Draft Notification regarding Cross-Border Transfer of Personal Data

In continuance of its duty to issue relevant sub-regulations to supplement the Personal Data Protection Act B.E. 2562 (2019) (the “PDPA”), the Office of the Personal Data Protection Committee (the “PDPC”) opened a public hearing for the “Draft Notification of the PDPC on Rules and Principles of Appropriate Personal Data Protection Policy for Cross-Border Transfer” (“Draft Notification”) from 29 September 2022 to 24 October 2022.

As certain clarifications in this Draft Notification may be helpful in comprehending the concept of cross-border transfer under the PDPA, we have summarised the essential parts below.

The Draft Notification provides definitions of some of the key terms, as follows:

  • “Affiliated Undertakings or Affiliated Businesses” means undertakings in which the operator has control and management power over other undertakings, or which are controlled by the operator that has power over other undertakings in the form of a parent company, subsidiary, affiliate, natural persons or juristic persons who are legally or economically related under generally accepted accounting standards.
  • “Transfer of Personal Data” means to send or transfer personal data physically or remotely via a computer system or over the internet to the transferee of Personal Data. This does not include the transfer or receipt of data as an intermediary for transiting between company systems or over the internet, nor temporary or permanent data storage by the provider of a cloud computing service which the transferor or transferee of the Personal Data is not a controller of, is not related to, nor participates in selecting the Personal Data or its content to be transferred between the computer systems or over the internet for performing any juristic acts or agreements.
  • “Binding Corporate Rules” means the agreed terms or policy for the Personal Data protection as mutually agreed upon between the transferor and transferee of the Personal Data, in order to establish the appropriate safeguards for the Personal Data among Affiliated Undertakings or Affiliated Businesses.
  • “Standard Contractual Clause” means a contractual clause for the Personal Data protection that is mutually agreed upon by the transferor and transferee of the Personal Data, in order to establish the appropriate safeguards for the Personal Data by determining the obligations of the contractual parties and protection of the data subject’s rights.
  • “Code of Conduct” means a code set out to determine the obligations of the transferor and transferee regarding Personal Data in foreign countries.
  • “Certification” means certification of the standards of Personal Data protection to establish the appropriate safeguards for the Personal Data.

In this connection, please note that the transferor and transferee of the Personal Data, according to this Draft Notification, refer to the ‘Data Controller’ or ‘Data Processor’ who transfers the Personal Data to another Data Controller or Data Processor overseas, who receives such Personal Data for the purposes of collecting, using, disclosing or processing such Personal Data only.

The cross-border transfer of Personal Data among the Affiliated Undertakings or Affiliated Businesses may be performed if both the transferor and transferee of the Personal Data have prescribed and adhered to the Binding Corporate Rules for operating or undertaking business together, and such Binding Corporate Rules are reviewed and certified by the Office of the PDPC (Section 29, paragraph 1 of the PDPA). The criteria and methods for reviewing and certifying the Binding Corporate Rules for Affiliated Undertakings or Affiliated Businesses as set out by the PDPC are those specified under the PDPA and its sub-legislations as well as any other relevant announcements, by examining the content of the Binding Corporate Rules in order to prove that they meet, among others, the following minimum standards:

  • The Binding Corporate Rules must be in accordance with Thailand’s Personal Data protection law.
  • The legal effectiveness and enforceability of such Binding Corporate Rules must apply to the company, juristic person or person in the Affiliated Undertakings or Affiliated Businesses, including members, transmitters, processors, transferors or transferees of the Personal Data, as well as their employees, staff or any related person of the transferor and transferee.
  • The Binding Corporate Rules must contain clauses that recognise the rights of the data subject over the transferred Personal Data under the PDPA and its relevant sub-regulations.
  • The Binding Corporate Rules must have the Personal Data protection measures that cover people, processes and security measures which meet the technological standards under the criteria, procedures and notifications prescribed by the PDPC.

Furthermore, in accordance with Section 29, paragraph 3 of the PDPA, the transferor and transferee of Personal Data may transfer the Personal Data to foreign countries when appropriate safeguards have been taken in the form of Standard Contractual Clauses, Code of Conduct or Certification. Such appropriate safeguards must be able to enforce the rights of the data subject and provide efficient legal remedies, at least as set out in the examples for each scenario in the appendixes of the Draft Notification. The Draft Notification explains that the appropriate safeguards must also meet minimum standards, which are similar to those of the Binding Corporate Rules listed above. Once the Standard Contractual Clauses are made, the Data Controller and Data Processor are required to certify and submit them to the Office of the PDPC.

It is important to note that the appropriate safeguards the transferor and transferee arrange to have in accordance with the preceding paragraph shall have legal enforcement under Thai law, and must specify the rights of data subjects which can be enforced, as well as entitlements to remedy under Thai law. However, this condition does not apply in the case of the transfer of Personal Data between government agencies of Thailand and foreign countries. Regarding the transfer of Personal Data between government agencies of Thailand and foreign countries, the government agencies may establish an instrument which is legally binding and enforceable between government agencies of Thailand and foreign countries without the need to proceed in accordance with the first part of this paragraph. Moreover, the government agencies may consult with the PDPC or related government agencies on this matter.

Currently, there is an unofficial English translation of this Draft Notification (and its appendixes) prepared by a volunteer for the public hearing held from 29 September 2022 to 24 October 2022 (not by our lawyer). We would be happy to share such unofficial English translation with you, upon request.

Since this is merely the Draft Notification and not the final version of the notification, there may be variations to the Draft Notification when it is actually enforced. It can be anticipated that the PDPC will enforce this Draft Notification in due time.

This is intended merely to provide a regulatory overview and not to be comprehensive, nor to provide legal advice. Should you have any questions on this or on other areas of law, please do not hesitate to contact:

Chanakarn Boonyasith
Partner

Pimsiri Harnpanicharoen
Attorney-at-law

Authors

Chanakarn Boonyasith

Chanakarn has particular in-depth expertise in the practical side of the legislative system of labour & employment law and personal data protection law. For the Labour & Employment practice, she engages in both advisory work and litigation, as well as drafting and reviewing legal documents, negotiating settlements, interviewing employees (particularly those accused of wrongdoing), managing whistleblowing hotlines and processes, providing trainings and various types of employment law advice, and representing clients in numerous court cases and in hearings before the labour authorities. For the Personal Data Protection practice, she assists her clients through the entire process, from providing training, analysing how clients handle personal data transactions, summarising clients’ data flow, providing legal advice, and drafting necessary legal documents for her clients. Chanakarn’s strategy is to provide detailed, accurate advice and flexible solutions, adapted to meet her clients’ needs. She excels in simplifying complex matters and equipping her clients to make the right decisions. She receives consistently strong feedback from her clients regarding the quality of her work. She has been ranked for labour and employment practice in Chambers Asia Pacific 2022 and 2023.