PDPC Notification on Criteria for Protection of Personal Data Sends or Transfers to a Foreign Country According to Section 28 of the PDPA

on
green and white line illustration

PDPC Notification on Criteria for Protection of Personal Data Sends or Transfers to a Foreign Country According to Section 28 of the PDPA

The Office of the Personal Data Protection Commission (“PDPC”) conducted a public hearing on the draft PDPC Notification on the Criteria for Protection of Personal Data Sends or Transfers to a Foreign Country According to Section 28 of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) (“Notification”). The public hearing was conducted between 27 October 2023 to 10 November 2023.

Section 28 of the PDPA prescribes a condition under which the data controller may cross-border transfer personal data, that is, if the destination country or international organization is deemed to have an adequate personal data protection standard, otherwise, other exemptions would have to be relied upon (e.g., consent from the data subject). In this regard, the Notification aims to set out the criteria by which the PDPC may deem a country or international organization to have an adequate personal data protection standard.

Article 5 of the Notification prescribes that the determination of adequate personal data protection standards shall be based on:

  1. Whether the destination country or international organization has a legal protection mechanism equivalent to or higher than those prescribed under Thai law or not. Specifically, the data controller’s obligations, personal data protection mechanisms, the enforcement of the data subject’s rights, and effective remedial measures.
  2. Whether there is an agency or organization with the duty and power to enforce the personal data protection laws in the destination country or international organizations, provided that such shall not be lower than that of Thailand.

Additionally, the Notification also prescribes that the data controllers may submit for the PDPC’s determination if such a destination country or international organization is of adequate personal data protection level or that the PDPC may gather the information themselves. The publication of a list of countries the PDPC deems to have adequate personal data protection (otherwise known as a whitelist country) will be closely monitored and updated.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

Posted in

Tagged as