On December 25, 2023, Thailand’s Personal Data Protection Committee (PDPC) issued two notifications under sections 28 and 29 of the Personal Data Protection Act 2019 (PDPA) that address essential aspects and criteria for the cross-border transfer of personal data. These notifications are scheduled to come into effect on March 24, 2024.
Key points in the notifications are outlined below.
Adequate Data Protection Standards (Section 28)
Unless otherwise provided by the PDPA, the destination country or international organization that receives the transferred personal data must have “adequate data protection standards,” as determined by the following factors:
- Legal measures and mechanisms. The destination country or international organization must have legal measures or mechanisms aligned with the personal data protection laws in Thailand. Specifically, the obligations of data controllers need to include providing appropriate security measures, implementing personal data protection measures that are suitable and that enable the exercise of data subjects’ rights, and establishing effective legal remedial measures.
- Regulatory authority. The presence of an agency or organization entrusted with the duties and authority to enforce laws and regulations related to personal data protection is also a critical factor.
In addition, this notification empowers the Office of the PDPC to refer cases, either independently identified or proposed by a data controller, to the PDPC for adjudication. The PDPC retains the discretion to make decisions on a case-by-case basis or to establish a list of destination countries or international organizations that it considers to have adequate data protection standards.
Binding Corporate Rules and Appropriate Safeguards (Section 29)
In the realm of global data exchange, two prominent mechanisms have emerged as key enablers of secure and compliant transfer of personal data:
- Binding corporate rules (BCRs). Implementation of BCRs involves enforcing an approved policy for safeguarding personal data transferred among affiliated businesses or within the same group of undertakings in order to jointly operate the business.
- Appropriate safeguards. Appropriate safeguards not only protect personal data but can also enforce the rights of data subjects and include effective legal remedial measures. These safeguards can take various forms, such as standard contractual clauses.
To be deemed effective mechanisms for cross-border data transfer, both BCRs and appropriate safeguards must do the following:
- Maintain legal effectiveness and enforceability across all parties involved, including juristic and natural persons, data processors, senders/transferors, and recipients of personal data, while complying with personal data protection laws and being binding upon the personnel, employees, staff, any other persons related to the senders/transferors, and recipients of the personal data;
- Recognize personal data protection, the rights of the data subject, and lodging of complaints in relation to the personal data that has been sent or transferred to a foreign country; and
- Provide personal data protection measures and security measures that comply with personal data protection laws and with the minimum standards prescribed by law, such as those described in the initial set of subordinate regulations enacted under the PDPA.
In the absence of a decision on adequate data protection standards or where there are no BCRs in place, cross-border transfer of personal data is permissible if appropriate safeguards are implemented. This implementation can take the form of any of the following:
- Standard contractual clauses (SCCs) that serve as foundational frameworks for establishing legal agreements, especially in the context of cross-border data transfers. In this regard, Thailand currently accepts two distinct SCC models, the Thai Model and the Overseas Model. The specific provisions and applications of each model—either of which can be adopted, as appropriate—are summarized in the table below.
- Certification of the implementation of the appropriate safeguards in accordance with recognized standards to be determined by the PDPC. These must include the personal data protection contents as prescribed in the notification.
- Statutes or agreements that are legally binding and enforceable between state agencies in Thailand and foreign state agencies that transfer personal data between each other.