The Office of the Personal Data Protection Committee (the “PDPA Committee”) published a draft regulation issued under the Personal Data Protection Act (2019) (the “PDPA”) relating to the cross-border transfer of personal data outside of Thailand (the “Draft Regulation”) on its website in September 2022.
Cross-Border Transfer of Personal Data under the Current Provisions of the PDPA
According to Section 28 of the PDPA, a data controller can transfer personal data to a foreign country if the receiving country has in place adequate personal data protection measures that are in line with the adequacy criteria issued by the PDPA Committee. The PDPA Committee will announce a list of countries that have in place such personal data protection measures (the “Whitelist Countries”) later on. However, if the personal data is not transferred to any Whitelist Countries, the cross-border transfer can still be conducted if the exemptions under Section 28 apply.
Moreover, Section 29 (Paragraphs 1 and 2) of the PDPA provides an alternative method to transfer personal data to a foreign country. It states that the transfer of personal data is permitted within the same group of companies that have established binding corporate rules (the “BCR”) relating to data protection, which must be reviewed and certified by the PDPA Committee pursuant to the regulations issued by the PDPA Committee. If the company has certified BCR, Section 28 no longer applies to the transfer of such personal data.
Under Section 29 (Paragraph 3) of the PDPA, the cross-border transfer of personal data may be carried out in the absence of any Whitelist Countries or certified BCR if the transferor provides appropriate safeguards which enable the enforcement of the data subject’s rights, including effective legal remedial measures according to the regulations issued by the PDPA Committee.
The Draft Regulation, once issued, will supplement the principles of intra-group transfers of personal data outside of Thailand under Section 29 of the PDPA.
Set out below is a summary of the key terms of the Draft Regulation:
(a) Binding Corporate Rules (BCR)
According to the Draft Regulation, if the BCR are established and have been reviewed and certified by the PDPA Committee, any data controller or data processor may transfer personal data outside of Thailand to any of the companies or entities within its group. The BCR must adhere to the following minimum standards:
- The BCR must be legally binding on, apply to, and be enforced by each company or entity within the group, including the data recipient, data processor and data transferor, and all other members of the group, as well as their employees, staff, or persons involved in the transfer or receipt of personal data within the group;
- The BCR must comply with Thai personal data protection laws;
- The BCR must contain a clause concerning the data subject’s rights under the PDPA and relevant sub-regulations thereof;
- The BCR must contain measures for personal data protection in relation to personnel and processes as well as security measures in accordance with the required technology standards for personal data protection.
(b) Appropriate Safeguards
As previously stated, a personal data transferor may transfer personal data to a recipient outside of Thailand without establishing the BCR if the transferor provides appropriate safeguards. The Draft Regulation provides the details regarding the appropriate safeguards that the personal data transferor must implement in order to satisfy the requirements under Section 29 (Paragraph 3) of the PDPA.
According to the Draft Regulation, appropriate safeguards may be provided in the form of “standard contractual clauses”, “code of conduct”, or “certification”. The standard contractual clauses must be filed with the PDPA Committee. The minimum standards applicable to the BCR, as outlined in (a) above, also apply to appropriate safeguards. Additionally, the appropriate safeguards must meet the minimum requirements for controller-to-controller and controller-to-processor cross-border transfers as outlined in the annexes of the Draft Regulation in order to provide the data subject with rights that are enforceable under Thai law, including remedial rights.
The annexes set out the minimum requirements that appropriate safeguards must meet, which are summarized in the Schedule.
We will continue to monitor updates on this regulation. Should you require further information, please contact the authors or your key contact in our firm.
KAP Cloud, a subsidiary of Kudun and Partners, together with various digital and technology solution providers are teaming up to provide a comprehensive solution for our client’s PDPA compliance. We believe technology and legal expertise need to come hand in hand to address this issue.
We have a dedicated team who is keen to understand our client’s business and in helping them achieve their purpose in navigating the complex regulation of data and achieving their goals and objectives.