner.