On March 24, 2024, two notifications issued by the Personal Data Protection Committee (PDPC) under Section 28 and Section 29 of the Personal Data Protection Act (PDPA) came into effect. These two notifications set criteria for protection of personal data transferred across borders from Thailand to other countries.

The key points in the notifications are highlighted as follows:

Adequate data protection standards

Subject to the provisions of the PDPA, if personal data is transferred overseas, the destination country or international organization which receives the personal data must have “adequate data protection standards”, the adequacy of which is based on the following factors:

  • the presence of PDPA-compliant legal measures or mechanisms, especially those regulating the duties of the data controller, providing appropriate security measures and personal data protection measures which can be enforced in accordance with the rights of the data subject and effective legal remedies; and
  • the agencies or organizations that have the duty and authority to enforce such laws.

If any doubt arises regarding the adequacy of the data protection standards of the destination country or international organization, the PDPC shall be empowered to make the decision.

Binding corporate rules (BCRs)

Where personal data is transferred from one entity in Thailand to another entity overseas which is an affiliate in the same business, or is in the same group of undertakings, for purposes of jointly operating the business or group of undertakings, and the transfer of personal data takes place on the basis of binding corporate rules (BCRs) which have been reviewed and certified by the PDPC, such transfer of personal data can be conducted without any further requirements.

The PDPC's review and approval of submitted BCRs will be based on the following criteria:

  • validity and legal enforceability of the BCRs in relation to all relevant parties;
  • whether the BCRs are in line with the PDPA, and are legally binding on personnel, related parties, and the transfer and receipt of the personal data;
  • inclusion of adequate provisions ensuring the protection of the personal data, retention of the owner's rights, and a procedure for handling complaints; and
  • compliance of the provisions of the personal data protection measures and security measures with the minimum standards of the PDPA.

Appropriate safeguards

In cases where the PDPC has provided no decision on whether the data protection standards of the destination country or international organization are adequate, or where there are no BCRs in place, transfer of personal data overseas may still be allowed if “appropriate safeguards” are in place and enable enforcement of the rights of the owner, including having effective legal remedies. The “appropriate safeguards” may be in one of the following forms:

  • Standard Contractual Clauses, if the Standard Contractual Clauses meet the requirements of the PDPC, ASEAN Model Contractual Clauses for Cross Border Data Flows, Standard Contractual Clauses for the Transfer of Personal Data to Third Countries issued under Article 46(1), Article 46(2)(c) and Article 28(7) of Regulation (EU) 2016/679 of the European Union or the General Data Protection Regulation (GDPR) or Standard Contractual Clauses of other agencies or international organizations as specified by the PDPC.
  • Certification which provides the appropriate safeguards in accordance with the recognized standards as prescribed by the PDPC.
  • Agreements that are legally binding and enforceable between the government authorities of Thailand and those of other countries.

Compliance obligations and penalties

Failure to comply with the criteria for protection of personal data transferred across borders is subject to an administrative penalty of up to THB5 million.

How can KPMG Law assist you?

Our dedicated team at KPMG Law is ready to provide expert advice and support for compliance with the criteria for protection of personal data transferred across borders, and other PDPA compliance matters, to help our clients ensure that they are conducting business in line with current legislation. For more information, please feel free to contact us.

  

  
