On September 14, 2023, Thailand’s Personal Data Protection Committee (PDPC) published a notification on the requirements for the appointment of a data protection officer (DPO) in the Government Gazette, taking effect on December 13, 2023.
The notification on appointing a DPO lays out the criteria for what constitutes processing of personal data requiring “regular monitoring of the personal data or the system” by reason of “having large-scale personal data,” which requires data controllers and data processors to appoint a DPO under the Personal Data Protection Act B.E. 2562 (PDPA).
After a hearing on the draft DPO appointment notification in July, the published version has been slightly amended while the main criteria for appointment of a DPO are still the same. These have been finalized as follows:
- When determining whether processing of personal data requires regular monitoring due to having large-scale personal data, only the “core activity” of the data controller or data processor is to be taken into consideration. The term “core activity” denotes an essential and integral activity directly related to the primary operations of the data controller or data processor and does not include any supplementary business activities (e.g., human resources and information technology activities).
- “Processing activities that require regular monitoring of personal data” refers to activities relating to tracking, monitoring, analyzing, or predicting the behavior, attitude, or profile of individuals, and generally involves the processing of personal data in a systemic manner on a usual or regular basis. Examples include membership card programs, credit scoring, insurance premium consideration, fraud prevention, processing of personal data by computer network system service providers or telecommunications operators, behavioral advertising, and so on.
- To determine whether processing activities constitute “large-scale processing of personal data,” various factors are considered:
- Volume, type, or nature of personal data processed;
- Duration or permanence of the processing of personal data;
- Number or proportion of data subjects whose personal data is processed, compared to the total number of potential data subjects; and
- Scope or areas of the processing of the personal data.
- This version of the notification specifies that processing personal data of 100,000 data subjects or more is considered “large-scale processing of personal data.”
If the processing of personal data in core activities meets the criteria in (b) and (c) above, the data controller or data processor must appoint a DPO to handle personal data protection-related matters.
The DPO appointment notification also emphasizes that the DPO can carry out other duties if the data controller or data processor warrants that these duties do not conflict with the DPO duties prescribed in the PDPA.
For more information on these DPO appointment requirements and other personal data protection issues, please contact Tilleke & Gibbins’ regional data privacy team at firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, or email@example.com.