Thailand’s Office of the Personal Data Protection Committee (PDPC) has opened a public hearing period on its draft notification regarding cross-border transfer of personal data. The public hearing is open through October 24. The notification, once issued, will supplement the principle of cross-border transfer of personal data outside of Thailand set out in the Personal Data Protection Act (PDPA).

The notification sets out the following key matters:

Definitions

• “Transfer of personal data” means any sending or transferring of personal data by a transferor of personal data, either by way of a physical transfer or a remote transfer through a computer system or an internet network to the recipient of the personal data. It does not include sending personal data through an intermediary by transiting between computer systems or internet networks, or any storing or retaining of personal data, either permanently or temporarily, by a cloud computing service provider, whereby the personal data transferor and the personal data recipient (1) are not making the order, (2) are not involved with any data selection or the content of the personal data sent and received through the computer systems or internet networks, or (3) have the purpose of entering into an agreement or any juristic act.
• “Binding corporate rules” means the agreed terms or policy on personal data protection made between the personal data transferor and the personal data recipient to establish appropriate measures for safeguarding personal data within a group of corporations or companies.
• “Standard contractual clauses” means the contractual terms made between the personal data transferor and the personal data recipient to establish appropriate measures for safeguarding personal data.
• “Code of conduct” means a code that sets out the obligations of a personal data transferor and a personal data recipient outside of Thailand.
• “Certification” means an undertaking in relation to safeguarding personal data, in order to establish appropriate personal data safeguarding measures.

Binding Corporate Rules

For cross-border transfers within a group of corporations or companies, binding corporate rules (BCRs) can be established and submitted to the PDPC for approval. The BCRs must adhere to the following minimum standards:

• The effectiveness and legally binding nature of the BCRs apply to each company or entity within the group, including the data recipient, data processor, and data transferor, and the members belonging to the group, as well as their employees, staff, or persons related to the transfer or receipt of personal data within the group.
• The BCRs must comply with Thai laws on personal data protection.
• The BCRs must contain certification of data subject rights under the PDPA and sub-regulations.
• The BCRs must contain measures on personal data protection in relation to personnel, processes, and security measures in accordance with the required technology standards for personal data protection.

Appropriate Safeguards

In accordance with section 29, paragraph 3, of the PDPA, a personal data transferor may transfer personal data to a recipient outside of Thailand when procuring appropriate safeguard measures by way of “standard contractual clauses,” “code of conduct,” or “certification.” Such appropriate safeguards must at least ensure the enforceability of the data subject’s rights and effective legal remedial actions, as provided in the annexes of the notification.

The appropriate safeguards must at least have the following:

• Effectiveness and legal enforceability.
• Compliance with Thai laws on personal data protection.
• Certification of data subject rights under the PDPA and sub-regulations.
• Measures on personal data protection in relation to personnel, process, and security measures in accordance with the required technology standards for personal data protection.

The standard contractual clauses must be filed with the PDPC. The appropriate safeguard measures must be enforceable under Thai law, and they must provide data subject rights under Thai law. Such rights must also be enforceable and provide remedial rights for data subjects as stipulated under Thai law.

The notification also sets out standard contractual clauses for controller-to-controller and controller-to-processor international transfers. The clauses primarily stipulate the obligations of the transferor and the recipient, recognize the enforceability of the PDPA provisions on personal data protection, and ensure the ability of data subjects to exercise their rights (in the form of third-party rights).

For more information from Tilleke & Gibbins’ data privacy team regarding the draft notification, or any aspect of compliance with PDPA requirements, please contact Athistha (Nop) Chitranukroh at [email protected], Nopparat Lalitkomon at [email protected], Gvavalin Mahakunkitchareon at [email protected], or Thammapas Chanpanich at [email protected].