Thailand’s Personal Data Protection Act B.E. 2562 (“PDPA”) governs the cross-border transfer of personal data. Among other conditions, the PDPA provides that personal data may be transferred to another country or to an international organization (the “Recipient”) only if the Recipient has in place an adequate level of personal data protection, as determined by an adequacy decision of the Personal Data Protection Committee.
The current absence of a whitelist of Recipients with adequate protection in place does not rule out a data transfer to another country. The PDPA states that a controller/processor may make a cross-border transfer of personal data if it ensures that appropriate safeguards are in place, for example by relying on standard contractual clauses (“SCCs”).
Currently, no rules relating to such appropriate safeguards have been announced under the PDPA. We therefore refer to the draft PDPA sub-regulations publicly released earlier this year (2021) to outline the details of the SCCs under the PDPA (the “Thai SCCs”), which are similar to the former SCCs under the GDPR (i.e. Decision 2001/497/EC and Decision 2010/87/EU). However, in the aftermath of Schrems II, which invalidated the EU-U.S. Privacy Shield because the data of EU citizens lacked adequate protection against surveillance by U.S. authorities, a new set of SCCs under the GDPR (the “GDPR SCCs”) was released on 4 June 2021. We have therefore set out below a comparison summary of the Thai SCCs and the GDPR SCCs.
Transfer scenarios covered

Thai SCCs: The Thai SCCs cover only two sets of transfer scenarios, i.e. data transfer between:
1. controller and controller (C2C) and
2. controller and processor (C2P).

GDPR SCCs: In addition to the scenarios under the Thai SCCs, the GDPR SCCs also cover data transfers between:
1. processor and processor (P2P) and
2. processor and controller (P2C).

Parties to the contract

Thai SCCs: The Thai SCCs refer to only two contractual parties, i.e. the data exporter and the data importer, and are silent on whether any other person could become a party to the contract.

GDPR SCCs: Under the new “Docking Clause”, an entity that is not a party to the contract may, with the agreement of the existing parties, accede to the clauses at any time, either as a data exporter or as a data importer.

Security measures

Thai SCCs: The Thai SCCs generally state that the parties shall agree to process personal data in accordance with the appropriate mandatory security measures under article 37(1) of the PDPA.

GDPR SCCs: The technical and organizational measures applied must be described in specific, not generic, terms. Data encryption and data pseudonymization are specifically encouraged.

Local Laws and Practices Affecting Compliance with the Contract

Thai SCCs: No specific warranty is required. The Thai SCCs only state that the data importer must warrant that it has no reason to believe that the laws and practices in the country of destination will prevent it from fulfilling its obligations under the contract.

GDPR SCCs: In addition to what the Thai SCCs require, the GDPR SCCs require the parties to carry out a risk-based assessment before giving this warranty. In doing so, the parties must take into consideration:
1. the specific circumstances of the transfer;
2. the laws and practices of the country of destination, including those requiring the disclosure of data to public authorities; and
3. any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under the contract.

Obligations of the Data Importer in Case of Access by Public Authorities

Thai SCCs: In a C2P transfer, when the data importer receives a legally binding request from a public authority for the disclosure of personal data, the data importer shall notify the data exporter without undue delay.

GDPR SCCs: Additionally, the data importer is obliged to notify the data exporter, and where possible the data subject, when it becomes aware of any direct access by public authorities to personal data transferred pursuant to the contract, in accordance with the laws of the country of destination.
The data importer must review the legality of the request for disclosure, in particular whether it falls within the powers granted to the requesting public authority, and shall challenge the request if, after careful consideration, it concludes that there are reasonable grounds to consider the request unlawful under the laws of the country of destination.
The data importer shall provide the minimum amount of information permissible when responding to a request for disclosure.

Thai SCCs: In a C2P transfer, the data importer may refrain from notifying the data exporter of the request from a public authority if the laws of the country of destination prohibit it from doing so.

GDPR SCCs: If the data importer is prohibited under the laws of the country of destination from notifying the data exporter and/or the data subject, it agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer must also agree to document its best efforts so that it can demonstrate them at the request of the data exporter.
With the numerous major changes in the new set of GDPR SCCs, it remains to be seen whether these changes will have any impact on the Thai SCCs and, if so, to what extent.
For more information, please get in touch with our Data Privacy and Protection lawyers or, alternatively, contact the authors.
KAP Cloud, a subsidiary of Kudun and Partners, is teaming up with various digital and technology solution providers to provide a comprehensive solution for our clients’ PDPA compliance. We believe technology and legal expertise need to go hand in hand to address this issue.
We have a dedicated team keen to understand our clients’ business and to help them navigate the complex regulation of data and achieve their goals and objectives.