
      On September 14, 2023, Thailand's Personal Data Protection Committee (PDPC) enforced a pivotal notification, effective from December 13, 2023, setting up the criteria for appointing a Data Protection Officer (DPO) under the Personal Data Protection Act B.E. 2562 (PDPA) (the “Notification”).

      DPO Appointment Criteria:

      The primary responsibilities of a Data Protection Officer (DPO) center on monitoring and advising on compliance with the law, and coordinating with the Office of PDPC when there is a case.

      The Notification requires the appointment of a DPO where the core activities of an entity involve the processing of personal data which requires the "regular monitoring of the personal data" on a "large scale" basis. Whether the processing of personal data by the data controller or data processor requires the oversight of a DPO is, therefore, based on the following key criteria:

      Core Activity:
      The processing of personal data is a part of the “core activities”. "Core activities" are those which are necessary and essential for achieving the entity's main business objective or goal, for example, the collection of customers’ information for a logistics business.

      Regular Monitoring:
      The processing of personal data requires “regular monitoring”. "Regular monitoring" occurs where the activities involve tracking, monitoring, analyzing, or predicting individual behavior, or developing a profile, which occurs systematically and regularly in the course of processing personal data, e.g. the processing of personal data of holders of membership cards, credit scoring, insurance premium consideration, fraud prevention, and behavioral advertising.

      Large Scale:
      The processing of personal data is on a “large scale” basis. The determination of “large scale” can involve various factors, such as: the volume, type, or kind of personal data processed; the duration of processing; the number or proportion of data subjects involved; and the scope of processing. Examples include the processing of personal data of 100,000 data subjects or more under the core activity, or for the purpose of behavioral advertising through the search engines or social media used by the subjects.

      Compliance Obligations and Penalties:

      Failure to appoint a DPO is subject to an administrative penalty of up to 1 million baht.

      How can KPMG Law assist you?

      Our dedicated team at KPMG Law is ready to provide expert advice and support on DPO appointment compliance, and other PDPA compliance matters, to help our clients ensure they are conducting business in line with current legislation. For more information, please feel free to contact us.




      Legal News Update Issue 26

      Data Protection Officer (DPO) Appointment in Thailand


      The latest update from KPMG Law

      KPMG Law is comprised of 50 dedicated legal professionals who are qualified across various jurisdictions. We provide an integrated offering spanning our audit and assurance, tax and advisory functions, ensuring we build a deep understanding of your business on the issues that matter.