You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

July 31, 2023

Thailand Releases Draft Notification on Data Protection Officer Appointment

Subscribe to Updates

On July 13, 2023, Thailand’s Personal Data Protection Committee (PDPC) published a draft notification on the requirements for appointment of a data protection officer (DPO).

Under the Personal Data Protection Act B.E. 2562 (PDPA), data controllers or data processors must appoint a DPO if:

  • The data controller or data processor is a state agency as prescribed by the PDPC (the list of state agencies was published in the Government Gazette on July 18, 2023);
  • The activities of the data controller or data processor in relation to the processing of the personal data require “regular monitoring of the personal data or the system,” by reason of “having large-scale personal data” as prescribed by the PDPC; or
  • The core activity of the data controller or data processor is related to the processing of special categories of personal data (e.g., health-related data, biometric data, etc.).

The draft notification’s criteria for determining whether a processing activity (1) requires regular monitoring of the personal data or the system, and (2) involves large-scale personal data are outlined below.

General Principles

When determining whether processing of personal data requires regular monitoring due to having large-scale personal data, it is likely that only the “core activity” of the data controller or data processor is to be taken into consideration. The term “core activity” denotes an essential and integral activity directly related to the primary operations of the data controller or data processor and does not include any supplementary business activities.

Regular Monitoring of Personal Data or Systems

According to the draft notification, activities related to processing personal data require regular monitoring of the personal data or the system if:

  • The core part of the data controller’s or data processor’s activities consists of tracking, monitoring, analyzing, or predicting the behavior, attitude, or profile of individuals; and
  • These activities generally involve the processing of personal data in a systemic manner on a usual or regular basis.

Examples of processing activities that require regular monitoring of the personal data or the system include:

  • Processing activities relating to membership cards, public transportation cards, electronic cards, or any other similar cards in which the card issuer or any other person can review card usage data;
  • Regular or routine processing activities involving verification of the status, history, or characteristics of customers or service recipients to assess various related risks before entering into a contract or providing services of the same nature, such as credit scoring, insurance premium evaluation, and fraud prevention, but not including operations with data from credit bureau companies and their members pursuant to Thailand’s laws concerning credit information business;
  • Processing of personal data for purposes of behavioral advertising;
  • Processing of customers’ or service users’ personal data by computer network system service providers or telecommunications operators; and
  • Processing of personal data for surveillance and security purposes.

Large-Scale Personal Data

When determining whether the core activities of a data controller or data processor constitute the large-scale processing of personal data, the following factors must be considered:

  • The number or proportion of data subjects whose personal data is processed, compared to the total number of potential data subjects;
  • The volume, type, or nature of personal data processed;
  • The duration or permanence of the processing of personal data for the purpose of carrying out the core activities of the data controller or data processor; and
  • The territorial scope or geographical area in connection with the processing activities.

Examples of the processing of large-scale personal data include:

  • Activities for the purpose of behavioral advertising, performed through search engines, or relating to social media with a wide range of users;
  • Processing of customers’ or service recipients’ personal data by life insurance companies, non-life insurance companies, or financial institutions pursuant to the respective law, but not including the handling of data by credit bureau companies and their members pursuant to the laws concerning credit information business operations; or
  • Processing of customers’ or service recipients’ personal data by a licensee holding a type 3 license under the Telecommunication Business Act B.E. 2544 (2001).

In addition, the business standards and relevant risks affecting the rights and freedom of the data subjects will also be taken into consideration.

Other Requirements for DPOs

DPOs may undertake other duties or tasks, provided that the data controller or data processor certifies with the Office of the PDPC that these duties do not conflict with or violate the legal obligations outlined in the PDPA, which is similar to the current requirement under Section 42 of the PDPA.

For more information on these DPO appointment requirements, or on any aspect of compliance with Thailand’s data protection regulations, please contact Tilleke & Gibbins’ data privacy team at [email protected], [email protected], [email protected], or [email protected].

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

July 24, 2024

Practical Law: Intellectual Property Transactions in Vietnam 2024

Experts from Tilleke & Gibbins’ intellectual property team have contributed an updated Intellectual Property Transactions in Vietnam to Thomson Reuters Practical Law, a high-level comparative overview of  laws and regulations across multiple jurisdictions. Intellectual Property Transactions focuses on business-related aspects of intellectual property, such as the value of intellectual assets in M&A transactions, and the licensing of IP portfolios. Key topics covered in the chapter include: IP assignment: Basis and formalities for assignments of patents, utility models, trademarks, copyright, design rights, trade secrets, confidential information, and domain names. IP licensing: Scope and formalities for licensing patents, utility models, trademarks, copyright, design rights, and trade secrets. Research and development collaborations. IP audits. IP aspects of M&A: Due diligence, warranties/indemnities, and transfer of IPRs. Employee and consultant agreements. Practical Law, a legal reference resource from Thomson Reuters, publishes a range of guides for hundreds of jurisdictions and practice areas. The Intellectual Property Transactions Global Guide is a valuable resource for legal practitioners, covering numerous jurisdictions worldwide. To view the latest version of the Intellectual Property Transactions in Vietnam overview, please visit the Practical Law website and enroll in the free Practical Law trial to gain full access.
Read More
July 24, 2024

Practical Law: Intellectual Property Transactions in Thailand 2024

Intellectual property specialists from Tilleke & Gibbins in Thailand have contributed an updated Intellectual Property Transactions in Thailand overview for Thomson Reuters Practical Law, an online publication that provides comprehensive legal guides for jurisdictions worldwide. The Thailand overview was authored by Darani Vachanavuttivong, managing partner of Tilleke & Gibbins and managing director of the firm’s regional IP practice; Titikaan Ungbhakorn, senior associate and patent agent; and San Chaithiraphant, senior associate. The chapter delivers a high-level examination of critical aspects of IP law, including IP assignment and licensing, research and development collaborations, IP in mergers and acquisitions (M&A), securing loans with intellectual property rights, settlement agreements, employee-related IP issues, competition law, taxation, and non-tariff trade barriers. Key topics covered in the chapter include: IP assignment: Basis and formalities for assignments of patents, utility models, trademarks, copyright, design rights, trade secrets, confidential information, and domain names. IP licensing: Scope and formalities for licensing patents, utility models, trademarks, copyright, design rights, and trade secrets. Research and development collaborations: Management of improvements, derivatives, and joint ownership of IP. IP aspects of M&A: Due diligence and critical considerations during mergers and acquisitions. Practical Law, a legal reference resource from Thomson Reuters, publishes a range of guides for hundreds of jurisdictions and practice areas. The Intellectual Property Transactions Global Guide is a valuable resource for legal practitioners, covering numerous jurisdictions worldwide. To view the latest version of the Intellectual Property Transactions in Thailand overview, please visit the Practical Law website and enroll in the free Practical Law trial to gain full access.
Read More
July 24, 2024

Acted for Nordic Transport Group in its Acquisition of Freightzen Logistics

Acted as lead counsel for Nordic Transport Group A/S (NTG), an international freight forwarding company based in Denmark, in its acquisition of a stake in Asia-based Freightzen Logistics Ltd., Inc. through a newly established subsidiary, NTG APAC Holding Pte. Ltd.
Read More
July 23, 2024

Tilleke & Gibbins Lawyers Recognized in Who’s Who Legal Southeast Asia Guide 2024

In the Who’s Who Legal (WWL) Southeast Asia guide for 2024, a total of 12 Tilleke & Gibbins lawyers have been distinguished as market leaders in various legal practice areas. The firm’s 12 recognized lawyers, singled out for their commitment to delivering exceptional legal services to Tilleke & Gibbins’ clients, are grouped into seven practice areas: Asset Recovery: Thawat Damsa-ard Data: Alan Adcock, Athistha (Nop) Chitranukroh Franchise: Alan Adcock, Jay Cohen Intellectual Property: Alan Adcock (Patents, Trademarks), Darani Vachanavuttivong (Patents, Trademarks), Kasama Sriwatanakul (Trademarks), Linh Thi Mai Nguyen (Trademarks), Somboon Earterasarun (Trademarks), Wongrat Ratanaprayul (Patents) Investigations: John Frangos and Thawat Damsa-ard Labor, Employment, and Benefits: Pimvimol (June) Vipamaneerut Life Sciences: Alan Adcock, Loc Xuan Le The annual WWL Southeast Asia rankings guide, published by the London-based group Law Business Research, aims to identify the foremost legal practitioners across a range of business law practice areas. The rankings are largely based on feedback and nominations received from other WWL-ranked and nominated attorneys around the world. These peer-driven recognitions highlight Tilleke & Gibbins’ dedication to maintaining the highest standards of legal service and helping clients achieve success. To read more about the WWL Southeast Asia guide, or to browse the full results, please visit the WWL website.
Read More
Load More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2023 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Legal Notice