Personal Data Protection Committee Establishes Criteria for Appointment of Data Protection Officer

On 14 September 2023, Thailand's Personal Data Protection Committee ("PDPC") issued a notification establishing the criteria for the appointment of a data protection officer ("DPO") for data controllers and data processors ("Notification"), enlarging the DPO requirements prescribed under section 41(2) of the Personal Data Protection Act B.E. 2562 (2019) ("PDPA"). The Notification will become effective from 13 December 2023, meaning a DPO must be appointed by the effective date.

Criteria for Appointing a DPO

Under the Notification, data controllers and data processors are required to appoint a DPO when their processing activities, which are part of their core activities, require the regular monitoring of personal data or systems by reason of having personal data on a large scale. Whether data controllers and data processors are required to appoint a DPO will be determined based on the following criteria:

1. The processing activities are part of their core activities.

In brief, "core activities" means activities that are necessary and important so as to achieve the main objectives or goals in the business operation or mission of data controllers or data processors, but exclude supplementary activities which only support the operation of the data controller or the data processor, such as activities supporting human resources and information technology.


2. The processing activities require regular monitoring of personal data or systems.

Processing activities will be deemed as requiring the regular monitoring of personal data or systems when they involve tracking, monitoring, analysing, or forecasting behaviour, attitudes, or profiling, and typically involve a systematic and regular collection, use, or disclosure of personal data.

Examples of such activities include data processing relating to the utilisation of membership cards, public transport cards, electronic cards, credit scoring, consideration of insurance premiums, fraud prevention, data processing for behavioural advertising, data processing of customers or service receivers by computer network service providers or telecommunications business operators, and data processing for security surveillance of places.


3. The processing activities involve personal data on a large scale.

Whether a data controller or data processor has personal data on a "large scale" will be determined by many factors, such as the number of data subjects concerned, and the amount, category, or nature of personal data that has been collected, used, or disclosed. One of the key considerations is that collecting personal data from 100,000 data subjects or more will be deemed as having personal data on a large scale.

Interesting Note

Pursuant to section 41, paragraph 5 of the PDPA, once a DPO has been appointed, the data controllers and data processors are required to notify the PDPC office and data subjects of the details of the DPO including his/her contact details and contact address. However, the Notification does not set out a specified form, procedures or timeline for reporting to the PDPC office. We expect that a further notification relevant to this matter will soon be issued given such reporting requirements prescribed in the PDPA.