Thailand Personal Data Protection Regulation Notifications on International Data Transfer

  • Legal Development 15 January 2024
  • Asia Pacific

  • Insurance

In this client update, we summarise recent data protection notifications and present the key takeaways. The notifications aim to clarify principles and standards of international data transfer specified in sections 28 and 29 of the Personal Data Protection Act 2019 (“PDPA”). Both Notifications will come into force on 24 March 2024.

Summary of key parts

  1. The Thailand Personal Data Protection Commission (“PDPC”) published two notifications on 12 December 2023, namely
    1. PDPC Notification re: Principles of Protection of Personal Data being Sent or Transferred Overseas Pursuant to Section 28 of the PDPA (“Notification under Section 28”); and
    2. PDPC Notification re: Principles of Protection of Personal Data being Sent or Transferred Overseas Pursuant to Section 29 of the PDPA (“Notification under Section 29”).
  2. “Transfer” is defined to include both physical and electronic transfer. However, it excludes data transit and data storage (such as cloud computing services) by which the transited or stored data is not accessible by any third party - other than the data controller or processor who transfers such data.
  3. Data controllers can only transfer personal data to a recipient based overseas if the destination country has adequate data protection measures. In this regard, the PDPC may issue a list of countries or international organisations which are recognised as having adequate data protection measures (“Adequacy Decision”) in the future.
  4. In the absence of the PDPC’s Adequacy Decision, data controllers may rely on the following mechanisms to transfer personal data to a recipient based overseas:
    1. Legal basis under Section 28 of the PDPA such as:
      1. performance of a legal obligation;
      2. performance of a contract on behalf of the data subject or as requested by the data subject;
      3. vital interest of the data subject or others; and
      4. performance of important public tasks.
    2. Binding Corporate Rules (“BCR”) for the transfer of personal data to entity(s) within the data controller’s group of companies. The BCR requires approval from the PDPC. Notification under Section 29 also describes the requirements for BCR compliance, such as enforceability, data subject’s rights, and security measures.
    3. Standard Contractual Clauses (“SCC”) for the transfer of personal data to entity(s) which may or may not belong to the data controller’s group of companies. The SCC does not require approval from the PDPC. However, the Notification under Section 29 specifies recognised model clauses that data controllers can adopt and the requirements for SCC compliance.
    4. Certification: details of the certification shall be elaborated by future PDPC notification(s).

Key Takeaways

  1. To ensure uninterrupted flow of data and compliance with the recent requirements, data controllers whose business requires international transfer of personal data are advised to ensure that their current practice(s) comply with the new requirements, which will take effect on 24 March 2024 - 90 days after the notifications were published in the Royal Gazette.
  2. It is also advisable to monitor the PDPC’s Adequacy Decision which will enable data controllers to transfer personal data to a recipient based overseas without the need to implement further mechanisms such as reliance on the legal basis, BCR, SCC, or certification. We will provide an update once the information becomes available.
