The Office of the Personal Data Protection Committee (the “PDPA Committee”) published a draft regulation issued under the Personal Data Protection Act (2019) (the “PDPA”) relating to the cross-border transfer of personal data outside of Thailand (the “Draft Regulation”) on its website in September 2022.
Cross-Border Transfer of Personal Data under the Current Provisions of the PDPA
According to Section 28 of the PDPA, a data controller may transfer personal data to a foreign country if the destination country has adequate personal data protection measures in place that meet the adequacy criteria issued by the PDPA Committee. The PDPA Committee will later announce a list of countries that have such measures in place (the “Whitelist Countries”). If the personal data is transferred to a country that is not a Whitelist Country, the transfer may still be conducted if one of the exemptions under Section 28 applies.
Moreover, Section 29 (Paragraphs 1 and 2) of the PDPA provides an alternative method to transfer personal data to a foreign country. It states that the transfer of personal data is permitted within the same group of companies that have established binding corporate rules (the “BCR”) relating to data protection, which must be reviewed and certified by the PDPA Committee pursuant to the regulations issued by the PDPA Committee. If the company has certified BCR, Section 28 no longer applies to the transfer of such personal data.
Under Section 29 (Paragraph 3) of the PDPA, the cross-border transfer of personal data may be carried out in the absence of any Whitelist Countries or certified BCR if the transferor provides appropriate safeguards which enable the enforcement of the data subject’s rights, including effective legal remedial measures according to the regulations issued by the PDPA Committee.
The Draft Regulation, once issued, will supplement the principles of intra-group transfers of personal data outside of Thailand under Section 29 of the PDPA.
Set out below is a summary of the key terms of the Draft Regulation:
- Binding Corporate Rules (BCR)
According to the Draft Regulation, if the BCR are established and have been reviewed and certified by the PDPA Committee, any data controller or data processor may transfer personal data outside of Thailand to any of the companies or entities within its group. The BCR must adhere to the following minimum standards:
- The BCR must be legally binding on, apply to, and be enforced by each company or entity within the group, including the data recipient, data processor and data transferor, and all other members of the group, as well as their employees, staff, or persons involved in the transfer or receipt of personal data within the group;
- The BCR must comply with Thai personal data protection laws;
- The BCR must contain a clause concerning the data subject’s rights under the PDPA and relevant sub-regulations thereof;
- The BCR must contain measures for personal data protection in relation to personnel and processes as well as security measures in accordance with the required technology standards for personal data protection.
- Appropriate Safeguards
As previously stated, a personal data transferor may transfer personal data to a recipient outside of Thailand without establishing the BCR if the transferor provides appropriate safeguards. The Draft Regulation provides the details regarding the appropriate safeguards that the personal data transferor must implement in order to satisfy the requirements under Section 29 (Paragraph 3) of the PDPA.
According to the Draft Regulation, appropriate safeguards may take the form of “standard contractual clauses”, a “code of conduct”, or “certification”. Standard contractual clauses must be filed with the PDPA Committee. The minimum standards applicable to the BCR, as outlined under Binding Corporate Rules above, also apply to appropriate safeguards. Additionally, the appropriate safeguards must meet the minimum requirements for controller-to-controller and controller-to-processor cross-border transfers set out in the annexes of the Draft Regulation, so that the data subject is afforded rights that are enforceable under Thai law, including remedial rights.
The annexes set out the minimum requirements that appropriate safeguards must meet, which are summarized in the Schedule below.
We will continue to monitor updates on this regulation. Should you require further information, please contact the authors or your key contact in our firm.
Minimum Requirements for Appropriate Safeguards
Controller-to-Controller Cross-Border Transfers
(1) Obligations of the transferor of the personal data, as follows:
- To warrant that the processing of personal data complies with the PDPA;
- To use reasonable efforts to determine that the transferee can fulfill its obligations under these requirements;
- To provide information on personal data protection laws to relevant data subjects;
- To respond to data subjects’ or government agencies’ questions regarding the processing of personal data by the transferee; and
- To provide information regarding the rights of data subjects as stipulated in (3).
(2) Obligations of the transferee of the personal data, as follows:
- To implement appropriate security measures in accordance with the minimum standards provided under the PDPA;
- To ensure that third parties that can access personal data have committed to the confidentiality of such personal data;
- To confirm that it has reviewed the relevant laws and is not aware of any legal obstacles that would prevent the transferee from performing its obligation to protect the rights of data subjects under these requirements;
- To process personal data only for the specified purposes;
- To inform the transferor which of its internal divisions are responsible for responding to requests relating to personal data processing;
- To inform the transferor whether it has the financial capacity to comply with these requirements;
- To provide details of devices or tools used to process personal data upon the request of the transferor; and
- To process personal data in compliance with the PDPA.
(3) Liabilities to and rights of the data subject, as follows:
- The transferor and the transferee will be liable for damages to the data subject caused by any breach of these requirements; and
- The transferor and the transferee agree that the data subject has the right (as a third party) to enforce his or her rights against the transferee upon the occurrence of any breach of these requirements.
(4) Any relevant laws that can be enforced consistently with these requirements.
(5) The requirements must be subject to Thai laws.
(6) Dispute resolution with a data subject or a government agency, as follows:
- If a dispute arises between the transferor or transferee and a data subject or a government agency in relation to the processing of personal data, such transferor or transferee must notify the other of, and they must jointly resolve, the dispute; and
- The transferor and transferee agree to resolve any dispute by mediation.
(7) Legal remedies, as follows:
- If the transferee violates the obligations under these requirements, the transferor has the right to temporarily suspend transfers of personal data until such violation is resolved; and
- The transferor has the right to terminate these requirements in the following events:
- the transfer of personal data to the transferee has been suspended for more than 30 days;
- it appears that compliance with these requirements will cause the transferee to breach the legal obligations of its own country;
- the transferee has violated assurances or prescribed duties; or
- the transferee has been ordered to dissolve its business or to file for bankruptcy.
Controller-to-Processor Cross-Border Transfers
(1) Contractual clauses that enable the data subject to enforce his or her rights against the transferor and the transferee.
(2) Obligations of the transferor, as follows:
- To warrant that the processing of personal data complies with the PDPA;
- To warrant that the transferor has instructed the transferee to process the personal data in accordance with the instructions of such transferor;
- To warrant that the transferee will implement appropriate security measures in accordance with the minimum standards provided under the PDPA;
- To warrant that security measures have been implemented to protect the transferred personal data from accidental or unlawful loss, destruction, alteration, unauthorized disclosure of or access to such personal data, especially in the case of transmission of personal data over a network, and to prevent any unlawful processing of personal data;
- To warrant compliance with the data controller’s security measures in accordance with the PDPA;
- To warrant that data subjects will be informed of the transfer of personal data to the destination country or to an international organization receiving the personal data, where the transfer involves personal data under Section 26 of the PDPA (sensitive personal data);
- To send the notification received from the transferee to the PDPA Committee where the transferor decides to continue the transfer of personal data, or to withdraw a termination of the transfer of personal data;
- To send a summary of personal data protection measures and a copy of the service agreement for the sub-data processing to the data subject at his or her request; and
- To send the details of the sub-data processing.
(3) Obligations of the transferee of the personal data, as follows:
- To warrant that personal data will be processed only by the data processor and in line with the instructions of the transferor;
- To warrant that it has reviewed the relevant laws and is not aware of any legal obstacle that would prevent the processing of personal data in accordance with the instructions of the transferor;
- To warrant that appropriate security measures have been implemented in accordance with the minimum standards provided under the PDPA;
- To inform the transferor of any legitimate requests to disclose personal data from government agencies without any delay, to the extent not prohibited by applicable laws;
- To respond to inquiries of the transferor on the processing of such transferred personal data;
- To provide details of devices or tools used to process personal data for review at the request of the transferor;
- To submit a summary of its personal data protection measures and a copy of the service contract for the sub-data processing, with commercial information removed;
- To inform the transferor of any sub-data processing of the personal data and to obtain the transferor’s consent to it; and
- To send a copy of the sub-data processing agreement to the transferor.
(4) Dispute resolution, as follows:
- In the case that the data subject enforces his or her right to claim for compensation or damages from the transferee, the transferee agrees to resolve the dispute by independent mediation or through the organization responsible for personal data protection (if any); and
- Dispute resolution as described above will not affect any claim for damages by data subjects who have rights under Thai law or international laws.
(5) Cooperation with the PDPA Committee, as follows:
- Immediately upon request, the transferor agrees to send a copy of the appropriate safeguards to the PDPA Committee;
- The transferor and transferee agree that the PDPA Committee will have the right to investigate such transferee and its sub-data processor; and
- The transferee must notify the transferor of any regulations that may obstruct the PDPA Committee’s investigation of the transferee or its sub-data processor as mentioned above.
(6) Sub-processing of the personal data, as follows:
- The transferee will only allow sub-processing if the consent of the transferor is obtained; and
- In the case where the consent of the transferor is obtained, the transferee will enter into a written sub-data processing agreement which will require the sub-data processor to be subject to the same obligations as the transferee.
(7) Legal remedies, as follows:
- The transferor and transferee agree that in the event of any damages caused to the data subject by non-performance under these provisions, either by the transferor, transferee, or sub-data processor, such data subject will be able to claim for damages against such transferor;
- In the event that the data subject is not able to claim for damages from the transferor due to the non-performance by the transferee under these provisions, or if the transferor cannot be found or is bankrupt, the data subject may claim compensation from the transferee;
- The transferee will not seek to exclude or limit its liability for non-performance by the sub-data processor; and
- In the event that the data subject is unable to claim for damages against either the transferor or the transferee because they cannot be found or are bankrupt, and the damage was caused by the default of the sub-data processor in relation to the personal data, the data subject may claim for damages from the sub-data processor.