Personal Data Protection Update: recent developments, sub-regulations, guidelines, and official plan under the Thai PDPA

This newsletter will review the recent updates to and developments in legislation and regulations under the Personal Data Protection Act (PDPA), as well as the notable administrative measures taken by the Personal Data Protection Committee (PDPC) during the last few months: 

• PDPC Notifications Governing Cross-Border Personal Data Transfers
  
  In December 2023, the PDPC published two sub-regulations governing cross-border transfers of personal data, relating to Section 28 (adequate protection standards, whitelisted countries) and Section 29 (Binding Corporate Rules, Appropriate Safeguards, Standard Contractual Clauses) of the PDPA; the sub-regulations came into effect in March 2024.
  
  In connection with these new sub-regulations, the PDPC published recommended model agreements that align with both the ASEAN Model Contractual Clauses (ASEAN MCC) and the EU’s General Data Protection Regulation (GDPR) Standard Contractual Clauses (EU GDPR SCC). Data controllers engaging in international data transfers are encouraged to use these templates to ensure compliance with international personal data protection standards.
  
  Notification (under Section 28) (TH): 7703-ประกาศคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล-เรื่อง-หลักเกณฑ์การให้ความคุ้มครองข้อมูลส่วนบุคคลที่ส่งหรือโอนไปยังต่างประเทศตามมาตรา-๒๘-แห่งพระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล-พ-ศ--๒๕๖๒-พ-ศ--๒๕๖๖ (mdes.go.th)
  Notification (under Section 29) (TH): 7704-ประกาศคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล-เรื่อง-หลักเกณฑ์การให้ความคุ้มครองข้อมูลส่วนบุคคลที่ส่งหรือโอนไปยังต่างประเทศตามมาตรา-๒๙-แห่งพระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล-พ-ศ--๒๕๖๒-พ-ศ--๒๕๖๖ (mdes.go.th)
  Recommended Cross-Border Data Transfer Agreements (Thai): https://www.pdpc.or.th/5188/ 
• PDPC Notification Regarding Criminal Records
  
  In connection with the provision of sensitive data under Section 26 of the PDPA, the collection, use, or disclosure of a criminal record will be permitted only when mandated by law for purposes of carrying out a criminal record investigation or when the data subject has granted explicit consent to the purposes specified in the Notification, for example, for employment or for granting certain licenses.  This Notification was published in January 2024 and came into effect in April 2024.
  
  Notification (TH): 7725-ประกาศคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล-เรื่อง-หลักเกณฑ์เกี่ยวกับมาตรการคุ้มครองสำหรับการเก็บรวบรวมข้อมูลส่วนบุคคลเกี่ยวกับประวัติอาชญากรรมที่มิได้กระทำภายใต้การควบคุมของหน่วยงานที่มีอำนาจหน้าที่ตามกฎหมาย-พ-ศ--๒๕๖๖ (mdes.go.th)
• PDPC Notification on Criteria for Erasing, Destroying, or Anonymizing Personal Data
  
  Pursuant to Section 33 of the PDPA, data subjects have the right to request that data controllers erase or destroy the data subjects’ personal data, or anonymize the personal data so it becomes anonymous data that cannot identify the data subject. In August 2024, the PDPC issued a notification that provides criteria, technological standards, timeframes, and tracking status with which data controllers must comply when dealing with a request for erasure, destruction, or anonymization. This Notification was published in August 2024 and will come into effect this November.
  
  Notification (TH): 8511-ประกาศคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล-เรื่อง-หลักเกณฑ์ในการลบหรือทำลาย-หรือทำให้ข้อมูลส่วนบุคคลเป็นข้อมูลที่ไม่สามารถระบุตัวบุคคลที่เป็นเจ้าของข้อมูลส่วนบุคคลได้-พ-ศ--๒๕๖๗ (mdes.go.th)
• PDPC Issues First Administrative Penalty
  
  In a major enforcement milestone, the PDPC issued its first administrative penalty for non-compliance with the PDPA. A private sector entity was fined 7 million Baht in connection with a personal data breach. The penalty demonstrates that the PDPC is taking a strict approach to data breaches and non-compliance, and marks the beginning of more active enforcement of Thailand’s data protection laws. For more details about the administrative penalty, please see our recent newsletter, linked below.
  
  Personal Data Protection Update – PDPC Issues First Administrative Penalty Under PDPA, Imposes 7M Baht Administrative Fines for Non-Compliance with Personal Data Protection Act | Publications | Knowledge | Nishimura & Asahi
• New Complaint Submission Platform Launched
  
  The PDPC has launched an enhanced online platform where individuals can submit complaints related to personal data breaches and malpractice, to assist data subjects in addition to other available channels. This user-friendly website creates a more streamlined process for individuals seeking to hold data controllers accountable for data privacy violations.
  
  PDPC Link (Thai): https://complaint.pdpc.or.th/ 
  Manual (Thai): https://www.pdpc.or.th/3424/
• Master Plan for Promotion and Protection of Personal Data (2024-2027)
  
  The PDPC aims to comply with the Government’s 20-year national strategic master plan regarding technology growth, economic growth, and national cyber security. From 2024 – 2027, the PDPC plans to set three-phase objectives; the first phase (to be completed in one year) is to increase the enforceability of the PDPA, raise awareness, and improve national and organizational audit systems. The second phase (to be completed over 2 years) will focus on collaboration with the public, improving protection of rights, improving systems and guidelines with the targeted market, and improving national capabilities relating to data privacy. In the third phase (to be completed in 4 years) Thailand seeks to be a leading country in this area, to join international collaborations, and to improve standards to reach international personal data protection levels.
  
  Plan (TH): 8171-ประกาศคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล-เรื่อง-แผนแม่บทการส่งเสริมและการคุ้มครองข้อมูลส่วนบุคคลของประเทศ-พ-ศ--๒๕๖๗---๒๕๗๐ (mdes.go.th)

During the first quarter of 2025, our Bangkok office plans to hold a public seminar on notable updates to and developments in personal data protection; please stay tuned for more information, and we hope you will join us for this important event!

This article is intended merely to provide a regulatory overview; it is not intended to be comprehensive, and does not constitute legal advice. Should you have any questions on this or related matters, please do not hesitate to contact our Personal Data Protection team at pdpa_bkk@eml.nishimura.com. We would be pleased to assist you.
 

Authors