-
Articles
Personal Data Protection Update: recent developments, sub-regulations, guidelines, and official plan under the Thai PDPA
This newsletter will review the recent updates to and developments in legislation and regulations under the Personal Data Protection Act (PDPA), as well as the notable administrative measures taken by the Personal Data Protection Committee (PDPC) during the last few months:
- PDPC Notifications Governing Cross-Border Personal Data Transfers
In December 2023, the PDPC published two sub-regulations governing cross-border transfers of personal data, relating to Section 28 (adequate protection standards, whitelisted countries) and Section 29 (Binding Corporate Rules, Appropriate Safeguards, Standard Contractual Clauses) of the PDPA; the sub-regulations came into effect in March 2024.
In connection with these new sub-regulations, the PDPC published recommended model agreements that align with both the ASEAN Model Contractual Clauses (ASEAN MCC) and the EU’s General Data Protection Regulation (GDPR) Standard Contractual Clauses (EU GDPR SCC). Data controllers engaging in international data transfers are encouraged to use these templates to ensure compliance with international personal data protection standards.
Notification (under Section 28) (TH): 7703-ประกาศคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล-เรื่อง-หลักเกณฑ์การให้ความคุ้มครองข้อมูลส่วนบุคคลที่ส่งหรือโอนไปยังต่างประเทศตามมาตรา-๒๘-แห่งพระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล-พ-ศ--๒๕๖๒-พ-ศ--๒๕๖๖ (mdes.go.th)
Notification (under Section 29) (TH): 7704-ประกาศคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล-เรื่อง-หลักเกณฑ์การให้ความคุ้มครองข้อมูลส่วนบุคคลที่ส่งหรือโอนไปยังต่างประเทศตามมาตรา-๒๙-แห่งพระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล-พ-ศ--๒๕๖๒-พ-ศ--๒๕๖๖ (mdes.go.th)
Recommended Cross-Border Data Transfer Agreements (Thai): https://www.pdpc.or.th/5188/ - PDPC Notification Regarding Criminal Records
In connection with the provision of sensitive data under Section 26 of the PDPA, the collection, use, or disclosure of a criminal record will be permitted only when mandated by law for purposes of carrying out a criminal record investigation or when the data subject has granted explicit consent to the purposes specified in the Notification, for example, for employment or for granting certain licenses. This Notification was published in January 2024 and came into effect in April 2024.
Notification (TH): 7725-ประกาศคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล-เรื่อง-หลักเกณฑ์เกี่ยวกับมาตรการคุ้มครองสำหรับการเก็บรวบรวมข้อมูลส่วนบุคคลเกี่ยวกับประวัติอาชญากรรมที่มิได้กระทำภายใต้การควบคุมของหน่วยงานที่มีอำนาจหน้าที่ตามกฎหมาย-พ-ศ--๒๕๖๖ (mdes.go.th) - PDPC Notification on Criteria for Erasing, Destroying, or Anonymizing Personal Data
Pursuant to Section 33 of the PDPA, data subjects have the right to request that data controllers erase or destroy the data subjects’ personal data, or anonymize the personal data so it becomes anonymous data that cannot identify the data subject. In August 2024, the PDPC issued a notification that provides criteria, technological standards, timeframes, and tracking status with which data controllers must comply when dealing with a request for erasure, destruction, or anonymization. This Notification was published in August 2024 and will come into effect this November.
Notification (TH): 8511-ประกาศคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล-เรื่อง-หลักเกณฑ์ในการลบหรือทำลาย-หรือทำให้ข้อมูลส่วนบุคคลเป็นข้อมูลที่ไม่สามารถระบุตัวบุคคลที่เป็นเจ้าของข้อมูลส่วนบุคคลได้-พ-ศ--๒๕๖๗ (mdes.go.th) - PDPC Issues First Administrative Penalty
In a major enforcement milestone, the PDPC issued its first administrative penalty for non-compliance with the PDPA. A private sector entity was fined 7 million Baht in connection with a personal data breach. The penalty demonstrates that the PDPC is taking a strict approach to data breaches and non-compliance, and marks the beginning of more active enforcement of Thailand’s data protection laws. For more details about the administrative penalty, please see our recent newsletter, linked below.
Personal Data Protection Update – PDPC Issues First Administrative Penalty Under PDPA, Imposes 7M Baht Administrative Fines for Non-Compliance with Personal Data Protection Act | Publications | Knowledge | Nishimura & Asahi - New Complaint Submission Platform Launched
The PDPC has launched an enhanced online platform where individuals can submit complaints related to personal data breaches and malpractice, to assist data subjects in addition to other available channels. This user-friendly website creates a more streamlined process for individuals seeking to hold data controllers accountable for data privacy violations.
PDPC Link (Thai): https://complaint.pdpc.or.th/
Manual (Thai): https://www.pdpc.or.th/3424/ - Master Plan for Promotion and Protection of Personal Data (2024-2027)
The PDPC aims to comply with the Government’s 20-year national strategic master plan regarding technology growth, economic growth, and national cyber security. From 2024 – 2027, the PDPC plans to set three-phase objectives; the first phase (to be completed in one year) is to increase the enforceability of the PDPA, raise awareness, and improve national and organizational audit systems. The second phase (to be completed over 2 years) will focus on collaboration with the public, improving protection of rights, improving systems and guidelines with the targeted market, and improving national capabilities relating to data privacy. In the third phase (to be completed in 4 years) Thailand seeks to be a leading country in this area, to join international collaborations, and to improve standards to reach international personal data protection levels.
Plan (TH): 8171-ประกาศคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล-เรื่อง-แผนแม่บทการส่งเสริมและการคุ้มครองข้อมูลส่วนบุคคลของประเทศ-พ-ศ--๒๕๖๗---๒๕๗๐ (mdes.go.th)
During the first quarter of 2025, our Bangkok office plans to hold a public seminar on notable updates to and developments in personal data protection; please stay tuned for more information, and we hope you will join us for this important event!
This article is intended merely to provide a regulatory overview; it is not intended to be comprehensive, and does not constitute legal advice. Should you have any questions on this or related matters, please do not hesitate to contact our Personal Data Protection team at pdpa_bkk@eml.nishimura.com. We would be pleased to assist you.
Pavinee is a leading expert in intellectual property (IP) law. She joined the Intellectual Property Practice Group of SCL Law Group (currently known as SCL Nishimura & Asahi) as an associate upon its formation in 2005. Prior to that, Pavinee was an in-house legal counsel at many companies where she gained extensive hands-on experience within general law practice, IP and e-commerce related matters. She also gained comprehensive knowledge of contracts and telecommunications working with government agencies while she was an in-house legal counsel. Pavinee was a guest lecturer and speaker on IP and information law at various forums. Currently, Pavinee routinely advises major clients on matters relating to trademark and patent registrations, copyright recordation, license agreements, as well as trademark, patent and copyright infringement. Versatile and keen, she also assists with overseas trademark and patent registration applications and acts as counsel providing expert guidance to clients throughout IP enforcement process and litigation proceedings. She has been consistently consulted with on cases involving electronic trade and commerce, domain name registrations and personal data and privacy protection. Representing numerous international and domestic organizations in both public and private organizations, Pavinee takes advantage of a refined understanding of IP prosecutions and commercial risk to deliver to the clients borderless and practical legal advice based upon reliable and comprehensive understanding of the laws, regulations and best practices in Thailand. With her comprehensive knowledge and extensive experience, she is well-equipped to meet the clients’ diverse needs whereby she tailors her legal service and professional advice to suit the particular needs of each client.