Thailand: Draft Of The PDPC Notification On International Transfers Of Personal Data

2. General principle for the international transfer of personal data

In principle, a data controller may transfer personal data to a recipient in overseas countries or an international organization if the destination country has an adequate data protection standard that is in compliance with the criteria prescribed by the PDPC.¹ Until present, the PDPC has not issued the notification in relation thereto.

Therefore, until now, practically, a data controller is able to transfer personal data internationally only if the transfer is necessary for the performance of contract to which the data subject is the party or the performance of the data subjects' request prior to such contract, the data subject has explicitly consented to the proposed transfer of personal data after having been informed of the inadequate data protection standard of the destination country or the international organization which receives the personal data, or the transfer is necessary for the compliance with a legal obligation,² etc.

In addition to above, a data controller or a data processor in Thailand is able to rely on the BCRs³ or the appropriate safeguards⁴ approaches for the transfer of personal data to foreign countries. Subject to compliance with the requirements of the BCRs or the appropriate safeguards, the data controller or the data processor may make such transfer without ensuring the adequacy of the data protection standard of the destination country or without obtaining explicit consent from the data subject.

3. Overview of the requirements for the BCRs and the appropriate safeguards

The overview of the requirements of the BCRs and the appropriate safeguards are as follows:

1. BCRs

The BCRs may be provided for the transfer of personal data particularly to the affiliates in the foreign countries.⁵

Under the Draft Notification, the BCRs must contain at least the following details:

1. effectiveness and legal binding effect applicable to entities of the affiliates, including their employees, staffs, and personnel related to the transferor and the transferee of personal data, the transfer of personal data, and the receipt of personal data;
2. rights of the data subject with respect to the personal data as stipulated under the PDPA and other related sub-regulations; and
3. measures for the protection of personal data in aspects of people and process, and standard security measures for personal data in the technological process in accordance with the rules, procedures, and notifications to be prescribed by the PDPC.

The BCRs must be submitted to the PDPC for their verification and certification.⁶

2. Appropriate safeguards

Under the Draft Notification, the appropriate safeguards may be provided in the following forms:

• Standard Contractual Clauses ("SCCs"), i.e., contractual clauses agreed upon between the transferor and the transferee of personal data to ensure the establishment of the due personal data protection standard by stipulating obligations of the parties to the SCCs and the protection of the data subject's rights;
• Code of Conduct, i.e., a code of conduct prescribing obligations of the transferor of personal data and the transferee of personal data overseas to be prepared by, among others, trade associations; or
• Certification, i.e., certification on the personal data protection standards to establish appropriate safeguards thereof to be certified by accredited certification bodies.

Each form of the appropriate safeguards must contain at least the following details:

1. effectiveness and legal binding effect applicable to companies, juristic persons, individuals, including relevant members, consignor and consignee of personal data, transferor and transferee of personal data, or the business of the data controller or the data processor. Such legal binding effect must also extend to relevant employees, staffs, and personnel of the above-mentioned entities;
2. rights of the data subject with respect to the personal data as stipulated under the PDPA and other related sub-regulations; and
3. measures for the protection of personal data in aspects of people and process, and standard security measures for personal data in the technological process in accordance with the rules, procedures, and notifications to be prescribed by the PDPC.

The appropriate safeguards must be certified by the data controller and the data processor and must be subsequently submitted to the PDPC.⁷

4. Conclusion

After the PDPC considers comments from the public hearing, changes may be made to the Draft Notification. The tentative timeline for the official announcement of such Draft Notification is not confirmed.

Although the Draft Notification is uncertain, it can illustrate the BCRs and appropriate safeguards approaches which may be alternatively performed by the data controller or the data processor in Thailand for the transfer of personal data to foreign countries, regardless of the adequacy of the data protection standard in the destination countries.

Footnotes

1. Section 28 of the PDPA

2. Section 28 of the PDPA

3. Section 29 paragraph 1 of the PDPA

4. Section 29 paragraph 3 of the PDPA

5. Section 29 paragraph 1 and Clause 5 of the Draft Notification

6. Clause 6 of the Draft Notification

7. Clause 7 of the Draft Notification