Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Thailand: Key considerations for multi-national corporations in cross-border data transfer under the Personal Data Protection Act

The Personal Data Protection Act B.E. 2563 (A.D. 2019) of Thailand (PDPA), effective from June 1, 2022, is the key legislation of Thailand that provides comprehensive protection for personal data. Local and foreign entities that collect, use, or disclose personal data of data subjects in Thailand are subject to the PDPA. Cross-border data transfers are subject to stringent requirements under the provisions of the PDPA and the applicable rules issued under the PDPA. Multinational corporations (MNCs) are required to have in place adequate data protection measures for the purpose of their cross-border data transfer activities.

Kowit Somwaiya and Usa Ua-areetham, from LawPlus Ltd., provide an overview of the key considerations for MNCs to consider when implementing cross-border data transfer mechanisms. The overview is focused on the key requirements for the Binding Corporate Rules (BCRs) and the Data Transfer Agreement (DTA) as set out in relevant notifications issued by the Personal Data Protection Committee (PDPC) under the PDPA, such as the implementing rules on the criteria for protecting personal data sent or transferred abroad according to Section 28 of the PDPA (PDPC rules).

Steve Proehl/The Image Bank via Getty Images

BCRs

Definition and purpose

BCRs is a term used by the PDPC for the purpose of protecting personal data when it is transferred from Thailand to another country and has a meaning similar to those used by other major data protection authorities, such as the European Data Protection Board (EDPB) and the UK Information Commissioner's Office (ICO).

BCRs are internal policies adopted by MNCs in the same group of entities to set out rules of their global approach for personal data protection when they transfer personal data to entities of the same group in countries where personal data protection law does not exist, or the existing data protection standards do not meet the personal data protection requirements under the PDPA.

The purpose of BCRs is to ensure that entities in the same MNC group are bound by the same and consistent data protection standards for cross-border data transfers.

Key requirements for BCRs

The PDPA and the PDPC rules require BCRs to:

  • be legally enforceable against all members of the MNC group, including their subsidiaries, branches, and employees;
  • provide data subjects with enforceable rights in relation to the processing of their personal data, including clear procedures for them to exercise those rights, regardless of where their data is kept within the MNC group;
  • comply with the PDPA requirements and implement appropriate security measures to protect personal data, including measures on:
    • ensuring lawful collection, use, and disclosure of personal data;
    • collecting personal data only as necessary for the specified purpose;
    • ensuring accuracy and completeness of personal data;
    • specifying the retention period of personal data;
    • maintaining appropriate security measures to prevent unauthorized or unlawful loss, access, use, alteration, correction, or disclosure of personal data;
    • obtaining explicit consent from the data subjects where required; and
    • providing specific protection for sensitive personal data; and
  • provide mechanisms for handling and reporting each data breach to the PDPC within 72 hours of becoming aware of the data breach and other relevant measures as required by the PDPA.

Implementation of BCRs

Organizations must prepare a draft of the BCRs and submit it to the Office of the PDPC (OPDPC) for the OPDPC to review and approve. Once the BCRs have been approved by the OPDPC, they must be adopted across the MNCs by approval of senior management, integrating the approved BCRs into existing policies and procedures, conducting extensive internal communication and training, updating IT systems, revising contracts with vendors and partners, and potentially reorganizing certain data flows within the MNC group.

Audits and updates of the BCRs are also necessary to ensure continued compliance with the PDPA and its future amendments at least annually or more frequently if there are significant changes in the data processing activities of the MNC group or changes in the regulatory compliance measures of the group.

DTA

If the MNCs do not have approved BCRs, they are required to enter into a DTA with terms and conditions that give adequate protection for personal data for the purpose of cross-border data transfer activities amongst the members of the MNCs group and the cross-border data transfers to vendors, service providers, and other third parties. The PDPC may issue standard clauses for MNCs to include in their DTA.

If the MNCs have their BCRs approved by the OPDPC, the DTA must also be adopted if the cross-border data transfers are also made to third parties outside the same MNCs group.

The DTA serves as a contractual means of ensuring adequate protection for personal data, which MNCs transfer to recipients in countries that do not have a personal data protection law or do not have personal data protection standards equivalent to those required under the PDPA. The DTA allows MNCs to establish binding obligations for both the transferors and recipients of personal data to be bound in relation to their collection, use, or disclosure of personal data in compliance with the PDPA.

Requirements for the DTA

The key terms and conditions required for the DTA include the following:

  • the collection, use, and disclosure of personal data that comply with the PDPA. When drafting the DTA, MNCs should consider the nature of their data transfers. For example, transfers of sensitive personal data would require additional safeguards beyond the standard DTA provisions;
  • the security measures that meet or exceed the minimum legal standards under the PDPA, which include both technical measures (such as encryption and access controls), physical measures (such as physical disposal or destruction of any hard copies and electronic files), and organizational measures (such as staff training and data handling procedures);
  • clear specification of the purposes for which the personal data can be processed. The data importer (data recipient) should be contractually bound to process the personal data only for these specified purposes;
  • provisions for protecting the rights of the data subjects, including the procedures for the data importer to assist the data exporter (data transferor) in responding to data subject requests;
  • requirements for the data importer to promptly report any personal data breach to the data exporter in Thailand so that the data exporter may report the breach within 72 hours to the OPDPC;
  • provisions that allow the data exporter to conduct audits or inspections of the data importer's data processing facilities to ensure ongoing compliance and allow the data exporter to meet its accountability obligations under the PDPA;
  • provisions that enable the data exporter to suspend the transfer of personal data to the data importer in cases where the data importer is in breach or unable to comply with the DTA;
  • provisions specifying the data retention periods and procedures for securing deletion or return of data once the processing is complete or the agreement terminates;
  • if applicable, conditions under which the data importer may engage sub-processors. This includes requiring prior written authorization from the data exporter and ensuring that any sub-processors are bound by the same data protection obligations;
  • provisions on the liability for data breaches and indemnification obligations; and
  • the governing law and jurisdiction for dispute resolution.

DTA and vendor privacy contracts

The DTA often intersects with vendor privacy contracts, regardless of whether the Thai entity is the data exporter or data importer. When engaging in cross-border data transfers, MNCs should ensure that their contracts incorporate necessary data protection clauses to comply with the PDPA and other relevant laws. This may include incorporating DTA provisions directly into vendor contracts, creating the separate DTA referenced in and attached to the vendor contracts, or ensuring that all parties have adequate data protection policies and procedures in place. The parties may be required to demonstrate ongoing compliance with relevant data protection laws, e.g., through certifications or third-party audits.

The vendor contracts should include provisions that allow for audits and inspections to verify ongoing compliance, particularly when processing sensitive personal data or large volumes of personal data. MNCs should also consider the long-term implications of their vendor relationships which includes planning for scenarios such as contract termination or vendor changes, ensuring that data can be securely transferred or deleted as needed.

Compliance challenges and solutions

MNCs that implement cross-border data transfer mechanisms under the PDPA may face several compliance challenges. These include complying with different data protection laws across countries where the MNCs operate, adapting to potential changes or new interpretations of the data privacy laws and its sub-regulations, and ensuring vendors, especially those outside Thailand, comply with the PDPA requirements.

To respond to these challenges, MNCs should regularly review and update their policies to ensure that they comply with the PDPA and other applicable laws. They should also stay updated on the PDPC notifications and announcements, consulting legal experts when necessary to understand new requirements.

Another challenge is understanding where personal data is kept and how it flows within the MNCs. Regular updates to the data inventories and the implementation of clear data classification systems can help identify and track personal data, especially sensitive personal data.

The PDPA requires MNCs to be accountable for their data protection practices. To comply with the PDPA, MNCs should maintain records of processing activities as required and be prepared to prove their compliance with the PDPC, if required. MNCs should also implement comprehensive data protection training programs for all staff involved in the processing of personal data to create a culture of data protection awareness and reduce the risk of unintentional non-compliance1.

Kowit Somwaiya Managing Partner
[email protected]
Usa Ua-areetham Partner
[email protected]
LawPlus Ltd., Bangkok

1. The information provided in this document is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided. Under no circumstances shall LawPlus Ltd. or any of its directors, partners, and lawyers be liable for any direct or indirect, incidental or consequential loss or damage that results from the use of or the reliance upon the information contained herein.