The Legal Dilemma: When Data Protection Clashes with Justice

In the bustling financial district of Bangkok, a peculiar challenge has emerged, pitting the pursuit of justice against the shield of personal data protection. This is the story of Company XYZ, a business caught in the crossfire of evolving legal landscapes.

For years, Company XYZ operated smoothly, relying on a time-tested system of check payments from its customers. When the occasional bad check surfaced, their legal team swiftly moved to prosecute the offenders. It was a straightforward process: identify the check signer, file a case, and let justice take its course.

However, the winds of change swept through Thailand with the enactment of the Personal Data Protection Act (PDPA) in 2019. Suddenly, the well-oiled machine of legal recourse began to sputter and stall. Banks, once cooperative in providing crucial information about check signatories, now hesitated, their silence fortified by the new data protection walls.

The company’s legal advisor, a seasoned attorney accustomed to navigating the intricacies of commercial law, found himself in uncharted waters. “We’re not asking for state secrets,” he argued, “just the name of someone who owes us money.” But the banks stood firm, leaving Company XYZ grappling with a surge of uncollectible debts and a growing sense of frustration.

In their quest for a solution, the company turned to the letter of the law, specifically Section 4(5) of the PDPA. This provision exempts certain judicial and criminal justice processes from the Act’s restrictions. Surely, they reasoned, their efforts to bring fraudsters to justice would fall under this umbrella.


However, the legal landscape proved more nuanced than anticipated. The Privacy Sub-Committee, tasked with interpreting the new law, drew a fine line. While courtroom proceedings and official investigations were indeed exempt, the preliminary evidence-gathering by private attorneys did not enjoy the same privilege. Company XYZ found itself caught in legal limbo, unable to access the information needed to initiate proceedings, yet still bound by the obligation to protect personal data.

This predicament raises profound questions about the balance between individual privacy and corporate rights. How can businesses protect themselves from fraud when the tools to identify wrongdoers are placed out of reach? And how do we ensure that data protection does not inadvertently become a shield for those seeking to evade financial responsibilities?

The story of Company XYZ is far from over. As they continue to navigate these choppy legal waters, a glimmer of hope emerges. The Privacy Committee suggests that banks may have grounds to disclose information under certain circumstances, particularly when there is a legitimate interest at stake. This potential pathway offers a ray of light, hinting at a future where data protection and the pursuit of justice might find a harmonious coexistence.

As Thailand, like many nations, grapples with the implications of stringent data protection in an increasingly digital world, the experiences of Company XYZ serve as a cautionary tale. It reminds us that in our quest to protect personal information, we must be vigilant not to inadvertently obstruct the very systems of accountability and justice that underpin a fair and functioning society.

Key Takeaways:

  1. The Personal Data Protection Act (PDPA) has limited banks’ willingness to share information about check signatories.
  2. Private attorneys and plaintiffs are not exempt from data protection laws when gathering evidence before filing a case.
  3. Banks may have legal grounds to disclose information in certain circumstances without violating data protection laws.
  4. Balancing data protection and the pursuit of justice requires careful consideration of legal exemptions and legitimate interests.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

Thailand’s Comprehensive Roadmap for Personal Data Protection: The Master Plan 2023-2026

Thailand has taken a significant step towards strengthening personal data protection within its borders by introducing the Master Plan of Personal Data Promotion and Protection from 2023 to 2026 (Master Plan). This comprehensive roadmap, approved by the Personal Data Protection Committee and the Committee of the National Digital Economy and Society Commission (ONDE), aims to establish a robust framework for safeguarding individuals’ privacy rights and fostering a secure digital environment.

Mandated by Section 44 (1) of the Personal Data Protection Act B.E.2562 (2019) (PDPA), the Office of the Personal Data Protection Commission (PDPC) has meticulously crafted this Master Plan to align with national policies, strategies, and relevant plans. The plan was officially published in the Royal Gazette and came into force on April 29, 2023.

A Phased Approach to Effective Implementation

The Master Plan is divided into three distinct phases spanning four years, each with specific objectives and focus areas:

Phase 1 (within 1 year): This initial phase concentrates on creating strict and sustainable enforcement measures for the PDPA. The emphasis is on establishing standards, tools, and guidelines for data protection, covering both individual and regional authorities.

Phase 2 (within 2 years): The second phase aims to implement innovative methods to deepen the understanding of the PDPA. Key goals include assisting individuals in comprehending their rights under the PDPA, enabling them to protect themselves against personal data privacy invasions, and ensuring competence among public and private sector personnel in personal data protection processes. Additionally, this phase aims to raise awareness among data controllers and processors regarding the penalties associated with non-compliance.

Phase 3 (within 4 years): The final phase focuses on aligning Thailand’s personal data protection standards with international benchmarks. This includes fostering international operational cooperation, positioning Thailand as a mentor for personal data protection to other countries, and enhancing the country’s competitive ability in areas such as data privacy, personal data protection, and trusted data in the World Digital Competitiveness Ranking (WDCR).

Prioritized Industries for Compliance

While the Master Plan aims to uplift personal data protection standards across all sectors, Phases 1 and 2 prioritize compliance in seven critical industries: (1) Security and crucial government services, (2) Information technology and telecommunication, (3) Retail, wholesale, and online trade, (4) Finance, investment, and insurance, (5) Public health, (6) Tourism, and (7) Education.

Four Strategic Pillars

To achieve the goals outlined in the four-year plan, the Master Plan presents four strategic pillars:

  1. PDPA Effective and Balanced Enforcement: This strategy focuses on developing standards, criteria, rules, tools, indicators, and data privacy governance, as well as improving personal data protection laws to strengthen personal data protection and promote actions that enhance the country’s competitiveness under the PDPA.
  2. PDPA Knowledge and Trust Enhancement: This strategy emphasizes strengthening human resources by increasing knowledge, understanding, awareness, and confidence in keeping up with changes in personal data governance and threats. It includes enhancing personal data protection skills certification, public relations, prevention, and problem-solving models to accelerate awareness and readiness for PDPA enforcement.
  3. PDPA Digital Economy and Society Promotion: This strategy aims to strengthen cooperation within Thailand and internationally to motivate stakeholder participation in creating and promoting the digital economy and society, increase the country’s personal data protection capabilities, and build a sustainable network.
  4. PDPA R&D and Technology: This strategy focuses on developing a research ecosystem to incentivize and support research and invention creation related to privacy-enhancing technologies (PET), data privacy, and data security. It encourages researchers and entrepreneurs to develop innovations that utilize personal data securely and fairly without being hindered by legal restrictions, thereby boosting Thailand’s global competitiveness.

Thailand’s commitment to personal data protection, as outlined in the Master Plan, demonstrates the nation’s determination to establish a robust framework that safeguards individuals’ privacy rights while fostering a secure and thriving digital landscape. By implementing this comprehensive roadmap, Thailand is poised to become a leader in personal data protection, not only within its borders but also on the global stage.

Author: Panisa Suwanmatajarn, Managing Partner.


Employment Termination: Navigating Confidentiality Breaches and Fair Practices

The Supreme Court’s ruling in Decision No. 7189/2562, a high-profile labor case, has shed a spotlight on the intricate interplay between employee confidentiality obligations and fair employment termination practices. The case involved an offshore petroleum company that terminated the employment of a training instructor after allegations of disclosing confidential company information. This decision offers valuable insights and lessons for both employers and employees alike.

Confidentiality Obligations: A Sacrosanct Duty

The court’s ruling reinforced the fundamental principle that employees have a sacrosanct duty to protect their employer’s confidential information and trade secrets. Unauthorized disclosure or mishandling of such sensitive data can constitute grounds for disciplinary action, including termination of employment. This obligation extends beyond the employee’s tenure with the company, underscoring the enduring nature of confidentiality responsibilities.

Defining Confidential Information: A Contextual Approach

The court adopted a contextual approach in defining what constitutes confidential information in this case. It scrutinized the nature of the information disclosed by the plaintiff-employee, specifically the audit reports from a third-party training organization. The court determined that these reports contained sensitive data pertaining to the defendant-company’s operations and training standards, and that they were protected by a non-disclosure agreement between the company and the third-party organization.

Notably, the agreement between the employer-defendant and the employee-plaintiff explicitly stipulated confidentiality obligations, whereby the plaintiff agreed to safeguard the defendant’s information and data. This agreement underscored the paramount importance the defendant placed on protecting and preserving information related to its business operations.

However, the plaintiff’s sending of the document containing the defendant’s organizational and managerial information, which served to ensure the defendant’s training and assessment standards, to the plaintiff’s personal email account raised significant concerns. This action facilitated the potential unauthorized transmission or removal of such information without the defendant being able to monitor or track its dissemination.

Consequently, the court viewed the plaintiff’s actions as a breach of duty, constituting dishonest conduct and an unauthorized disclosure of the defendant’s confidential information. This intentional act was deemed to have caused harm to the employer and amounted to a violation of disciplinary regulations governing workplace behavior.


Fair Termination Practices: Striking the Right Balance

While acknowledging the employer’s right to terminate employment for breaches of confidentiality, the court emphasized the importance of following fair termination procedures. This includes providing proper notice, adhering to labor laws, and ensuring that the termination is not considered unfair, retaliatory, or discriminatory. The court’s decision serves as a reminder that even in cases of confidentiality breaches, employers must exercise due diligence and uphold principles of fairness and equity.

Burden of Proof: A Stringent Standard

In cases of employment termination, the court placed a stringent burden of proof on the employer to demonstrate that the termination was justified and in compliance with applicable laws and regulations. The employer must provide clear and convincing evidence to substantiate the grounds for termination, particularly in cases involving confidentiality breaches, where the consequences for the employee can be severe.

Balancing Interests: A Delicate Equilibrium

The court’s ruling highlights the need to strike a delicate balance between the employer’s legitimate interest in protecting confidential information and trade secrets, and the employee’s right to fair treatment and due process during termination proceedings. This equilibrium ensures that both parties’ interests are safeguarded and that employment relationships are governed by principles of fairness, transparency, and mutual respect.

Confidentiality Policies and Procedures: A Proactive Approach

The court’s decision underscores the importance of employers implementing robust confidentiality policies and procedures. Clear guidelines, training programs, and well-defined consequences for breaches can help prevent confidentiality issues from arising in the first place. Additionally, ensuring that employees understand and acknowledge these policies can strengthen the employer’s position in the event of a dispute.

Employee Responsibilities: Upholding Trust and Integrity

For employees, this case serves as a reminder of the gravity of their confidentiality obligations and the potential consequences of breaching such trust. Employees must exercise utmost care in handling sensitive information and refrain from any unauthorized disclosure or misuse. Maintaining professional integrity and upholding the confidentiality of employer information is not only a legal obligation but also an ethical responsibility.

The Supreme Court’s ruling in this case has far-reaching implications for both employers and employees. It underscores the significance of maintaining confidentiality in the workplace and the potential consequences of breaching such obligations. At the same time, it emphasizes the importance of fair employment practices, adherence to labor laws, and the need for employers to provide due process and proper justification when terminating employees.

As the business landscape evolves, with an increasing emphasis on data protection and trade secret preservation, this ruling serves as a timely reminder for all parties to exercise caution in handling confidential information and to understand their respective rights and responsibilities in the employment relationship. By fostering a culture of trust, transparency, and mutual respect, employers and employees can create a harmonious and legally compliant work environment, where both parties’ interests are protected, and the sanctity of confidentiality is upheld.

Author: Panisa Suwanmatajarn, Managing Partner.


Cross-Border Transferring of Personal Data

This article follows our previous articles on the PDPC Notification on Criteria for Protection of Personal Data Sends or Transfers to a Foreign Country According to Section 28 of the PDPA (Draft Notification on Section 28) and the PDPC Notification on Criteria for Protection of Personal Data Sends or Transfers to a Foreign Country According to Section 29 of the PDPA (Draft Notification on Section 29) (collectively referred to as the Draft Notifications), which at the time were drafts open for public hearing. The Personal Data Protection Committee (PDPC) in Thailand has now announced the official versions of the Draft Notifications, which take effect on 24 March 2024. This article outlines the essential differences between the Draft Notifications and their respective official versions.

Subordinate regulation pursuant to Section 28 of the PDPA:

As we discussed at length in the Draft Notification on Section 28 article, Section 28 of the Personal Data Protection Act B.E. 2562 (2019) (PDPA) prescribes the condition under which a data controller may transfer personal data across borders: the destination country or international organization must be deemed to have an adequate personal data protection standard; otherwise, another exemption must be relied upon (e.g., consent from the data subjects). What counts as an adequate personal data protection standard is also covered in that article. The official version and the draft version are substantially the same, except for the defined terms, which were added to exclude the sending or transferring of personal data of the following nature: (1) the sending or transferring of personal data by an intermediary acting as a data transit; and (2) the sending or transferring of personal data between computer systems or data storages, provided that no third party has access to such personal data. Examples of the exempted activities include the sending or transferring of personal data by a cloud computing service provider. This exclusion relieves intermediaries and cloud computing service providers, as well as the controllers or processors using them, of compliance burdens.

Subordinate regulation pursuant to Section 29 of the PDPA:

Continuing from our previous article on the Draft Notification on Section 29, we discussed that the PDPA provides two additional mechanisms for the cross-border transfer of personal data: (1) cross-border transfer of personal data among affiliated companies, provided that the personal data protection policy (Binding Corporate Rules or BCR) is reviewed and certified; and (2) where there is no whitelist country (i.e., per Section 28) and the BCR has not been reviewed or certified, a data controller may transfer personal data across borders provided that an appropriate safeguard ensuring the enforceability of the data subject’s rights and legal remedial measures has been put in place.


We have also discussed that the appropriate safeguard could be achieved through the use of a Model Contractual Clause, namely (1) the ASEAN Model Contractual Clauses for Cross-Border Data Flows; or (2) the Standard Contractual Clauses for the Transfer of Personal Data to Third Countries issued pursuant to Articles 46 (1), (2) (c), and 28 (7) of Regulation (EU) 2016/679, the European Union General Data Protection Regulation, commonly known as the GDPR. The official version of the subordinate regulation pursuant to Section 29 of the PDPA sets out the elements required in such a Model Contractual Clause. Notable required elements include, but are not limited to, (1) measures for notifying the data subject of the sending or transferring of personal data; (2) measures for limiting the sending or transferring of personal data; (3) measures specifying responsibility for the sending or transferring of personal data, to be included in the contract; (4) measures to maintain security in the sending or transferring of personal data; (5) measures ensuring effective remedial measures; and others. Moreover, revisions or amendments to the Model Contractual Clause are possible, provided that the revision or amendment is not contrary to the required elements given as samples. Please be reminded that the Model Contractual Clause may be used as an alternative to a reviewed and certified BCR. Data controllers and processors may adopt whichever method is appropriate to their normal business operations.

The development of these subordinate regulations will change not only the course of normal business operations but also the paradigm of personal data protection in the digital era. Aligning the cross-border transfer requirements with international standards will not only ease Thai data controllers’ and data processors’ compliance with the PDPA and other personal data protection regulations internationally, but also allow foreign data controllers and data processors to comply easily with the Thai requirements, indirectly promoting investment in Thailand.

Author: Panisa Suwanmatajarn, Managing Partner.


Subordinate Regulations for Enhanced Security Measures under the PDPA

Introduction:

The Personal Data Protection Committee (PDPC) in Thailand has recently announced two important notifications as part of its ongoing efforts to enforce the Personal Data Protection Act B.E. 2562 (2019) (PDPA) and ensure robust information privacy practices. These subordinate regulations, namely the PDPC Notification Concerning the Security Standard for Personal Data under the Responsibility of Data Controllers Exempted from the Enforcement of the PDPA, and the PDPC Notification Concerning the Appropriate Security Measures to Protect the Rights and Freedom of the Data Subject in the Processing of Personal Data for Purposes Relating to the Preparation of the Historical Documents or the Archives for Public Interest, are set to come into effect on March 7, B.E. 2567 (2024).

PDPC Notification Concerning the Security Standard for Personal Data under the Responsibility of Data Controllers Exempted from the Enforcement of the PDPA:

Following our previous coverage of this topic (PDPC notification on security standards for personal data controllers exempted from the PDPA), the PDPC conducted a public hearing to gather input and evaluate the imposition of obligations on data controllers exempted from the PDPA. The official version of the notification has been published, and its provisions are identical to those previously discussed. For more details, please refer to our earlier article on the PDPC notification on security standards for personal data controllers exempted from the PDPA in the link above.


PDPC Notification Concerning the Appropriate Security Measures to Protect the Rights and Freedom of the Data Subject in the Processing of Personal Data for Purposes Relating to the Preparation of the Historical Document or the Archives for Public Interest:

Section 24 (1) of the PDPA exempts certain data controllers from obtaining prior consent from data subjects when collecting, using, or disclosing personal data for the preparation of historical documents or archives for public interest purposes. However, these data controllers are still obligated to implement specific security measures to safeguard the personal data of individuals. The following summary outlines the key security measures:

  1. Implementation of Organizational, Technical, and Physical Safeguards: Data controllers must establish and maintain appropriate organizational, technical, and physical safeguards to ensure that personal data processing is limited to purposes directly connected to the preparation of historical documents or archives for public interest.
  2. Suitable Security Measures: Data controllers must implement security measures that effectively prevent unauthorized or unlawful loss, access, use, alteration, correction, or disclosure of personal data, in accordance with Section 37 (1) of the PDPA.

Additionally, data controllers may consider pseudonymization or encryption of personal data, where applicable, to minimize the risk of exposure. However, such additional safeguards should not compromise the intended purposes of preparing historical documents or archiving and must be assessed based on the specific contexts of personal data processing and the associated risks involved.

Conclusion:

The introduction of these subordinate regulations by the PDPC highlights its commitment to enhancing personal data security measures in Thailand. By providing guidance on security standards and appropriate measures, these regulations reinforce the enforcement of the PDPA and safeguard the rights and freedoms of individuals with regard to their personal data. It is crucial for organizations to understand the nature of their personal data processing activities and undertake a case-by-case interpretation and consideration to ensure compliance with these regulations. As Thailand continues to prioritize data protection, these measures lay a strong foundation for fostering a culture of responsible and secure handling of personal data in the country.

Author: Panisa Suwanmatajarn, Managing Partner.


Data Protection Officer: Guidelines and Assistance for Designation

Introduction:

This article provides an overview of the obligations and requirements surrounding the designation of a Data Protection Officer (DPO) in accordance with the Personal Data Protection Act B.E. 2562 (2019) (PDPA) B.E. 2566 (2023). It also outlines the consequences of failing to designate the DPO and offers assistance in evaluating the necessity of designating the DPO, selecting a suitable candidate, and fulfilling the DPO’s obligations and responsibilities.

Appointment and Notification of the Data Protection Officer:

The Personal Data Protection Committee (PDPC) has recently published a Notification on the Appointment of the Data Protection Officer, which came into force on December 13, 2023. This Notification, in conjunction with Section 41 of the PDPA, requires certain data controllers and processors to designate a DPO. In addition to designating the DPO, data controllers and processors who are required to do so must also provide the DPO’s information, including contact details, to both the data subjects and the office of the PDPC.

Guidance and Support:

To assist data controllers and processors in understanding their obligations regarding the DPO designation and the submission of DPO’s information, the PDPC has issued a form for submitting the DPO’s information to their office. This form requires various details, such as the general information of the data controller or processor, the name and contact information of the DPO, and more. The PDPC has also provided a checklist to determine whether the designation of DPO is necessary.

Importance of Compliance:

It is crucial for data controllers and processors to carefully assess whether they are required to designate the DPO, as failure to do so may result in administrative liability, including fines of up to one million Baht.

Assistance Offered:

Navigating the intricacies of determining the need for DPO can prove daunting, particularly for individuals without a legal background who may encounter difficulties interpreting relevant laws. To address this challenge, our services extend to evaluating the necessity of appointing the DPO, offering guidance on selecting an appropriate candidate, and providing advice on the extensive obligations and responsibilities associated with the role. Furthermore, we offer support in the submission of the DPO’s pertinent information to the office of PDPC.

Conclusion:

Compliance with the PDPA’s requirements regarding the DPO designation is essential for data controllers and processors. By understanding their obligations and seeking appropriate assistance, organizations can ensure they meet their legal responsibilities while protecting the personal data of individuals.

Author: Panisa Suwanmatajarn, Managing Partner.


PDPC Notification on Criteria for Protection of Personal Data Sends or Transfers to a Foreign Country According to Section 28 of the PDPA

The Office of the Personal Data Protection Commission (“PDPC”) conducted a public hearing on the draft PDPC Notification on the Criteria for Protection of Personal Data Sends or Transfers to a Foreign Country According to Section 28 of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) (“Notification”). The public hearing was conducted from 27 October 2023 to 10 November 2023.

Section 28 of the PDPA prescribes a condition under which the data controller may cross-border transfer personal data, that is, if the destination country or international organization is deemed to have an adequate personal data protection standard, otherwise, other exemptions would have to be relied upon (e.g., consent from the data subject). In this regard, the Notification aims to set out the criteria by which the PDPC may deem a country or international organization to have an adequate personal data protection standard.

Article 5 of the Notification prescribes that the determination of adequate personal data protection standards shall be based on:

  1. Whether the destination country or international organization has a legal protection mechanism equivalent to or higher than that prescribed under Thai law, specifically with regard to the data controller’s obligations, personal data protection mechanisms, the enforcement of the data subject’s rights, and effective remedial measures.
  2. Whether there is an agency or organization with the duty and power to enforce the personal data protection laws in the destination country or international organization, provided that such enforcement shall not be lower than that of Thailand.

Additionally, the Notification also prescribes that the data controllers may submit for the PDPC’s determination if such a destination country or international organization is of adequate personal data protection level or that the PDPC may gather the information themselves. The publication of a list of countries the PDPC deems to have adequate personal data protection (otherwise known as a whitelist country) will be closely monitored and updated.

Author: Panisa Suwanmatajarn, Managing Partner.

PDPC Notification on Criteria for Protection of Personal Data Sends or Transfers to a Foreign Country According to Section 29 of the PDPA

The Office of the Personal Data Protection Commission (“PDPC”) conducted a public hearing on the draft PDPC Notification on the Criteria for Protection of Personal Data Sends or Transfers to a Foreign Country According to Section 29 of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) (“Notification”). The public hearing was open from 27 October 2023 to 10 November 2023.

In addition to the exemptions for cross-border transfer of personal data provided in Section 28 of the PDPA (i.e., whitelist countries and other exemptions), Section 29 provides two additional mechanisms for the cross-border transfer of personal data: (1) cross-border transfer of personal data among affiliated companies, provided that the personal data protection policy (also known as “Binding Corporate Rules” or “BCR”) is reviewed and certified by the PDPC; and (2) where there is no whitelist country (i.e., per Section 28) and the BCR has not been reviewed and certified by the PDPC, a data controller may transfer personal data across borders provided that an appropriate safeguard ensuring the enforceability of the data subject’s rights and legal remedial measures has been put in place.

In this regard, the Notification sets out the required characteristics of the BCR and the appropriate safeguard as follows:

  1. The legitimacy and enforceability of the BCR against the juristic persons and natural persons involved, including data controllers, data processors, and receivers of personal data within the same affiliated group, provided that such enforceability also extends to the employees and personnel involved in transferring and receiving personal data.
  2. The terms that ensure the protection of personal data, the rights of the data subject, and the right to file a complaint in relation to the transferred personal data.
  3. The security measures shall be in accordance with those prescribed under the personal data protection law.

The appropriate safeguard referred to above may take the form of (1) a data transfer agreement; (2) a certification covering the collection, use, and disclosure of personal data; or (3) a bilateral agreement between international organizations or agencies.

The Notification further prescribes that the data transfer agreement mentioned above may be any of the following: (1) an agreement between the transferring and receiving parties containing the required contractual clauses; (2) the ASEAN Model Contractual Clauses for Cross-Border Data Flows; or (3) the Standard Contractual Clauses for the Transfer of Personal Data to Third Countries issued pursuant to Article 46 (1), (2) (c), and 28 (7) of Regulation (EU) 2016/679, the European Union General Data Protection Regulation, commonly known as the GDPR.

The Notification is highly detailed; international organizations and corporations may need to closely monitor its development until its publication and enforcement. It appears that the PDPC has adopted its own interpretation rather than following that of the GDPR. Data controllers that follow EU practice should therefore revisit this issue, especially those who rely upon the Standard Contractual Clauses (“SCC”).

In the EU, many companies have adopted the SCC, which are pre-approved contractual clauses issued by the European Commission that organizations can use to ensure adequate safeguards for data transfers to countries outside the EU. While the SCC provide a more straightforward and less time-consuming solution for organizations, they are standardized clauses that cannot be modified. BCR provide more flexibility and customization options than the SCC and can be tailored to the specific requirements of a business. Once implemented and operational, BCR are significantly easier to manage than intra-group contracts incorporating the SCC. Additionally, because BCR require approval from the PDPC, they establish a rigorous level of compliance with the PDPA, thereby reducing the business’s exposure and serving as a recognized benchmark for achieving compliance. BCR are suitable for multinational organizations with subsidiaries or affiliates in different countries.

Author: Panisa Suwanmatajarn, Managing Partner.


PDPC Notification on Security Standards for Personal Data Controllers Exempted from PDPA

The Office of the Personal Data Protection Commission (PDPC) conducted a public hearing on the draft PDPC Notification Concerning the Security Standards for Personal Data under the Responsibility of Data Controllers Exempted from the Enforcement of the Personal Data Protection Act B.E. 2562 (2019) (PDPA) (“Notification”). The public hearing was held from 17 October 2023 to 31 October 2023.

Under Section 4 of the PDPA, certain data controllers, including public authorities, the media, the House of Representatives, the Senate, the Parliament, the courts, and the credit bureau, are exempted from the enforcement of the PDPA. However, Section 4 paragraph 3 of the PDPA mandates that these exempted data controllers must implement security measures to protect personal data.


The draft Notification sets out the security measures that exempted data controllers must adhere to. These measures are similar to those prescribed in the PDPC’s Notification on Security Measures for the Protection of Personal Data B.E. 2565 (2022). The key measures include:

  1. Implementing organizational, technical, and physical measures to safeguard personal data, regardless of its form (physical or digital).
  2. Ensuring the confidentiality, integrity, and availability of personal data.
  3. Extending security measures to servers, software, or applications for storing or processing personal data.
  4. Implementing access control, identity proofing and authentication, need-to-know basis access, user access management, determination of user responsibilities, and personal data audit trails.
  5. Raising awareness about privacy and security among employees or users with access to personal data.
  6. Adopting pseudonymization or encryption measures to minimize the risk of unauthorized or unlawful processing of personal data.

Enforcement of these measures will be closely monitored once the draft Notification comes into force.

Author: Panisa Suwanmatajarn, Managing Partner.
