After the announcement and enforcement of Thailand’s Personal Data Protection Act B.E. 2562 (“PDPA”), some provisions or contents of the PDPA are ambiguous and need to be interpreted or prescribed by the Personal Data Protection Committee (“PDPC”). The obligation of designating a Data Protection Officer (“DPO”) is one of the provisions in question. In this regard, subject to Section 41(2), the “Notice of the PDPC re: the designation of a Data Protection Officer under Section 41(2) of the Personal Data Protection Act B.E. 2562 B.E. 2566” (the “Notice”) has been officially published in the Royal Gazette on September 14, 2023, and will be effective on December 13, 2023. 

The purpose of the Notice is to elucidate the criteria of the data controller and data processor who fall under Section 41(2) and have a duty to designate the DPO. Subject to this Notice, a data controller or data processor must designate a DPO if (1) its activities in the collection, use, or disclose of personal data that are a part of its core activities (2) require regular monitoring of personal data or the system, (3) by the reason of having a large scale of personal data. In this regard, this Notice elaborates on each factor as follows:

（1）“Activities” means any activities done by a data controller or data processor to collect, use, or disclose personal data whether such activities are in relation to the core activities or supplementary activities.

（2）“Core Activities” means necessary and essential actions to carry out a purpose or main goal in the operation of the business or mission of the data controller or data processor which is not a supplementary activity.

（3）The Activities which require regular “monitoring” of the personal data are the Activities (i) being part of the Core Activities of the data controller and data processor and (ii) containing tracking, monitoring, analyzing, or predicting behavior, attitude or personal profile which generally collect, use, or disclose personal data systematically and regularly, including but not limited to the collection, use disclosure of personal data in the following case.

• The collection, use, or disclosure of personal data regarding the use of membership cards, public transportation cards, electronics cards, or any other card in the same manner that the card providers or any other persons can examine the details of such card usage information;
• The collection, use, or disclosure of personal data of customers or service recipients on a regular basis that reviews the status, history, or qualification of such customers or service recipients prior to entering into a contract in order to assess the relevant risk such as credit scoring, fraud prevention, etc;
• The collection, use, or disclosure of personal data for the purpose of behavioral advertising;
• The collection, use, or disclosure of personal data of customers or service recipients by computer network service providers or telecommunication operators;
• The collection, use, or disclosure of personal data for surveillance and security at various places;
• Any other cases as prescribed by the PDPC.

（4）The factors to be considered that the Activities of the data controller and the data processor, which are a part of the Core Activities, have “a large scale” of personal data are as follows:

• The number of relevant data subjects or the proportion of the number of data subjects whose personal data are collected, used, or disclosed, compared to the total number of potential data subjects;
• Amount, categories, or nature of personal data that is collected, used, or disclosed;
• Duration or permanence of collection, use, or disclosure of personal data for the interest of carrying out the Core Activities of the data controller or the data processor;
• Scope of use of personal data by an organization or according to the size of area or number of countries involved in the collection, use, or disclosure of personal data.

In addition, the following cases of the collection, use, or disclosure of personal data are also considered as having a large scale of personal data.

• The collection, use, or disclosure of personal data, which is a part of the Core Activities, has the number of data subjects 100,000 persons and above;
• The collection, use, or disclosure of personal data for the purpose of behavioral advertising through search engines or social media used broadly;
• The collection, use, or disclosure of customers’ or service recipients’ personal data according to the normal operation of the businesses such as insurance, and financial institution;
• The collection, use, or disclosure of customers’ or service recipients’ personal data by type 3 telecommunication business licensees (the license for a telecommunication operator having its own network which has the purpose of providing service to a large number of individuals, or may have a significant effect on free competition, or may affect the public interest, or there is a necessity to protect the consumer especially.) under the law on telecommunication business;
• Any other cases as prescribed by the PDPC.

In considering the criteria of (3) and (4), the standards and practices of such business, as well as the risk and effect on data subjects shall be taken into account.

With the aforesaid criteria, the data controller and data processor may be able to comply with Section 41(2) of the PDPA efficiently.

Authors:
Monchai Varatthan
Shota Sugiura
Marin Viriyapongpanich (Lin)