The Legal Dilemma: When Data Protection Clashes with Justice

In the bustling financial district of Bangkok, a peculiar challenge has emerged, pitting the pursuit of justice against the shield of personal data protection. This is the story of Company XYZ, a business caught in the crossfire of evolving legal landscapes.

For years, Company XYZ operated smoothly, relying on a time-tested system of check payments from its customers. When the occasional bad check surfaced, their legal team swiftly moved to prosecute the offenders. It was a straightforward process: identify the check signer, file a case, and let justice take its course.

However, the winds of change swept through Thailand with the enactment of the Personal Data Protection Act (PDPA) in 2019. Suddenly, the well-oiled machine of legal recourse began to sputter and stall. Banks, once cooperative in providing crucial information about check signatories, now hesitated, their silence fortified by the new data protection walls.

The company’s legal advisor, a seasoned attorney accustomed to navigating the intricacies of commercial law, found himself in uncharted waters. “We’re not asking for state secrets,” he argued, “just the name of someone who owes us money.” But the banks stood firm, leaving Company XYZ grappling with a surge of uncollectible debts and a growing sense of frustration.

In their quest for a solution, the company turned to the letter of the law, specifically Section 4(5) of the PDPA. This provision exempts certain judicial and criminal justice processes from the Act’s restrictions. Surely, they reasoned, their efforts to bring fraudsters to justice would fall under this umbrella.


However, the legal landscape proved more nuanced than anticipated. The Privacy Sub-Committee, tasked with interpreting the new law, drew a fine line. While courtroom proceedings and official investigations were indeed exempt, the preliminary evidence-gathering by private attorneys did not enjoy the same privilege. Company XYZ found itself caught in legal limbo, unable to access the information needed to initiate proceedings, yet still bound by the obligation to protect personal data.

This predicament raises profound questions about the balance between individual privacy and corporate rights. How can businesses protect themselves from fraud when the tools to identify wrongdoers are placed out of reach? And how do we ensure that data protection does not inadvertently become a shield for those seeking to evade financial responsibilities?

The story of Company XYZ is far from over. As they continue to navigate these choppy legal waters, a glimmer of hope emerges. The Privacy Committee suggests that banks may have grounds to disclose information under certain circumstances, particularly when there is a legitimate interest at stake. This potential pathway offers a ray of light, hinting at a future where data protection and the pursuit of justice might find a harmonious coexistence.

As Thailand, like many nations, grapples with the implications of stringent data protection in an increasingly digital world, the experiences of Company XYZ serve as a cautionary tale. It reminds us that in our quest to protect personal information, we must be vigilant not to inadvertently obstruct the very systems of accountability and justice that underpin a fair and functioning society.

Key Takeaways:

  1. The Personal Data Protection Act (PDPA) has limited banks’ willingness to share information about check signatories.
  2. Private attorneys and plaintiffs are not exempt from data protection laws when gathering evidence before filing a case.
  3. Banks may have legal grounds to disclose information in certain circumstances without violating data protection laws.
  4. Balancing data protection and the pursuit of justice requires careful consideration of legal exemptions and legitimate interests.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

Thailand’s Comprehensive Roadmap for Personal Data Protection: The Master Plan 2023-2026

Thailand has taken a significant step towards strengthening personal data protection within its borders by introducing the Master Plan of Personal Data Promotion and Protection from 2023 to 2026 (Master Plan). This comprehensive roadmap, approved by the Personal Data Protection Committee and the Committee of the National Digital Economy and Society Commission (ONDE), aims to establish a robust framework for safeguarding individuals’ privacy rights and fostering a secure digital environment.

Mandated by Section 44 (1) of the Personal Data Protection Act B.E.2562 (2019) (PDPA), the Office of the Personal Data Protection Commission (PDPC) has meticulously crafted this Master Plan to align with national policies, strategies, and relevant plans. The plan was officially published in the Royal Gazette and came into force on April 29, 2023.

A Phased Approach to Effective Implementation

The Master Plan is divided into three distinct phases spanning four years, each with specific objectives and focus areas:

Phase 1 (within 1 year): This initial phase concentrates on creating strict and sustainable enforcement measures for the PDPA. The emphasis is on establishing standards, tools, and guidelines for data protection, covering both individual and regional authorities.

Phase 2 (within 2 years): The second phase aims to implement innovative methods to deepen the understanding of the PDPA. Key goals include assisting individuals in comprehending their rights under the PDPA, enabling them to protect themselves against personal data privacy invasions, and ensuring competence among public and private sector personnel in personal data protection processes. Additionally, this phase aims to raise awareness among data controllers and processors regarding the penalties associated with non-compliance.

Phase 3 (within 4 years): The final phase focuses on aligning Thailand’s personal data protection standards with international benchmarks. This includes fostering international operational cooperation, positioning Thailand as a mentor for personal data protection to other countries, and enhancing the country’s competitive ability in areas such as data privacy, personal data protection, and trusted data in the World Digital Competitiveness Ranking (WDCR).

Prioritized Industries for Compliance

While the Master Plan aims to uplift personal data protection standards across all sectors, Phases 1 and 2 prioritize compliance in seven critical industries: (1) Security and crucial government services, (2) Information technology and telecommunication, (3) Retail, wholesale, and online trade, (4) Finance, investment, and insurance, (5) Public health, (6) Tourism, and (7) Education.

Four Strategic Pillars

To achieve the goals outlined in the four-year plan, the Master Plan presents four strategic pillars:

  1. PDPA Effective and Balanced Enforcement: This strategy focuses on developing standards, criteria, rules, tools, indicators, and data privacy governance, as well as improving personal data protection laws to strengthen personal data protection and promote actions that enhance the country’s competitiveness under the PDPA.
  2. PDPA Knowledge and Trust Enhancement: This strategy emphasizes strengthening human resources by increasing knowledge, understanding, awareness, and confidence in keeping up with changes in personal data governance and threats. It includes enhancing personal data protection skills certification, public relations, prevention, and problem-solving models to accelerate awareness and readiness for PDPA enforcement.
  3. PDPA Digital Economy and Society Promotion: This strategy aims to strengthen cooperation within Thailand and internationally to motivate stakeholder participation in creating and promoting the digital economy and society, increase the country’s personal data protection capabilities, and build a sustainable network.
  4. PDPA R&D and Technology: This strategy focuses on developing a research ecosystem to incentivize and support research and invention creation related to privacy-enhancing technologies (PET), data privacy, and data security. It encourages researchers and entrepreneurs to develop innovations that utilize personal data securely and fairly without being hindered by legal restrictions, thereby boosting Thailand’s global competitiveness.

Thailand’s commitment to personal data protection, as outlined in the Master Plan, demonstrates the nation’s determination to establish a robust framework that safeguards individuals’ privacy rights while fostering a secure and thriving digital landscape. By implementing this comprehensive roadmap, Thailand is poised to become a leader in personal data protection, not only within its borders but also on the global stage.

Author: Panisa Suwanmatajarn, Managing Partner.


Employment Termination: Navigating Confidentiality Breaches and Fair Practices

The Supreme Court’s ruling in Decision No. 7189/2562, a high-profile labor case, has cast a spotlight on the intricate interplay between employee confidentiality obligations and fair employment termination practices. The case involved an offshore petroleum company that terminated the employment of a training instructor after allegations of disclosing confidential company information. This decision offers valuable insights and lessons for employers and employees alike.

Confidentiality Obligations: A Sacrosanct Duty

The court’s ruling reinforced the fundamental principle that employees have a sacrosanct duty to protect their employer’s confidential information and trade secrets. Unauthorized disclosure or mishandling of such sensitive data can constitute grounds for disciplinary action, including termination of employment. This obligation extends beyond the employee’s tenure with the company, underscoring the enduring nature of confidentiality responsibilities.

Defining Confidential Information: A Contextual Approach

The court adopted a contextual approach in defining what constitutes confidential information in this case. It scrutinized the nature of the information disclosed by the plaintiff-employee, specifically the audit reports from a third-party training organization. The court determined that these reports contained sensitive data pertaining to the defendant-company’s operations and training standards, and were protected by a non-disclosure agreement between the company and the third-party organization.

Notably, the agreement between the employer-defendant and the employee-plaintiff explicitly stipulated confidentiality obligations, whereby the plaintiff agreed to safeguard the defendant’s information and data. This agreement underscored the paramount importance the defendant placed on protecting and preserving information related to its business operations.

However, the plaintiff’s submission of the document containing the defendant’s organizational and managerial information, aimed at ensuring the defendant’s training and assessment standards, to the plaintiff’s personal email account raised significant concerns. This action facilitated the potential unauthorized transmission or removal of such information without the defendant’s ability to monitor or track its dissemination.

Consequently, the court viewed the plaintiff’s actions as a breach of duty, constituting dishonest conduct and an unauthorized disclosure of the defendant’s confidential information. This intentional act was deemed to have caused harm to the employer and amounted to a violation of disciplinary regulations governing workplace behavior.


Fair Termination Practices: Striking the Right Balance

While acknowledging the employer’s right to terminate employment for breaches of confidentiality, the court emphasized the importance of following fair termination procedures. This includes providing proper notice, adhering to labor laws, and ensuring that the termination is not considered unfair, retaliatory, or discriminatory. The court’s decision serves as a reminder that even in cases of confidentiality breaches, employers must exercise due diligence and uphold principles of fairness and equity.

Burden of Proof: A Stringent Standard

In cases of employment termination, the court placed a stringent burden of proof on the employer to demonstrate that the termination was justified and in compliance with applicable laws and regulations. The employer must provide clear and convincing evidence to substantiate the grounds for termination, particularly in cases involving confidentiality breaches, where the consequences for the employee can be severe.

Balancing Interests: A Delicate Equilibrium

The court’s ruling highlights the need to strike a delicate balance between the employer’s legitimate interest in protecting confidential information and trade secrets, and the employee’s right to fair treatment and due process during termination proceedings. This equilibrium ensures that both parties’ interests are safeguarded and that employment relationships are governed by principles of fairness, transparency, and mutual respect.

Confidentiality Policies and Procedures: A Proactive Approach

The court’s decision underscores the importance of employers implementing robust confidentiality policies and procedures. Clear guidelines, training programs, and well-defined consequences for breaches can help prevent confidentiality issues from arising in the first place. Additionally, ensuring that employees understand and acknowledge these policies can strengthen the employer’s position in the event of a dispute.

Employee Responsibilities: Upholding Trust and Integrity

For employees, this case serves as a reminder of the gravity of their confidentiality obligations and the potential consequences of breaching such trust. Employees must exercise utmost care in handling sensitive information and refrain from any unauthorized disclosure or misuse. Maintaining professional integrity and upholding the confidentiality of employer information is not only a legal obligation but also an ethical responsibility.

The Supreme Court’s ruling in this case has far-reaching implications for both employers and employees. It underscores the significance of maintaining confidentiality in the workplace and the potential consequences of breaching such obligations. At the same time, it emphasizes the importance of fair employment practices, adherence to labor laws, and the need for employers to provide due process and proper justification when terminating employees.

As the business landscape evolves, with an increasing emphasis on data protection and trade secret preservation, this ruling serves as a timely reminder for all parties to exercise caution in handling confidential information and to understand their respective rights and responsibilities in the employment relationship. By fostering a culture of trust, transparency, and mutual respect, employers and employees can create a harmonious and legally compliant work environment, where both parties’ interests are protected, and the sanctity of confidentiality is upheld.

Author: Panisa Suwanmatajarn, Managing Partner.


Accommodating Foreigners Coming to Thailand: Proposed Amendments to the Immigration Act

The current Immigration Act B.E. 2522 (1979) is considered outdated and in need of revision to better accommodate the needs of foreigners seeking to enter the country. The proposed draft of the Immigration Act (No…) B.E. …. (“Draft”) aims to address these concerns by streamlining procedures and reducing bureaucratic obstacles for foreigners and relevant individuals.

Proposed Amendments

1. Notification Requirements for Foreigners Staying in Thailand

The Draft proposes the elimination of certain notification requirements for foreigners staying in Thailand. Specifically, it removes the requirement for foreigners permitted to stay temporarily in Thailand, but not engaged in an occupation or employment, to notify the competent officer of their residential address, leaving only foreigners wishing to extend their stay beyond 90 days with the duty to notify the competent official at the Immigration Bureau of their residence. Additionally, the Chief of the National Police will be granted the authority to specify the procedure, method, and duration for this notification.

2. Residing Notification Duties

Under the Draft, the duty of the owner, possessor of a dwelling, or hotel manager to notify the address of temporary residents will shift from notifying a competent official in person at the local Immigration Bureau or local police station to allowing notification by online means as an option. This is intended to facilitate the notification process and reduce the need for in-person visits to immigration offices or local police stations.


3. Quota for Annual Residence in Thailand

The Draft includes provisions for amending the quota of foreigners eligible for annual residence in Thailand. The Cabinet will have the authority to specify the number of foreigners permitted to have annual residence in Thailand, not exceeding 100 people per country per year, and 50 people per year for stateless individuals. The determination of the number of foreigners eligible for annual residence will be made in consideration of mutual support principles and the necessity and security of the state.

4. Changes in Liabilities for Non-Compliance

The Draft also includes changes to the liabilities for non-compliance with notification requirements. Rather than criminal fines, the Draft introduces disciplinary fines for any foreigner, owner, or possessor of a dwelling, or hotel manager who fails to notify the competent officer.

The Draft’s proposed amendments to the Immigration Act B.E. 2522 (1979) have passed the public hearing process and will need to pass consideration by the parliament before coming into force.

The proposed amendments to the Immigration Act B.E. 2522 (1979) in Thailand seek to modernize and streamline the immigration process, while also addressing the needs and concerns of foreigners seeking to stay in the country. It is an important step towards ensuring a more efficient and transparent immigration system that aligns with the current realities and requirements of all parties involved.

Author: Panisa Suwanmatajarn, Managing Partner.


Modernizing Hospitality: An In-Depth Look at the Proposed Amendments to the Hotel Act

Introduction:

The proposed amendments to the current Hotel Act (B.E.2547, 2004) aim to revolutionize the hospitality industry by streamlining and modernizing the responsibilities of hotel managers. These changes primarily focus on the documentation and reporting processes related to guest information, as well as the electronic submission of the lodger registration card. Additionally, the bill includes provisions to establish guidelines for the development of electronic systems. This article delves into the key points of the proposed amendments, shedding light on their potential impact.

Amendment of the Duties of Hotel Managers:

One of the main aspects of the bill involves amending the duties of hotel managers regarding the recording of guest information, as stipulated in Section 35 of the current Hotel Act (B.E.2547, 2004). Specifically, the proposed amendments advocate for the adoption of electronic methods to record guest details, with a primary focus on the “Lodger Registration” (Form Ror. Ror.4). This shift aims to minimize unnecessary burdens on both guests and hotel managers. Additionally, the bill seeks to eliminate the requirement for guests to fill out the “Lodger Registration Card” (Form Ror. Ror.3), which will relieve hotels from completing the lodging registration card within 24 hours and retaining it for at least one year.


Electronic Submission of Guest Information to the Registrar:

The bill proposes significant alterations to the responsibilities of hotel managers outlined in Section 36 of the current Hotel Act (B.E.2547, 2004). These changes primarily pertain to the submission of guest information to the Department of Provincial Administration, known as the Registrar. The proposed amendments advocate for the adoption of electronic means to transmit guest data within a 24-hour period. Moreover, the Registrar will be entrusted with forwarding information related to foreign guests to the Immigration Bureau, aiming to simplify legal compliance and promote inter-agency data sharing. This amendment seeks to relieve hotel managers from the direct obligation of sending information regarding foreign guests to the Immigration Bureau. Furthermore, the bill proposes expanding the legal provisions that outline the roles of the Registrar in collecting, aggregating, and disclosing guest information received from hotels. This expansion aims to ensure that the government can effectively utilize the data for security and research purposes related to tourism and the development of the hotel industry, in line with relevant laws and principles set forth by the Digital Government Development Agency (Public Organization) (DGA).

Change of Administrative Fines to Disciplinary Fines:

To streamline the legal framework, the bill also proposes amending the administrative fines associated with Sections 35 and 36 of the Hotel Act (B.E.2547, 2004), replacing them with disciplinary fines.

Conclusion:

In conclusion, the proposed amendments to the Hotel Act (B.E.2547, 2004) place a strong emphasis on leveraging electronic systems, reducing administrative burdens, and promoting efficient data sharing among government agencies. The objective is to enhance the overall effectiveness of the law while aligning it with contemporary technological advancements and administrative practices in the hospitality industry. Furthermore, the bill updates its penalty provisions to include the adoption of disciplinary fines, streamlining the legal process of imposing penalties. As of now, the bill is undergoing a public hearing process until January 31, 2024. These amendments have the potential to shape the future of the hospitality industry, fostering efficiency and innovation while ensuring compliance with relevant laws and regulations.

Author: Panisa Suwanmatajarn, Managing Partner.


Cross-Border Transferring of Personal Data

Our previous articles covered the PDPC Notification on Criteria for Protection of Personal Data Sends or Transfers to a Foreign Country According to Section 28 of the PDPA (Draft Notification on Section 28) and the PDPC Notification on Criteria for Protection of Personal Data Sends or Transfers to a Foreign Country According to Section 29 of the PDPA (Draft Notification on Section 29) (collectively referred to as the Draft Notifications), which at the time were drafts for public hearing. The Personal Data Protection Committee (PDPC) in Thailand has now announced the official versions of the Draft Notifications, which take effect on 24 March 2024. This article outlines the essential differences between the Draft Notifications and their respective official versions.

Subordinate regulation pursuant to Section 28 of the PDPA:

As we have discussed at length, Section 28 of the Personal Data Protection Act B.E. 2562 (2019) (PDPA) prescribes a condition under which the data controller may transfer personal data across borders: the destination country or international organization must be deemed to have an adequate personal data protection standard; otherwise, another exemption has to be relied upon (e.g., consent from the data subjects). More information on what is deemed an adequate personal data protection standard can be found in the Draft Notification on Section 28. The official version and the draft version are substantially the same, except for the defined terms, which were added to exclude the sending or transferring of personal data of the following nature: (1) the sending or transferring of personal data by an intermediary as a data transit; (2) the sending or transferring of personal data between computer systems or data storages, provided that no third party has access to such personal data. Examples of the exempted activities include the sending or transferring of personal data by a cloud computing service provider. This exclusion relieves intermediaries and cloud computing service providers, as well as controllers or processors, of compliance burdens.

Subordinate regulation pursuant to Section 29 of the PDPA:

In our previous article on the Draft Notification on Section 29, we discussed that the PDPA provides two additional mechanisms for the cross-border transfer of personal data: (1) cross-border transfer of personal data among affiliated companies, provided that the personal data protection policy (Binding Corporate Rules or BCR) is reviewed and certified; and (2) where the destination is not a whitelisted country (i.e., per Section 28) and the BCR has not been reviewed or certified, a data controller may transfer personal data across borders provided that appropriate safeguards that ensure the enforceability of the data subject’s rights, together with legal remedial measures, have been put in place.


We have also discussed that the appropriate safeguard could be achieved through the use of the Model Contractual Clause, namely (1) ASEAN Model Contractual Clauses for Cross-Border Data Flows; or (2) Standard Contractual Clauses for the Transfer of Personal Data to Third Countries issued pursuant to Articles 46 (1), (2) (c), and 28 (7) of Regulation (EU) 2016/679 or the European Union General Data Protection Regulation, commonly known as GDPR. The official version of the subordinate regulation pursuant to Section 29 of the PDPA sets out the elements required in such Model Contractual Clause. Notable required elements include, but are not limited to: (1) measures for notifying the sending or transferring of personal data to the data subject; (2) measures for limiting the sending or transferring of personal data; (3) measures for specifying responsibility for the sending or transferring of personal data to be included in the contract; (4) measures to maintain security in the sending or transferring of personal data; (5) measures for ensuring effective remedial measures; and others. Moreover, revisions/amendments to the Model Contractual Clause are possible, provided that such revision/amendment is not contrary to the required elements as samples. Please be reminded that the Model Contractual Clause may be used as an alternative to the reviewed and certified BCR. Data controllers and processors have the choice to adopt the method deemed appropriate to their normal business operation.

The development of these subordinate regulations will change not only the course of normal business operations but also the paradigm of personal data protection in the digital era. Unifying the requirements for cross-border transfers of personal data with those of international standards will not only ease Thai data controllers’ and data processors’ compliance with the PDPA and other personal data protection regulations internationally but also allow foreign data controllers and data processors to comply easily with the Thai requirements, indirectly promoting investment in Thailand.

Author: Panisa Suwanmatajarn, Managing Partner.


Subordinate Regulations for Enhanced Security Measures under the PDPA

Introduction:

The Personal Data Protection Committee (PDPC) in Thailand has recently announced two important notifications as part of its ongoing efforts to enforce the Personal Data Protection Act B.E. 2562 (2019) (PDPA) and ensure robust information privacy practices. These subordinate regulations, namely the PDPC Notification Concerning the Security Standard for Personal Data under the Responsibility of Data Controllers Exempted from the Enforcement of the PDPA, and the PDPC Notification Concerning the Appropriate Security Measures to Protect the Rights and Freedom of the Data Subject in the Processing of Personal Data for Purposes Relating to the Preparation of the Historical Documents or the Archives for Public Interest, are set to come into effect on March 7, B.E. 2567 (2024).

PDPC Notification Concerning the Security Standard for Personal Data under the Responsibility of Data Controllers Exempted from the Enforcement of the PDPA:

Following our previous coverage on this topic – PDPC notification on security standards for personal data controllers exempted from PDPA, the PDPC conducted a public hearing to gather input and evaluate the imposition of obligations on data controllers exempted from the PDPA. The official version of the notification has been published, and its provisions are identical to those previously discussed. For more details, please refer to our earlier article on the PDPC notification on security standards for personal data controllers exempted from the PDPA in the link above.


PDPC Notification Concerning the Appropriate Security Measures to Protect the Rights and Freedom of the Data Subject in the Processing of Personal Data for Purposes Relating to the Preparation of the Historical Document or the Archives for Public Interest:

Section 24 (1) of the PDPA exempts certain data controllers from obtaining prior consent from data subjects when collecting, using, or disclosing personal data for the preparation of historical documents or archives for public interest purposes. However, these data controllers are still obligated to implement specific security measures to safeguard the personal data of individuals. The following summary outlines the key security measures:

  1. Implementation of Organizational, Technical, and Physical Safeguards: Data controllers must establish and maintain appropriate organizational, technical, and physical safeguards to ensure that personal data processing is limited to purposes directly connected to the preparation of historical documents or archives for public interest.
  2. Suitable Security Measures: Data controllers must implement security measures that effectively prevent unauthorized or unlawful loss, access, use, alteration, correction, or disclosure of personal data, in accordance with Section 37 (1) of the PDPA.

Additionally, data controllers may consider pseudonymization or encryption of personal data, where applicable, to minimize the risk of exposure. However, such additional safeguards should not compromise the intended purposes of preparing historical documents or archiving and must be assessed based on the specific contexts of personal data processing and the associated risks involved.

Conclusion:

The introduction of these subordinate regulations by the PDPC highlights its commitment to enhancing personal data security measures in Thailand. By providing guidance on security standards and appropriate measures, these regulations reinforce the enforcement of the PDPA and safeguard the rights and freedoms of individuals with regard to their personal data. It is crucial for organizations to understand the nature of their personal data processing activities and undertake a case-by-case interpretation and consideration to ensure compliance with these regulations. As Thailand continues to prioritize data protection, these measures lay a strong foundation for fostering a culture of responsible and secure handling of personal data in the country.

Author: Panisa Suwanmatajarn, Managing Partner.


Data Protection Officer: Guidelines and Assistance for Designation

Introduction:

This article provides an overview of the obligations and requirements surrounding the designation of a Data Protection Officer (DPO) in accordance with the Personal Data Protection Act B.E. 2562 (2019) (PDPA) B.E. 2566 (2023). It also outlines the consequences of failing to designate the DPO and offers assistance in evaluating the necessity of designating the DPO, selecting a suitable candidate, and fulfilling the DPO’s obligations and responsibilities.

Appointment and Notification of the Data Protection Officer:

The Personal Data Protection Committee (PDPC) has recently published a Notification on the Appointment of the Data Protection Officer, which came into force on December 13, 2023. This Notification, in conjunction with Section 41 of the PDPA, requires certain data controllers and processors to designate the DPO. In addition to designating the DPO, data controllers and processors who are required to do so must also provide the DPO’s information, including contact details, to both the data subjects and the office of the PDPC.

Guidance and Support:

To assist data controllers and processors in understanding their obligations regarding the DPO designation and the submission of the DPO’s information, the PDPC has issued a form for submitting the DPO’s information to their office. This form requires various details, such as the general information of the data controller or processor, the name and contact information of the DPO, and more. The PDPC has also provided a checklist to determine whether the designation of a DPO is necessary.

Importance of Compliance:

It is crucial for data controllers and processors to carefully assess whether they are required to designate the DPO, as failure to do so may result in administrative liability, including fines of up to one million Baht.

Assistance Offered:

Navigating the intricacies of determining the need for a DPO can prove daunting, particularly for individuals without a legal background who may encounter difficulties interpreting relevant laws. To address this challenge, our services extend to evaluating the necessity of appointing the DPO, offering guidance on selecting an appropriate candidate, and providing advice on the extensive obligations and responsibilities associated with the role. Furthermore, we offer support in the submission of the DPO’s pertinent information to the office of the PDPC.

Conclusion:

Compliance with the PDPA’s requirements regarding the DPO designation is essential for data controllers and processors. By understanding their obligations and seeking appropriate assistance, organizations can ensure they meet their legal responsibilities while protecting the personal data of individuals.

Author: Panisa Suwanmatajarn, Managing Partner.


PDPC Notification on Criteria for Protection of Personal Data Sends or Transfers to a Foreign Country According to Section 28 of the PDPA

The Office of the Personal Data Protection Commission (“PDPC”) conducted a public hearing on the draft PDPC Notification on the Criteria for Protection of Personal Data Sends or Transfers to a Foreign Country According to Section 28 of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) (“Notification”). The public hearing was conducted from 27 October 2023 to 10 November 2023.

Section 28 of the PDPA prescribes a condition under which the data controller may transfer personal data across borders: the destination country or international organization must be deemed to have an adequate personal data protection standard. Otherwise, other exemptions would have to be relied upon (e.g., consent from the data subject). In this regard, the Notification aims to set out the criteria by which the PDPC may deem a country or international organization to have an adequate personal data protection standard.

Article 5 of the Notification prescribes that the determination of adequate personal data protection standards shall be based on:

  1. Whether the destination country or international organization has a legal protection mechanism equivalent to or higher than those prescribed under Thai law, specifically with regard to the data controller’s obligations, personal data protection mechanisms, the enforcement of the data subject’s rights, and effective remedial measures.
  2. Whether there is an agency or organization with the duty and power to enforce the personal data protection laws in the destination country or international organization, provided that such shall not be lower than that of Thailand.

Additionally, the Notification prescribes that data controllers may ask the PDPC to determine whether a destination country or international organization has an adequate level of personal data protection, or that the PDPC may gather the information itself. The publication of a list of countries the PDPC deems to have adequate personal data protection (otherwise known as whitelist countries) will be closely monitored and updated.

Author: Panisa Suwanmatajarn, Managing Partner.
