
In brief

Following our previous newsletter, the Notification of the Personal Data Protection Committee re: Designation of a Data Protection Officer under Section 41 (2) of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2566 (2023) (“PDPC Notification re: DPO Designation”) was published in the Government Gazette on 14 September 2023. This notification will be effective from 13 December 2023.

While most of the requirements under the PDPC Notification re: DPO Designation remain unchanged from its draft version, the published version specifies a minimum number of data subjects that would trigger the large-scale criteria and the data controller’s obligation to designate a data protection officer (DPO).

Businesses that are subject to the Personal Data Protection Act B.E. 2562 (2019) (PDPA) should consider if their processing activities meet the required criteria, designate a DPO, and notify the regulator by 13 December 2023.

Further details can be found below.


In more detail

Background

Under Section 41 (2) of the PDPA, data controllers and data processors would be required to appoint a DPO if their processing activities require regular monitoring of the personal data or the system, by reason of possessing personal data on a large scale as announced by the Personal Data Protection Committee (PDPC).

The PDPC has recently announced the PDPC Notification re: DPO Designation, which was published in the Government Gazette on 14 September 2023 and will become effective from 13 December 2023.

Criteria to designate a DPO

Under the PDPC Notification re: DPO Designation, to determine whether to designate a DPO, the data controller or data processor must consider the following step-by-step criteria:


Step 1: Core activities criteria

The PDPC Notification re: DPO Designation defines “core activities” as any operation that is necessary and significant to achieve the primary objectives or goals of the businesses. The definition also specifies samples of core activities. However, ancillary activities, which are activities that merely support the operation of the businesses, are not considered core activities.

Step 2: Regular monitoring criteria

The core activities would be considered as requiring regular monitoring of the personal data or system if they involve regular tracking, monitoring, analyzing, and profiling of personal data in a systematic way. The PDPC Notification re: DPO Designation also provides samples of activities, e.g., membership cards and electronic cards, credit scoring and fraud prevention, insurance premium consideration, behavioral advertising, computer networking services or telecommunications businesses, and surveillance and security services.

Step 3: Large-scale criteria

Various factors must be taken into account in order to consider if the core activities involve personal data on a large scale. One of the factors is whether the number of data subjects reaches 100,000 or more. However, there has not yet been any clarification on what type of data subjects would be counted as 100,000 data subjects for each company, e.g., whether corporate clients’ business contacts would be counted with end customers or not. Additionally, activities such as behavioral advertising through widely used search engines or social media, normal operations of insurance companies and financial institutions, and telecommunications businesses also trigger the large-scale criteria.

Next steps

Similar to its draft version, the PDPC Notification re: DPO Designation is still silent on the forms and qualifications of the DPO. As such, the data controller or data processor would still have some level of flexibility in designating the DPO. However, the PDPC may issue another sub-regulation prescribing the DPO qualifications at a later stage.

Businesses under the PDPA should consider if they meet any of the criteria to designate a DPO. If so, they must complete the designation process and provide the DPO’s information to the data subjects and the Office of the PDPC by 13 December 2023.

For more information, please contact us.


Author

Kritiyanee joined Baker McKenzie in 2013 and is a partner in the Intellectual Property and Technology practice. She has experience in data protection, cyber security, and complex technology matters.

Drafted the legal article “the Future is Now and Its Challenges Present: How to determine IP ownership and plan for regulatory compliance in the era of Artificial Intelligence (AI) and the Internet of Things (IoT) symbiosis” published in the Intellectual Property and International Trade Court Law Journal.

Drafted the legal article “Ready or not, Here It Comes - Blockchain and Its Legal Implications” published in the Intellectual Property and International Trade Court Law Journal: Special 20th Anniversary Issue.

Author

Pattaraphan joined Baker McKenzie in 2011 and is a Partner in the Intellectual Property and Technology practice. Before joining Baker McKenzie, she worked at the National Broadcasting and Telecommunications Commission (NBTC) as a legal officer. Pattaraphan is also one of the very few Thai lawyers who are Certified Information Privacy Professional/Europe (CIPP/E).

Author

Chalermrat Chandranee is an Associate in Baker McKenzie, Bangkok office.

Author

Chayapisa Kositbenjapol is an Associate in Baker McKenzie, Bangkok office.
