Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Thailand: PDPC releases draft regulations on data transfers for public consultation

On October 27, 2023, the Personal Data Protection Committee (PDPC) released for public consultation draft regulations on international data transfers, under Sections 28 and 29 of the Personal Data Protection Act 2019 (PDPA), respectively.

Data transfers under Section 28 of the PDPA

The draft regulation on data transfers under Section 28 of the PDPA addresses the transfer of personal data to a destination country or international organization that is deemed to have adequate data protection standards. Among other things, the draft regulation on data transfers under Section 28 of the PDPA establishes that said adequacy is to be determined based on certain factors, including the existence of legal measures or mechanisms, in the destination country or international organization, that shall not be less than those established in Thailand. 

Data transfers under Section 29 of the PDPA

The draft regulation on data transfers under Section 29 of the PDPA provides that the data controller or data processor located in Thailand may send or transfer personal data to the recipient of personal data located in a foreign country and engaging in the same affiliated business, or is in the same group of undertakings, if the sender or transferor of personal data and the recipient of personal data have established a policy for personal data protection in the same affiliated business or in the same group of undertakings (Policy) that has been reviewed and certified by the PDPC. The PDPC shall assess the content and substance of the Policy for personal data protection, which should, among other requirements, have legal effectiveness and enforceability.

Moreover, in the absence of a Policy or an adequacy decision regarding the destination country or international organization that receives the personal data, the draft regulation establishes that the data controller or data processor may send or transfer personal data to a foreign country, provided that the following safeguards are implemented:

  • contractual clauses;
  • a certification regarding the collection, use, and disclosure of personal data ensuring the appropriate safeguards in accordance with recognized standards; and
  • provisions for data protection measures in statutes or agreements that are legally binding and enforceable between state agencies in Thailand and state agencies of other countries in cases of cross-border or international transfers of personal data.

Next steps

Comments may be submitted via the dedicated portals here and here until November 10, 2023. The draft regulations would come into effect 90 days after their publication in the Government Gazette.

You can read the draft regulations here.

UPDATE (December 28, 2023)

PDPC announces publication of regulations on data transfers in Royal Gazette

On December 28, 2023, the PDPC announced two regulations on international data transfers under Sections 28 and 29 of the PDPA, respectively, as published in the Royal Gazette on December 25, 2023. 

In particular, the first regulation is titled 'Criteria for protecting personal data sent or transferred abroad according to Section 28 of the Personal Data Protection Act B.E. 2019, 2023.'

Furthermore, the second regulation, titled 'Criteria for protecting personal data sent or transferred abroad according to Section 29 of the Personal Data Protection Act B.E. 2019, 2023,' provides the following criteria for the appropriate protection measures to be implemented in the absence of a Policy or an adequacy decision regarding the destination country or international organization that receives the personal data transferred:

  • measures must be legally enforceable and provide access to legal remedies for all involved parties, regardless of location. These measures should be consistent with data protection laws and bind all relevant personnel, including controllers, processors, and recipients;
  • measures must uphold the rights of the data subject whose information is being transferred. This includes ensuring their ability to access, rectify, or erase their data, as well as file complaints and seek redress; and
  • adequate security measures must be implemented to protect the transferred data throughout the process. These measures should comply with data protection laws and meet at least the minimum standards set forth in relevant legislation.

Moreover, the regulations come into effect after 90 days from the date of publication in the Royal Gazette, i.e., on March 24, 2024.

You can read the first regulation here and the second regulation here, both only available in Thai.

UPDATE (March 25, 2024)

Regulations on data transfers under Sections 28 and 29 of the PDPA enter into force

On March 24, 2024, the PDPC's draft regulations on international data transfers under Sections 28 and 29 of the PDPA came into effect.

You can read the implemented rules under Section 28 here and under Section 29 here, both only available in Thai.