Thailand: PDPA update – Sub-regulation regarding the designation of Data Protection Officers published in the Government Gazette

In brief

Following our previous newsletter, the Notification of the Personal Data Protection Committee re: Designation of a Data Protection Officer under Section 41 (2) of the Personal Data Protection Act B.E. 2562 (2019), B.E. 2566 (2023) ("PDPC Notification re: DPO Designation") was published in the Government Gazette on 14 September 2023. This notification will be effective from 13 December 2023.

While most of the requirements under the PDPC Notification re: DPO Designation remain unchanged from its draft version, the published version specifies a minimum number of data subjects that would trigger the large-scale criteria and the data controller's obligation to designate a data protection officer (DPO).

Businesses that are subject to the Personal Data Protection Act B.E. 2562 (2019) (PDPA) should consider if their processing activities meet the required criteria, designate a DPO, and notify the regulator by 13 December 2023.

Further details can be found below.


In more detail

Background

Under Section 41 (2) of the PDPA, data controllers and data processors would be required to appoint a DPO if their processing activities require regular monitoring of the personal data or the system, by reason of possessing personal data on a large scale as announced by the Personal Data Protection Committee (PDPC).

The PDPC has recently announced the PDPC Notification re: DPO Designation, which was published in the Government Gazette on 14 September 2023 and will become effective from 13 December 2023.

Criteria to designate a DPO

Under the PDPC Notification re: DPO Designation, to determine whether to designate a DPO, the data controller or data processor must consider the following step-by-step criteria:

Step 1: Core activities criteria

The PDPC Notification re: DPO Designation defines "core activities" as any operation that is necessary and significant to achieve the primary objectives or goals of the business. The definition also gives examples of core activities. However, ancillary activities, which are activities that merely support the operation of the business, are not considered core activities.

Step 2: Regular monitoring criteria

The core activities would be considered as requiring regular monitoring of the personal data or system if they involve regular tracking, monitoring, analyzing, and profiling of personal data in a systematic way. The PDPC Notification re: DPO Designation also provides examples of such activities, e.g., membership cards and electronic cards, credit scoring and fraud prevention, insurance premium consideration, behavioral advertising, computer networking services or telecommunications businesses, and surveillance and security services.

Step 3: Large-scale criteria

Various factors must be taken into account when considering whether the core activities involve personal data on a large scale. One of the factors is whether the number of data subjects reaches 100,000 or more. However, there has not yet been any clarification on what type of data subjects would be counted toward the 100,000 data subjects for each company, e.g., whether a corporate client's business contacts would be counted together with end customers or not. Additionally, activities such as behavioral advertising through widely used search engines or social media, normal operations of insurance companies and financial institutions, and telecommunications businesses also trigger the large-scale criteria.

Next steps

Similar to its draft version, the PDPC Notification re: DPO Designation is still silent on the forms and qualifications of the DPO. As such, the data controller or data processor would still have some level of flexibility in designating the DPO. However, the PDPC may issue another sub-regulation prescribing the DPO qualifications at a later stage.

Businesses under the PDPA should consider if they meet any of the criteria to designate a DPO. If so, they must complete the designation process and provide the DPO's information to the data subjects and the Office of the PDPC by 13 December 2023.

For more information, please contact us.


Copyright © 2024 Baker & McKenzie. All rights reserved.