Law Update – New Personal Data Protection Regulation – Data Protection Officer (DPO)

In Thailand the Personal Data Protection Act (the “PDPA”) has been in effect since 1 June 2022 and several subsequent clarifying notifications have since been issued by the Personal Data Protection Committee (“PDP Committee”) regarding preparation, maintenance, and security of personal data records.

However, in 2023 another notification has been issued by the PDP Committee concerning the Data Protection Officer or DPO requirement, which is to be effective this December 2023.

To sum up, Section 41 of the PDPA requires designated Data Controllers and Data Processors to designate a Data Protection Officer (DPO) to coordinate and oversee several activities to be conducted by Data Controllers and Data Processors, as applicable.

The new 2023 notification clarifies what criteria determine whether a particular Data Controller or Data Processor must designate a DPO.

The general criteria is whether there is a requirement to regularly or systematically monitor or process personal data and whether there is a large scale of personal data being collected and processed.  The new 2023 notification from the PDP Committee provides some more clarity on these two factors to determine whether a DPO is required to be designated by the Data Controller or Data Processor and informed to the authorities.

The following is a summarized table to highlight such clarification from the latest 2023 notification issued by the PDP Committee under the authority of the PDPA:

The Data Controller or The Data Processor Core activities must contain both of the following elements (1+2)

1.   requires regular or systemic monitoring of personal data by tracking, monitoring, analyzing, predicting, or profiling with regular, systematic collection, use, or disclosure of personal data, including but not limited to the following purposes:

1.1  Membership cards, Public Transport cards, or other electronic cards;

1.2  Credit Scoring or fraud prevention (not including process regulated under the credit bureau regulations);

1.3  Behavioral advertising;

1.4  As clients of computer systems or telecommunication system service providers,

1.5  Surveillance and safety of premises

AND

2.   having a large scale of personal data

based on the following factors:

2.1  Number of data subjects involved;

2.2  Quantity, type and nature of personal data;

2.3  Duration and permanence of processing or core activities which disclose personal data; and

2.4  Scope of use of such personal data (by the region or number of countries concerned).

 The following specific circumstances are  automatically considered as having large-scale personal data processing:

a)    Numbers of data subjects involved are more than 100,000 persons.

b)    if the purposes of data collection or processing are for conduct of behavioral advertising via search engines or social media,

c)     if the purposes of data collection or processing are for the operation of insurance or financial businesses; or

d)    if the purposes of data collection or processing are for the personal data of customers/clients by the Licensees with Type 3 Telecommunication License.

must designate a data protection officer and inform the authorities

The designated (and reported) DPO required under the above threshold criteria would have several specific duties and responsibilities under the PDPA. Please let us know if your company wishes to learn more details of the DPO duties or needs any assistance in notifying the relevant authorities of the appointment of a DPO.

If you have questions, please feel free to contact us at psl@pricesanond.com.

All rights reserved © Copyright Price Sanond Limited

 This update is written for general information only. It does not constitute advice, and consultation with professional advisors is recommended.