Thailand: Operationalising PDPA - Data transfers and localisation - Part two
The Personal Data Protection Act 2019 ('PDPA') came into full force and effect on 1 June 2022. It governs the processing (i.e. the collection, use, and disclosure) of personal data of data subjects residing in Thailand carried out by businesses, defined as persons or legal entities who are data controllers or data processors. The PDPA protects the rights of data subjects while recognising that businesses need to process personal data for appropriate and limited purposes.
Part one provides an overview of the key notification and consent requirements that businesses must meet to comply with the PDPA. As part two of the Insight series on the operationalisation of the PDPA, Dhiraphol Suwanprateep and Thananya Chaikamonsuk, from Baker & McKenzie Limited Attorneys at Law, discuss the requirements set out in the PDPA in relation to data transfers and localisation. Part three explores the PDPA's provisions on vendor management, breach reporting, and legal liability. Part four gives an overview of lawful bases for processing, sensitive personal data, and data processing safeguards under the PDPA.
What is required by the PDPA regarding data transfers and data localisation?
There is no data localisation requirement under the PDPA, so personal data may be stored outside Thailand. Nonetheless, the PDPA imposes requirements and restrictions on the cross-border transfer of personal data out of Thailand, which fall into the following categories:
Adequate data protection standards
According to Section 28 of the PDPA, when a data controller sends or transfers personal data to a foreign country, the destination country should have adequate data protection standards, except in the following circumstances:
- where it is for compliance with the law;
- where the consent of the data subject has been obtained;
- where it is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering a contract;
- where it is for compliance with a contract between the data controller and other persons or juristic persons for the interests of the data subject;
- where it is to prevent or suppress danger to the life, body, or health of the data subject or other persons, when the data subject is incapable of giving consent at such time; or
- where it is necessary for substantial public interest.
Data protection policy for intra-group cross-border data transfer (i.e. Binding Corporate Rules ('BCRs'))
Where a data controller or data processor in Thailand puts in place a personal data protection policy governing the transfer of personal data to another data controller or data processor located in a foreign country and belonging to the same affiliated business or group of undertakings, and that policy has been reviewed and certified by the Office of the Personal Data Protection Committee ('PDPC'), the transfer of personal data to the foreign country can be carried out and should be exempt from the requirements of Section 28 of the PDPA mentioned above.
Appropriate safeguard measures (i.e. Standard Contractual Clauses ('SCCs'))
A data controller or data processor may send or transfer personal data to a foreign country without having to comply with Section 28 of the PDPA if it provides suitable protection measures that enable the enforcement of the data subject's rights, including effective legal remedies.
The draft sub-regulation under the PDPA further specifies a list of minimum clauses that should be incorporated in the BCRs and SCCs; organisations should keep monitoring and following these requirements for full compliance.
Who should comply with the data transfer requirements under the PDPA?
The data controller and/or data processor must comply with the requirements above as they apply to each scenario.
In the case of a sender, where personal data is provided to other persons or legal persons, action should be taken to prevent those persons from using or disclosing the personal data unlawfully or without authorisation.
A recipient who obtains personal data as a result of such disclosure should not disclose the personal data for any purpose other than the purpose previously notified to the data controller in the request to obtain it.
What should the organisation prepare to comply with the data transfer requirements?
- An organisation should adopt BCRs and have them reviewed and certified by the PDPC for transfer of personal data to its group companies located overseas;
- The data transfer agreement should be revisited, or prepared where none exists, for compliance with the PDPA and its sub-regulation requirements; and
- When transferring personal data, both within and outside of Thailand, such transfer activities should be recorded in the organisation's records of processing activities, regardless of whether the organisation is deemed as a data controller or a data processor.