Rajah & Tann Regional Round-Up
your snapshot of key legal developments in Asia
Issue 3 - Jul/Aug/Sep 2023
 

Personal Data Protection Committee Establishes Criteria for Appointment of Data Protection Officer

On 14 September 2023, Thailand's Personal Data Protection Committee ("PDPC") issued a notification establishing the criteria for the appointment of a data protection officer ("DPO") for data controllers and data processors ("Notification"), enlarging the DPO requirements prescribed under section 41(2) of the Personal Data Protection Act B.E. 2562 (2019) ("PDPA"). The Notification will become effective from 13 December 2023, meaning a DPO must be appointed by the effective date.


Criteria for Appointing a DPO


Under the Notification, data controllers and data processors are required to appoint a DPO when their processing activities, which are part of their core activities, require the regular monitoring of personal data or systems by reason of having personal data on a large scale. Whether data controllers and data processors are required to appoint a DPO will be determined based on the following criteria:


  1. The processing activities are part of their core activities.

  2. In brief, "core activities" means activities that are necessary and important so as to achieve the main objectives or goals in the business operation or mission of data controllers or data processors, but exclude supplementary activities which only support the operation of the data controller or the data processor, such as activities supporting human resources and information technology.

  3. The processing activities require regular monitoring of personal data or systems.

  4. Processing activities will be deemed as requiring the regular monitoring of personal data or systems when they involve tracking, monitoring, analysing, or forecasting behaviour, attitudes, or profiling, and typically involve a systematic and regular collection, use, or disclosure of personal data.

    Examples of such activities include data processing relating to the utilisation of membership cards, public transport cards, electronic cards, credit scoring, consideration of insurance premiums, fraud prevention, data processing for behavioural advertising, data processing of customers or service receivers by computer network service providers or telecommunications business operators, and data processing for security surveillance of places.

  5. The processing activities involve personal data on a large scale.

  6. Whether a data controller or data processor has personal data on a "large scale" will be determined by many factors, such as the number of data subjects concerned, and the amount, category, or nature of personal data that has been collected, used, or disclosed. One of the key considerations is that collecting personal data from 100,000 data subjects or more will be deemed as having personal data on a large scale.


Interesting Note


Pursuant to section 41, paragraph 5 of the PDPA, once a DPO has been appointed, the data controllers and data processors are required to notify the PDPC office and data subjects of the details of the DPO including his/her contact details and contact address. However, the Notification does not set out a specified form, procedures or timeline for reporting to the PDPC office. We expect that a further notification relevant to this matter will soon be issued given such reporting requirements prescribed in the PDPA.




Please note that whilst the information in this Update is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as a substitute for specific professional advice.

 

R&T Asia (Thailand)
973 President Tower, 12th Floor,
Units 12A - 12F , Ploenchit Road, Lumpini,
Pathumwan, Bangkok 10330, Thailand
http://th.rajahtannasia.com


Contacts:

Surasak Vajasit
Managing Partner
D +66 2656 1991
F +66 2656 0833
surasak.v@rajahtann.com

Melisa Uremovic
Deputy Managing Partner
D +66 2264 5055
F +66 2264 5057
melisa.u@rajahtann.com

Krida Phoonwathu
Partner
D +66 2656 1991
F +66 2264 5057
krida.phoonwathu@rajahtann.com

Nattarat Boonyatap
Partner
D +66 2656 1991
F +66 2264 5057
nattarat.boonyatap@rajahtann.com

Piroon Saengpakdee
Partner
D +66 2264 5055
F +66 2264 5057
Piroon.s@rajahtann.com

Rajah & Tann Asia is a network of legal practices based in Asia.

Member firms are independently constituted and regulated in accordance with relevant local legal requirements. Services provided by a member firm are governed by the terms of engagement between the member firm and the client.

This update is solely intended to provide general information and does not provide any advice or create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on this update.