On December 25, 2023, Thailand’s Personal Data Protection Committee (PDPC) issued two notifications under sections 28 and 29 of the Personal Data Protection Act 2019 (PDPA) that address essential aspects and criteria for the cross-border transfer of personal data. These notifications are scheduled to come into effect on March 24, 2024.

Key points in the notifications are outlined below.

Adequate Data Protection Standards (Section 28)

Unless otherwise provided by the PDPA, the destination country or international organization that receives the transferred personal data must have “adequate data protection standards,” as determined by the following factors:

  • Legal measures and mechanisms. The destination country or international organization must have legal measures or mechanisms aligned with the personal data protection laws in Thailand. Specifically, the obligations of data controllers need to include providing appropriate security measures, implementing personal data protection measures that are suitable and that enable the exercise of data subjects’ rights, and establishing effective legal remedial measures.
  • Regulatory authority. The presence of an agency or organization entrusted with the duties and authority to enforce laws and regulations related to personal data protection is also a critical factor.

In addition, this notification empowers the Office of the PDPC to refer cases, either independently identified or proposed by a data controller, to the PDPC for adjudication. The PDPC retains the discretion to make decisions on a case-by-case basis or to establish a list of destination countries or international organizations that it considers to have adequate data protection standards.

Binding Corporate Rules and Appropriate Safeguards (Section 29)

In the realm of global data exchange, two prominent mechanisms have emerged as key enablers of secure and compliant transfer of personal data:

  • Binding corporate rules (BCRs). Implementation of BCRs involves enforcing an approved policy for safeguarding personal data transferred among affiliated businesses or within the same group of undertakings in order to jointly operate the business.
  • Appropriate safeguards. Appropriate safeguards not only protect personal data but can also enforce the rights of data subjects and include effective legal remedial measures. These safeguards can take various forms, such as standard contractual clauses.

To be deemed effective mechanisms for cross-border data transfer, both BCRs and appropriate safeguards must do the following:

  • Maintain legal effectiveness and enforceability across all parties involved, including juristic and natural persons, data processors, senders/transferors, and recipients of personal data while complying with personal data protection laws and being binding upon the personnel, employees, staff, any other persons related to the senders/transferors, and recipients of the personal data;
  • Recognize personal data protection, the rights of the data subject, and lodging of complaints in relation to the personal data that has been sent or transferred to a foreign country; and
  • Provide personal data protection measures and security measures that comply with personal data protection laws and with the minimum standards prescribed by law, such as those described in the initial set of subordinate regulations enacted under the PDPA.

In the absence of a decision on adequate data protection standards or where there are no BCRs in place, cross-border transfer of personal data is permissible if appropriate safeguards are implemented. This implementation can take the form of any of the following:

  • Standard contractual clauses (SCCs) that serve as foundational frameworks for establishing legal agreements, especially in the context of cross-border data transfers. In this regard, Thailand currently accepts two distinct SCC models, the Thai Model and the Overseas Model. The specific provisions and applications of each model—either of which can be adopted, as appropriate—are summarized in the table below.
    Thai Model

    Contents and provisions of the SCCs must meet the following requirements:

      • Processing—including transfer—of personal data must comply with data protection laws.
      • The security measures of the sender/transferor and the recipient must meet the minimum requirements set by data protection laws.
      • There must be effective legal remedial measures for the data subjects.
      • If the recipient is a data controller, it must notify the sender/transferor of any data breach incident within 72 hours of becoming aware of the incident as far as is feasible, unless the incident does not have a risk of affecting individuals’ rights and freedoms.
      • If the recipient is a data processor, it must (1) process personal data strictly in accordance with the instructions of, or on behalf of, the sender/transferor; (2) notify the sender/transferor at the first opportunity when a data subject exercises his or her right, unless agreed otherwise; (3) return, delete, destroy, or anonymize the personal data by using appropriate methods and notify the sender/transferor in writing once completed; and (4) notify the sender/transferor of any data breach incident within 72 hours upon becoming aware of the incident as far as is feasible.

    Overseas Model

    One of the following models can be adopted:

      • ASEAN Model Contractual Clauses for Cross Border Data Flows;
      • Standard Contractual Clauses for the Transfer of Personal Data to Third Countries issued under Article 46(1), Article 46(2)(c), and Article 28(7) of Regulation (EU) 2016/679 of the European Union or the General Data Protection Regulation (GDPR); or
      • SCCs of other agencies or international organizations as prescribed by the PDPC.

    The selected contractual clauses must include contents regarding personal data protection as prescribed by the PDPC (for example, on security measures for the sending or transferring of personal data, effective legal remedial measures, law enforcement, liability stipulations on the unlawful sending or transfer of personal data, etc.).


  • Certification of the implementation of the appropriate safeguards in accordance with recognized standards to be determined by the PDPC. These must include the personal data protection contents as prescribed in the notification.
  • Statutes or agreements that are legally binding and enforceable between state agencies in Thailand and foreign state agencies that transfer personal data between each other.