Data Protection Officer: Guidelines and Assistance for Designation

Introduction:

This article provides an overview of the obligations and requirements surrounding the designation of a Data Protection Officer (DPO) in accordance with the Personal Data Protection Act B.E. 2562 (2019) (PDPA) B.E. 2566 (2023). It also outlines the consequences of failing to designate the DPO and offers assistance in evaluating the necessity of designating the DPO, selecting a suitable candidate, and fulfilling the DPO’s obligations and responsibilities.

Appointment and Notification of the Data Protection Officer:

The Personal Data Protection Committee (PDPC) has recently published a Notification on the Appointment of the Data Protection Officer, which came into force on December 13, 2023. This Notification, in conjunction with Section 41 of the PDPA, requires certain data controllers and processors to designate the DPO. In addition to designating the DPO, data controllers and processors who are required to do so must also provide the DPO’s information, including contact details, to both the data subjects and the office of the PDPC.

Guidance and Support:

To assist data controllers and processors in understanding their obligations regarding the DPO designation and the submission of the DPO’s information, the PDPC has issued a form for submitting the DPO’s information to its office. This form requires various details, such as the general information of the data controller or processor, the name and contact information of the DPO, and more. The PDPC has also provided a checklist to determine whether the designation of a DPO is necessary.

Importance of Compliance:

It is crucial for data controllers and processors to carefully assess whether they are required to designate the DPO, as failure to do so may result in administrative liability, including fines of up to one million Baht.

Assistance Offered:

Navigating the intricacies of determining the need for a DPO can prove daunting, particularly for individuals without a legal background who may encounter difficulties interpreting relevant laws. To address this challenge, our services extend to evaluating the necessity of appointing the DPO, offering guidance on selecting an appropriate candidate, and providing advice on the extensive obligations and responsibilities associated with the role. Furthermore, we offer support in the submission of the DPO’s pertinent information to the office of the PDPC.

Conclusion:

Compliance with the PDPA’s requirements regarding the DPO designation is essential for data controllers and processors. By understanding their obligations and seeking appropriate assistance, organizations can ensure they meet their legal responsibilities while protecting the personal data of individuals.

Author: Panisa Suwanmatajarn, Managing Partner.
