Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Thailand: PDPC announces publication of regulations on data transfers in Royal Gazette

On December 28, 2023, the Personal Data Protection Committee (PDPC) announced two regulations on international data transfers under Sections 28 and 29 of the Personal Data Protection Act 2019 (PDPA), respectively, as published in the Royal Gazette on December 25, 2023. The regulations were assented to following public consultation of the draft regulations.

In particular, the first regulation, titled 'Criteria for protecting personal data sent or transferred abroad according to Section 28 of the Personal Data Protection Act B.E. 2019, 2023,' relates to the transfer of personal data to a destination country or international organization that is deemed to have adequate data protection standards.

Notably, the second regulation, titled 'Criteria for protecting personal data sent or transferred abroad according to Section 29 of the Personal Data Protection Act B.E. 2019, 2023,' provides the following criteria for the appropriate protection measures to be implemented in the absence of a policy or an adequacy decision regarding the destination country or international organization that receives the personal data transferred. Specifically, the second regulation provides that:

  • measures must be legally enforceable and provide access to legal remedies for all involved parties, regardless of location. These measures should be consistent with data protection laws and bind all relevant personnel, including controllers, processors, and recipients;
  • measures must uphold the rights of the data subject whose information is being transferred. This includes ensuring their ability to access, rectify, or erase their data, as well as file complaints and seek redress; and
  • adequate security measures must be implemented to protect the transferred data throughout the process. These measures should comply with data protection laws and meet at least the minimum standards set forth in relevant legislation.

Finally, the regulations come into effect 90 days from the date of publication in the Royal Gazette on March 24, 2024.

You can read the first regulation here and the second regulation here, both only available in Thai.