Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Thailand: Regulations on data transfers under Sections 28 and 29 of PDPA enter into force

On March 24, 2024, the draft regulations on international data transfers, under Sections 28 and 29 of the Personal Data Protection Act 2019 (PDPA) came into effect, following its publication, on December 25, 2023, in the Official Gazette.

What are the key provisions for the implemented rules under Section 28?

The Personal Data Protection Committee (PDPC) implemented rules on the criteria for protecting personal data sent or transferred abroad according to Section 28 of the PDPA, which establishes the procedures for adopting an adequacy decision, stating that the PDPC will evaluate the level of protection the countries have and will consider cases submitted by data controllers. Furthermore, the regulation describes the requirements for meeting adequate data protection standards, including the need for the recipient country or organization to have laws or regulations, competent enforcement authorities, and effective legal and regulatory frameworks in place. Additionally, the regulation outlines exceptions to the rules, such as compliance with local laws, the consent obtained from data owners, the necessity for contract performance, and the protection of life, health, safety, or vital public interest.

What are the key provisions for the implemented rules under Section 29?

According to the PDPC's implemented rules regarding the criteria for protecting personal data sent or transferred abroad according to Section 29 of the PDPA, organizations may transfer personal data to other organizations involved in a related business or part of the same group of undertakings based on a policy for personal data protection (Binding Corporate Rules (BCRs)) reviewed and certified by the PDPC. The entities would be permitted to transfer data to foreign countries in the absence of adequacy decisions or BCRs provided that there are appropriate safeguards in place, such as contractual clauses, certifications, or agreements to which Thailand is a party. Furthermore, the regulation specifies the international model of contractual clauses that Thailand accepts.

You can read the implemented rules under Section 28 here and under Section 29 here, both only available in Thai.