On September 14, 2023, Thailand's Personal Data Protection Committee (PDPC) published a notification on the requirements for the appointment of a data protection officer (DPO) in the Government Gazette, taking effect on December 13, 2023.
The notification on appointing a DPO lays out the criteria for what constitutes processing of personal data requiring "regular monitoring of the personal data or the system" by reason of "having large-scale personal data," which requires data controllers and data processors to appoint a DPO under the Personal Data Protection Act B.E. 2562 (PDPA).
Criteria
After a hearing on the draft DPO appointment notification in July, the published version was slightly amended, while the main criteria for appointing a DPO remain the same. These have been finalized as follows:
- When determining whether processing of personal data requires regular monitoring due to having large-scale personal data, only the "core activity" of the data controller or data processor is to be taken into consideration. The term "core activity" denotes an essential and integral activity directly related to the primary operations of the data controller or data processor and does not include any supplementary business activities (e.g., human resources and information technology activities).
- "Processing activities that require regular monitoring of personal data" refers to activities relating to tracking, monitoring, analyzing, or predicting the behavior, attitude, or profile of individuals, and generally involves the processing of personal data in a systemic manner on a usual or regular basis. Examples include membership card programs, credit scoring, insurance premium consideration, fraud prevention, processing of personal data by computer network system service providers or telecommunications operators, behavioral advertising, and so on.
- To determine whether processing activities constitute "large-scale processing of personal data," various factors are considered:
  - Volume, type, or nature of personal data processed;
  - Duration or permanence of the processing of personal data;
  - Number or proportion of data subjects whose personal data is processed, compared to the total number of potential data subjects; and
  - Scope or areas of the processing of the personal data.
- This version of the notification specifies that processing personal data of 100,000 data subjects or more is considered "large-scale processing of personal data."
If the processing of personal data in core activities meets the criteria in (b) and (c) above, the data controller or data processor must appoint a DPO to handle personal data protection-related matters.
DPO Duties
The DPO appointment notification also emphasizes that the DPO can carry out other duties if the data controller or data processor warrants that these duties do not conflict with the DPO duties prescribed in the PDPA.