It has been over one year since the Personal Data Protection Committee (the "PDPC") published the first draft sub-regulation for the protection of cross-border personal data transfer for public review in October 2022. On 27 October 2023, the PDPC published two draft sub-regulations regarding cross-border transfer of the Personal Data Protection Act B.E. 2562 (2019) (the "PDPA") for public hearing purposes. This second round of review was open until 10 November 2023.

There are two drafts published concerning cross-border transfer of personal data. The drafts cover Section 28 (adequate protection standard, whitelisted countries) and Section 29 (Binding Corporate Rules, Appropriate Safeguards, Standard Contractual Clauses) of the PDPA respectively.

1. (Draft) PDPC Notification on the rules for an adequate protection standard for cross-border transfer to a foreign country (cross-border transfer of personal data under Section 28)

In summary, this draft notification dictates that when transferring personal data to a foreign country/organization, such country/organization must have an adequate protection standard unless the transfer falls within one of the exceptions listed in the notification, such as where the transfer is necessary for compliance with the law or the data subject has given consent to the transfer.

This draft notification also provides criteria to determine whether a foreign country has adequate data protection standards based on:

1. the destination country/organization has personal data protection legal measures no less stringent than those provided under Thailand's personal data protection law, especially the Data Controller's obligations and measures which enable enforcement of Data Subject rights, including effective legal remedy;

2. the destination country/organization has an authority responsible for enforcing its personal data protection laws and regulations.

To support the PDPC's determinations, a Data Controller may raise questions concerning a destination country/organization's adequate protection standards, or the PDPC itself may collect and propose such information. The PDPC may also publish lists of destination countries/organizations with adequate data protection standards.

2. (Draft) PDPC Notification on Binding Corporate Rules for Affiliated Businesses and Appropriate Safeguards (cross-border transfer of personal data under Section 29)

This draft notification addresses several notable issues, including clarification of definitions, provisions on Binding Corporate Rules for Affiliated Businesses, provisions on Appropriate Safeguards, and Standard Contractual Clauses, including rules on contract amendment.

Binding Corporate Rules

As an exemption from Section 28 of the PDPA regarding the adequate protection standard for a cross-border transfer to a foreign country, the sender/transferer of personal data can send or transfer personal data to its overseas affiliated business or group undertaking if it has issued Binding Corporate Rules ("BCR") which have been reviewed and certified by the PDPC.

The BCR must be submitted for review and approval, and must contain a privacy policy which must, at least, meet the following criteria:

1. A legally effective privacy policy in relation to all related parties (e.g., processor, sender, receiver, employees, etc.) which must align with the law on personal data protection and must also be binding upon personnel, employees, or persons related to the sender or transferer and recipients of personal data;

2. warranty of the protection of personal data, rights of the Data Subject, and appropriate complaint mechanism for cross-border transfers; and

3. protection and security measures that comply with the minimum standards of Thailand's personal data protection laws.

Appropriate Safeguards

Another PDPA Section 28 exemption is noted in this notification. In each case the sender/transferer must provide Appropriate Safeguards that, at least, enable enforcement of Data Subject rights, including effective legal remedial measures.

An Appropriate Safeguard also may be in the format of:

  • 'Standard Contractual Clause' (of a Data Transfer Agreement)
  • 'Certification' (regarding cross-border transfer of personal data, for which the PDPC will further issue a certification standard), or
  • 'Code of Conduct' (of cross-border transfer between government agencies)

At a minimum, all of the above must have legal effect and be binding upon the related parties, guarantee the protection of personal data, protect the rights of Data Subjects, ensure the right to an effective complaint regarding a cross-border transfer, and include protection and security measures similar to the minimum provisions of the BCR.

Standard Contractual Clause

The acceptable Standard Contractual Clause of a Data Transfer Agreement must, at least, meet one of the following requirements:

1. The Contract must include, at least, the following terms and conditions:

a. Collection, use, and disclosure, including sending and transferring of personal data, must comply with the personal data protection law;

b. The Parties must provide security measures with the minimum standard according to the personal data protection law;

c. In the case the receiving party is the data processor – the receiving party must comply with certain obligations under the personal data protection law, including the obligations to act under the data controller's instructions, notify the related party in the case the data subject requests to exercise the rights, and return or destroy any personal data in possession once the contract is terminated;

d. In the case the receiving party is the data controller – the receiving party must notify the sending party in the case of a personal data breach incident;

e. The Contract must provide effective legal remedies for the Data Subject, or the right of the Data Subject to receive effective legal remedies.

2. The Content is in accordance with the ASEAN Model Contractual Clauses for Cross Border Data Flows;

3. The Content is in accordance with the Standard Contractual Clauses of Regulation (EU) 2016/679 of the European Union or General Data Protection Regulation.

Amendments to the Model Contractual Clauses and Standard Contractual Clauses are limited to certain cases, such as adding a citation to the local personal data protection law, translating the clauses into another language, adopting content from relevant modules as part of a contract, adding or removing optional clauses, and adding other clauses that do not contradict the original content, provided that the amendments have no greater impact on the rights and freedoms of the Data Subject.

We expect the finalized notifications to include all material clauses mentioned above. The PDPC is also responsible for providing details and information on the Model Contractual Clauses and Standard Contractual Clauses, which will be published on the PDPC's website soon after the notifications are finalized. We recommend that businesses prepare to comply with the necessary cross-border compliance components. We will provide a further update once the draft notifications are finalized and published.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.