Personal Data Protection Laws Update: Thailand’s New sub regulation on the designation of the Data Protection Officer under Section 41 (2) of Personal Data Protection Act B.E. 2562 (2019), B.E. 2566 (2023)

On 14 September 2023, the Government Gazette published the Personal Data Protection Committee (PDPC) Notification on the designation of the Data Protection Officer under Section 41 (2) of Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), B.E. 2566 (2023) (the “Notification”). This Notification shall be in force after 90 days from its publication date (by 13 December 2023).

The requirement to designate a Data Protection Officer

As the name suggested, this Notification is issued under Section 41 (2) of the PDPA which requires data controllers or data processors to designate their Data Protection Officer if their core activities involve collection, use, or disclosure of personal data which (1) requires regular or systematic monitoring of personal data and system, and (2) relates to a large scale personal data(Article 4). A Data Protection Officer under this Notification shall have the obligations and duties as stipulated under Section 42 of the PDPA, e.g.: to advise the data controller or the data processor, with respect to compliance with the PDPA; to investigate the performance of the data controller or the data processor for compliance with the PDPA; to coordinate and cooperate with the PDPC Office, etc.

Core activities involve collection, use, or disclosure of personal data which requires regular or systematic monitoring of personal data and system

This Notification defines core activities as ‘the required and necessary operations aimed for the main objective in carrying out tasks or missions of a data controller or a data processor’. For example, processing a customer’s personal data to provide services and to record services received by a customer is necessary for a delivery service. Another example provided is a disclosure of CCTV data is necessary for a security service. This Notification further provides that the activities of data controllers or data processors which part of their core activities are tracking, monitoring, analyzing, and predicting of personal behavior, opinion, or characteristic generally by collecting, using, or disclosing personal data on systematic and regular basis shall be deemed as activities required regular monitoring of personal data and system. These include the following activities:

• Collecting, using, or disclosing personal data relating to a membership card, public transport card, electronic card, or any related cards, all of which a card service provider or any person may check a card activity (Article 5 paragraph 2 (1));
• Regularly or systematically collecting, using, or disclosing a customer’s personal data in relation to credit scoring, insurance premium quotation, fraud prevention, or any risk assessment of a customer’s profile before entering into an agreement or into a service (Article 5 paragraph 2 (2));
• Collecting, using, or disclosing personal data for the purpose of behavioral advertising (Article 5 paragraph 2 (3));
• Collecting, using, or disclosing a customer’s personal data carried out by a computer network service provider or a telecommunication operator (Article 5 paragraph 2 (4));
• Collecting, using, or disclosing personal data for the purpose of surveillance or security (Article 5 paragraph 2 (5));
• Other activities as prescribed by the PDPC (Article 5 paragraph 2 (6)).

A large scale of personal data 

Apart from the first requirement, the number of personal data involving must also be on a large scale. This Notification provides the criteria to determine whether personal data is on a large scale, as follows (Article 6 paragraph 1):

• Number of a data subject, or ratio of a data subject in which personal data may be collected, used, or disclosed compared to all possible data subjects;
• Volume, type, or characteristic of a collected, used, or disclosed personal data;
• Duration, permanence of processing of personal data for the core activities’ benefit of a data controller or a data processor;
• Landscape of the usage of personal data, area, or number of countries related to the processing.

Furthermore, the Notification also specifically rules that processing of personal data under the following criteria shall be deemed as a large scale (Article 6 paragraph 2):

• Involving of more than 100,000 data subjects;
• For the purpose of behavioral advertising via search engine or social media;
• Carried out by an insurance company under life or non-line insurance laws; 
• Carried out by a type 3 telecommunication licensee;
• Other criteria as prescribed by the PDPC.

In conclusion (and at this time of this writing), not all data controllers or data processors is required to designate their data protection officer but only the specified data controllers or data processors under Section 41 of the PDPA, namely, (1) data controller or data processor who is a listed public authority; (2) data controller or data processor under this Notification; and (3) data controller or data processor which their core activities involving a processing of sensitive data. That being said, a data controller or a data processor falling under the specified categories (e.g., digital services, insurance company, telecommunication services, security services, electronic card services, user behavioral monitoring/analysis services) should take proactive steps to designate a data protection officer to ensure compliance with the new regulations before the enforcement date on 13 December 2023. However, if your data protection officer is also responsible for other duties/activities, data controller or data processor shall also certify with PDPC that such duties or activities is not contrary to or contradict with the duties of data protection officer under the PDPA. Please note.

This is intended merely to provide a regulatory overview and not to be comprehensive, nor to provide legal advice. Should you have any questions on this matter, please do not hesitate to contact our Personal Data Protection team at pdpa_bkk@eml.nishimura.com, and our team would be pleased to assist.

Reference

The Personal Data Protection Committee Notification on the designation of the Data Protection Officer under Section 41 (2) of Personal Data Protection Act B.E. 2562 (2019), B.E. 2566 (2023) (Thai): mdes.go.th/law/detail/7337-ประกาศคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล-เรื่อง-การจัดให้มีเจ้าหน้าที่คุ้มครองข้อมูลส่วนบุคคลตามมาตรา-๔๑--๒--แห่งพระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล-พ-ศ--๒๕๖๒-พ-ศ--๒๕๖๖

Authors