Notice re Cross-Border Transfer under Section 28 and 29 of the PDPA
2024.02.06
After the Personal Data Protection Committee (the “PDPC”) of Thailand issued two draft notices regarding the cross-border transfer of personal data under the Personal Data Protection Act B.E. 2562 (the “PDPA”), the official notices were announced and published in the Royal Gazette on 25 December 2023. The first notice is the “Notice of PDPC re Principle of Personal Data Protection for Cross-border Transfer according to Section 28 of PDPA B.E. 2566 (2023)” (the “Section 28 Notice”) and the second is the “Notice of PDPC re Principle of Personal Data Protection for Cross-border Transfer according to Section 29 of PDPA B.E. 2566 (2023)” (the “Section 29 Notice”). The effective date is 24 March 2024.
The PDPA provides several legal options for the cross-border transfer of personal data. However, further detail on these options is needed before a feasible option can be put into practice. In this regard, the PDPC issued the Section 28 Notice and the Section 29 Notice, which give detailed instructions for these options and may have a significant impact on personal data practices in Thailand in terms of cross-border transfer.
In both Notices, “Personal Data Transfer” means a transfer of personal data by the data exporter, physically or via a computer system or internet network, to the data importer. It excludes the sending and receiving of personal data in a manner that is only an intermediary for data transit between computer systems or network systems, or data storage in temporary or permanent form, where no third party has access to such data other than the data controller or data processor as the data exporter, or its personnel, employees, or staff.
The principal details of each Notice are as follows:
Notice according to Section 28
(1) Adequate Personal Data Protection Standards
Section 28 of the PDPA prescribes that the destination country that receives personal data shall have adequate personal data protection standards. According to the Section 28 Notice, the factors to be considered regarding whether the destination country has “adequate personal data protection standards” are as follows:
(a) The destination country has legal measures or mechanisms regarding personal data protection that are not more lenient than Thailand's PDPA.
(b) There is an agency or organization that has duties and the authority to enforce laws and regulations regarding personal data protection which is not more lenient than Thailand's PDPA.
(2) Whitelist Countries
According to the Section 28 Notice, the PDPC may publish a whitelist of the destination countries to which personal data may be transferred from Thailand under the PDPA.
Notice according to Section 29
(1) Appropriate Safeguards
Section 29 Paragraph 3 of the PDPA prescribes as follows:
Section 29 Paragraph 3
In the absence of a decision by the Committee in accordance with section 28, or the Personal Data protection policy referred to in paragraph one, the Data Controller or the Data Processor may send or transfer the Personal Data to a foreign country in exemption to compliance with section 28, if the Data Controller or the Data Processor provides suitable protection measures which enable the enforcement of the data subject’s rights, including effective legal remedial measures according to the rules and methods as prescribed and announced by the Committee.
Under the Section 29 Notice, the appropriate safeguards subject to Section 29 paragraph 3 above may be set forth in the following forms:
(a) A contractual clause that follows the acceptable contractual clause for the transfer of personal data, that is, the contractual clause for personal data protection regarding cross-border transfer which the PDPC determines the data exporter and the data importer shall use to set out the duties and conditions of the parties so that appropriate personal data protection measures are in place;
(b) Certification that the data controller or data processor has appropriate safeguards about the collection, use and disclosure regarding the cross-border transfer, and is in accordance with acceptable standards; or
(c) Requirements for personal data protection measures in instruments or agreements that are legally binding or enforceable between government agencies of Thailand and government agencies of other countries, in the case of a transfer between such government agencies.
(2) Contractual Clause accepted under PDPA
The aforesaid contractual clause that follows the acceptable contractual clause for the transfer of personal data shall meet one of the following requirements.
(I) The contractual clause the parties establish shall contain the details and clauses related to personal data protection as follows:
(a) The collection, use, and disclosure of personal data, including the personal data transfer to a data importer shall be in accordance with the PDPA.
(b) A data exporter and a data importer shall provide security measures meeting the minimum standard according to the PDPA.
(c) In cases where a data importer is a data processor:
(c-1) The data importer shall collect, use, or disclose personal data only pursuant to the instruction given by a data exporter or on behalf of a data exporter and the purpose specified by the data exporter.
(c-2) The data importer shall contact the data exporter at the first possible opportunity if the data subjects request to exercise their rights according to the PDPA unless the data exporter has assigned the data importer to process such request instead of the data exporter.
(c-3) The data importer shall return personal data in accordance with the contractual clause to the data exporter, or erase, destroy or anonymize such personal data by the appropriate means according to the criteria and conditions specified by the data exporter. The data importer shall confirm in writing to the data exporter when such action has been taken.
(c-4) The data importer shall report a personal data breach according to the PDPA to the data exporter without delay and, where feasible, within 72 hours after having become aware of it.
(d) In cases where a data importer is a data controller, the data importer shall notify the data exporter of a personal data breach under the PDPA, if such data exporter is a data controller, without delay and, where feasible, within 72 hours after having become aware of it, unless such personal data breach is unlikely to result in a risk to the rights and freedoms of the Persons.
(e) There must be legal remedies for data subjects, or rights under which data subjects will receive effective legal remedies.
(II) The contractual clause the parties establish follows the laws of foreign countries or international organizations and contains the details and clauses related to personal data protection by using any of the following model contractual clauses:
(a) ASEAN Model Contractual Clauses for Cross-Border Data Flows (MCC)
(b) Standard Contractual Clauses for the Transfer of Personal Data to Third Countries (SCC) of the General Data Protection Regulation (GDPR)
(c) Standard Contractual Clauses for the Transfer of Personal Data of other agencies or international organizations as prescribed by the PDPC
(3) Required details of the contractual clause
The contractual clause under (2)(II) above shall contain the following details of personal data protection.
(a) Measures to notify data subjects of transferring their personal data;
(b) Measures to limit the transfer of personal data to the extent necessary and related to the collection, use and disclosure of personal data only;
(c) Alternative measures for data subjects to exercise their right to cancel the transfer of personal data to third parties or cancel the use of personal data beyond the scope of purposes;
(d) Measures to specify the responsibility of the transfer of personal data in the contractual clause to determine the appropriate personal data protection measures including the protection of the transfer of personal data to third parties;
(e) Security measures for the transfer of personal data to prevent a personal data breach;
(f) Measures to determine the rights to access personal data, to ensure that personal data remains accurate, up-to-date, complete and not misleading, and to delete, destroy or anonymize personal data so that it becomes anonymous data which cannot identify the data subject;
(g) Measures of effective legal remedies, enforcement of laws, and determination of liability arising from the wrongful transfer of personal data.
(4) Amendment of the contractual clause
Where the contractual clause under (2)(II) above is used, the following actions are accepted, provided they are not contrary to the aforementioned principal details of the contractual clause and do not affect the rights and freedom of data subjects:
(a) To refer to applicable laws;
(b) To amend other details in the contractual clause;
(c) To add the appropriate personal data protection measures; or
(d) To amend and add details in non-essential parts.
Authors:
Monchai Varatthan
Shota Sugiura
Marin Viriyapongpanich (Lin)