Under section 28 of the Thailand Personal Data Protection Act 2019, personal data may not be transferred outside of the Kingdom of Thailand unless the country that is receiving the data has adopted in law data protection standards that match or better those of the PDPA. Section 29 of the PDPA states that multi-national data controllers or processors that are in the Kingdom of Thailand who transfer data to other legal entities within the same business who have put in place a group-wide data protection policy
Thailand’s new PDPA international transfer requirements
Now that Thailand’s new international transfer requirements are in place, how are entities going to ensure that there are no legal problems down the line? It is the responsibility of the data controller and processor to establish a data protection policy and implement a group-wide data protection management system that will ensure compliance. In cases where a company’s operations are in multiple countries, the company must establish a group-wide data protection policy with a single purpose. In this case, the policy must make every effort to include all data that was processed in the same country and must request authorization from the individual country where the entity wants to transfer the data.
What is the PDPA?
This article will outline the key developments, including the drafting and enactment of Thailand’s own personal data protection bill, the statute, and the specific enforcement provisions associated with Thailand’s Data Protection Act, 2015 and the upcoming new PDPA provisions. Introduced into Thailand’s parliament on 25 July 2015, the PDPA received royal approval in November 2017, was signed by Her Royal Highness Princess Maha Chakri Sirindhorn on 8 June 2018, and was published in the Royal Gazette on 27th May 2019.
On May 5th, 2021, the Minister of the Ministry of Digital Economy and Society (MDES) announced that the Thai Cabinet had approved a postponement of the enforcement of the Thailand Personal Data Protection Act B.E. 2562 (2019) (PDPA) to June 1, 2022. Due to the Covid-19 pandemic, businesses in Thailand and international locations covered by the PDPA were facing mounting challenges to meet the June 1st, 2021 deadline. We estimate that as many as 76% of organisations would not have been compliant on that date. Now that the date has been further delayed to 2022, both the ministry and all covered organisations have time to plan well in advance and ensure that they are ready and have achieved compliance by 1st June 2022. The PDPA is the Thai law on personal data, established to harmonise Thai personal data laws with the European Union’s (EU) General Data Protection Regulation (GDPR), which entered into force in May 2018.
PDPA and the GDPR
The Personal Data Protection Act is being compared to the General Data Protection Regulation (GDPR) because the PDPA represents the first comprehensive law for data protection in Thailand. The GDPR is the European Union’s data protection law. However, Thailand was ahead of the EU when it passed its data protection law and the GDPR will supersede the PDPA as of 25 May 2019. The GDPR applies to all EU residents regardless of where they live. The PDPA, as of 25 May 2019, applies only to Thai residents unless the entity offering the personal data (VCP) is located outside the Kingdom of Thailand. To export data outside the PDPA, you must certify to the PDPA that the VCP applies to Thai citizens. What personal data does Thailand share with the EU?
Transferring Data to Non-PDPA Countries
Transferring personal data outside of the Kingdom of Thailand must be either on an individual basis or a business group-wide basis. Personal data is transferred only if it is necessary for the processing of personal data.
The PDPA is only effective if it is implemented. We can’t legislate in the absence of a framework. We can, however, encourage and support companies to adopt a data protection policy, to develop a training program for employees and to promote data protection awareness. Remember that data protection and security have to be both voluntary and mandatory. While it is admirable to hear of companies who are taking these steps, I would encourage businesses to do more. I would like to see them encourage their employees to talk to their customers about data protection, hold privacy training for employees, ensure they comply with the PDPA and communicate their efforts to the general public.