Following our previous newsletter, the Notification of the Personal Data Protection Committee re: Designation of a Data Protection Officer under Section 41 (2) of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2566 (2023) (“PDPC Notification re: DPO Designation”) was published in the Government Gazette on 14 September 2023. The notification will take effect on 13 December 2023.
While most of the requirements under the PDPC Notification re: DPO Designation remain unchanged from its draft version, the published version specifies a minimum number of data subjects that would trigger the large-scale criteria and the data controller’s obligation to designate a data protection officer (DPO).
Businesses that are subject to the Personal Data Protection Act B.E. 2562 (2019) (PDPA) should consider whether their processing activities meet the required criteria and, if so, designate a DPO and notify the regulator by 13 December 2023.
Further details can be found below.
In more detail
Under Section 41 (2) of the PDPA, data controllers and data processors are required to appoint a DPO if their processing activities require regular monitoring of the personal data or the system because they possess personal data on a large scale, as prescribed by the Personal Data Protection Committee (PDPC).
The PDPC has now issued the PDPC Notification re: DPO Designation, which was published in the Government Gazette on 14 September 2023 and will take effect on 13 December 2023.
Criteria to designate a DPO
Under the PDPC Notification re: DPO Designation, to determine whether to designate a DPO, the data controller or data processor must consider the following step-by-step criteria:
Step 1: Core activities criteria
The PDPC Notification re: DPO Designation defines “core activities” as any operation that is necessary and significant for achieving the primary objectives or goals of the business. The definition also gives examples of core activities. Ancillary activities, i.e., activities that merely support the operation of the business, are not considered core activities.
Step 2: Regular monitoring criteria
Core activities are considered to require regular monitoring of the personal data or system if they involve regular tracking, monitoring, analyzing, and profiling of personal data in a systematic way. The PDPC Notification re: DPO Designation also gives examples of such activities, e.g., membership cards and electronic cards, credit scoring and fraud prevention, insurance premium assessment, behavioral advertising, computer networking services or telecommunications businesses, and surveillance and security services.
Step 3: Large-scale criteria
Various factors must be taken into account to determine whether the core activities involve personal data on a large scale. One of these factors is whether the number of data subjects reaches 100,000 or more. However, there has not yet been any clarification on which types of data subjects count towards the 100,000 data subjects for each company, e.g., whether corporate clients’ business contacts are counted together with end customers. Additionally, activities such as behavioral advertising through widely used search engines or social media, the normal operations of insurance companies and financial institutions, and telecommunications businesses also trigger the large-scale criteria.
As in its draft version, the PDPC Notification re: DPO Designation remains silent on the form and qualifications of the DPO. As such, the data controller or data processor still has some flexibility in designating the DPO. However, the PDPC may issue a further sub-regulation prescribing the DPO qualifications at a later stage.
Businesses under the PDPA should consider whether they meet any of the criteria for designating a DPO. If so, they must complete the designation process and notify the data subjects and the Office of the PDPC of the DPO’s details by 13 December 2023.
For more information, please contact us.