Thailand’s Personal Data Protection Act B.E. 2562 (the “PDPA”) was announced and published in the Royal Thai Government Gazette on 27 May 2019, and became effective in June 2022. Similar to the GDPR, the PDPA sets out various data protection regulations, stipulates compliance liabilities, and puts in place effective remedial measures for data subjects whose rights to protection of personal data are violated. Subsequently, Thailand’s Personal Data Protection Committee (the “PDPC”) was established to supervise and regulate the PDPA. As a result, the PDPC regularly releases sub-regulations to provide clarity on the PDPA’s existing principles and requirements. This is particularly important for organisations to adhere to, as these sub-regulations provide new criteria and requirements under the obligations laid out in the PDPA.
General PDPC’s Notification Updates
As of April 2024, there are several updates from the PDPC. The Notifications are summarised as follows:
Notable PDPC Notification Update - DPO
Among the aforesaid updates, it is crucial to highlight the significance of the Notification on the Appointment of Data Protection Officers under Article 41 (2) of the PDPA (“Notable Notification”). This notification imposes obligations on specific entities to appoint and duly notify the appointed Data Protection Officer (“DPO”) to the PDPC. Failure to adhere to these requirements could result in significant penalties.
I. Requirements under the PDPA
According to Section 41 of the PDPA, the Data Controller or the Data Processor shall designate and appoint a DPO in the following circumstances:
(1) The Data Controller or the Data Processor is a public authority as prescribed and announced by the PDPC; OR
(2) The activities of the Data Controller or the Data Processor in the collection, use, or disclosure of the Personal Data require a regular monitoring of the Personal Data or the system, by the reason of having a large scale of Personal Data as prescribed and announced by the PDPC; OR
(3) The core activity of the Data Controller or the Data Processor is the collection, use, or disclosure of the sensitive Personal Data.
The aim of this Notable Notification is to provide clarity on Article 41(2) of the PDPA by specifying the criteria for cases where the core activities of the Data Controller or the Data Processor consist of the collection, use, or disclosure of Personal Data which (A) requires regular or systematic monitoring of personal data and systems; and (B) relates to a large scale of Personal Data.
Therefore, we have outlined the criteria stipulated under the Notable Notification below.
II. Determination of Regular Monitoring (or Systematic Monitoring) & Large Scale of Personal Data under the Notable Notification
A. Regular monitoring (or systematic monitoring)
Pursuant to Article 5 of the Notification, the following cases shall be deemed as the cases that require regular monitoring of Personal Data, including the collection, use and disclosure of Personal Data:
(1) in relation to membership cards or electronic cards that allow a card service provider to track the activities of the card’s holder;
(2) before entering into contracts or providing services for risk prevention, i.e. credit scoring or fraud prevention;
(3) for the purpose of behavioural advertising;
(4) by internet service providers or telecom companies;
(5) for security purposes; and
(6) other criteria as prescribed by the PDPC.
B. A large scale of Personal Data
Article 6 of the Notification prescribes the following criteria for determining whether personal data is on a large scale:
(1) The number of data subjects involved, or the ratio of data subjects whose personal data are collected, used or disclosed to all potential data subjects;
(2) The scale, type or characteristics of the Personal Data being collected, used, or disclosed;
(3) Duration or permanence of the collected, used or disclosed Personal Data for the purpose of core activities; and
(4) The scope of use of the Personal Data by the organization or size of the area or the number of countries related to the collection, use or disclosure of the Personal Data.
Moreover, the Notable Notification mainly focuses on cases where the core activities of the Data Controller or the Data Processor consist of processing operations which require regular or systematic monitoring of personal data on a large scale, with the following details:
(1) Involving more than 100,000 data subjects;
(2) For the purpose of behavioral advertising via search engine or social media;
(3) Carried out by an insurance company under life or non-life insurance laws, or by a financial institution under financial institution business laws;
(4) Carried out by a type 3 telecommunication licensee under telecommunication laws; and
(5) Other criteria as prescribed by the PDPC.
III. Penalty
Failure to appoint a DPO carries significant consequences, including potential administrative penalties of up to 1 million baht, as outlined in Section 82 of the PDPA. Therefore, it is essential to understand and comply with these regulations to avoid such penalties and to ensure the protection of personal data within your organization.
The Notable Notification has provided a clearer guideline to assist entities in determining whether they need to appoint a DPO. Even so, navigating the complexities of whether your entity needs to appoint a DPO can be daunting. Should you find yourself in need of clarity or assistance throughout this process, please do not hesitate to reach out to:
Mr. Bunnasomboon Chaiparinya (Aaron), Partner / Head of Corporate Department, [email protected]
Ms. Kenika Srimanchantha, Associate, [email protected]