Thailand’s Personal Data Protection Committee (PDPC) issued two subordinate regulations concerning cross-border transfers of personal data, as outlined in the Personal Data Protection Act (PDPA) of 2019.
These regulations were officially published in the Official Gazette on December 25, 2023. The regulations encompass Articles 28 and 29 of the PDPA and provide crucial aspects and criteria for cross-border personal data transfers. Effective March 24, 2024, the Whitelist Notice and the Binding Corporate Rules (BCR) and Appropriate Protection Notice have come into operation, broadening the options available to companies for lawful cross-border transfers of personal data outside Thailand as stipulated by the PDPA.
Binding corporate rules and appropriate safeguards notification
The Personal Data Protection Committee has issued a notification detailing the criteria for protecting personal data transmitted to foreign countries under Section 29 of the Personal Data Protection Act, B.E. 2562 (2019), B.E. 2566 (2023), known as the “BCRs and Appropriate Safeguards Notification.”
According to this notification, compliance with Binding Corporate Rules (BCR) involves implementing approved policies aimed at safeguarding personal data exchanged between affiliated businesses or within the same corporate group. Additionally, key requirements include the availability of legal remedies, such as standard contract clauses, certification of standards enforcement by criteria set forth by the PDPC, and binding agreements between Thai and foreign governmental institutions involved in personal data transfers.
BCR implementation entails the establishment of agreed-upon policies to protect personal data transferred within affiliated businesses or the same corporate entity for collaborative business activities.
Businesses are advised to assess their existing BCR, if any, and ascertain whether adjustments are needed to align with the requirements outlined in the BCR and appropriate safeguard notifications.
Furthermore, appropriate safeguards serve not only to protect personal data but also to uphold the rights of data subjects, including the provision of effective legal remedies. These safeguards can manifest in various forms, such as standard contract clauses.
Cross-border data transfer requirements
Key to facilitating cross-border data transfers under Article 28 of the PDPA is ensuring that the destination country or international organization receiving personal data from controllers and processors in Thailand maintains an adequate level of data protection. Section 5 of the Adequacy Notice outlines specific factors for assessing protection standards:
- Verification of whether the destination country or organization’s legal mechanisms align with Thailand’s personal data protection laws.
- Evaluation of the existence of a designated agency or organization tasked with enforcing data protection laws in the destination, ensuring active monitoring and enforcement.
- Confirmation of the availability of legal remedies for data owners within the destination country in case of data protection breaches.
The PDPC assesses the adequacy of data protection standards in the destination country or international organization. Under Article 28, Paragraph 3 of the PDPA, the PDPC office may address concerns raised by data controllers or independently gather pertinent information.
Furthermore, the Adequacy Notice stipulates that the PDPC may render decisions on a case-by-case basis or contemplate compiling a list of destination countries or international organizations deemed to uphold sufficient personal data protection standards.