On 25 December 2023, the Personal Data Protection Committee (PDPC) published two notifications (Notifications) detailing regulations for cross-border transfers of personal data under Sections 28 and 29 of the Personal Data Protection Act B.E. 2562 (2019) (PDPA). These Notifications are the Adequacy Country Notification and the Appropriate Safeguard Notification, respectively.
In summary, the Adequacy Country Notification establishes guidelines for determining whether a destination country or international organisation (Destinations) meets the standards for receiving personal data transfers. This assessment contains two crucial factors: (1) the alignment of the Destination’s legal safeguards with the PDPA (particularly regarding security measures, data subject rights, and legal remedies) and (2) the existence of a competent and independent regulatory body to enforce its data protection laws. Additionally, the PDPC has the power to establish a list of approved Destinations and retains the authority to make case-by-case decisions for other Destinations as applicable.
On the other hand, the Appropriate Safeguard Notification permits the transfer of personal data to Destinations without having to comply with the Adequacy Country Notification, provided that the transferee is affiliated with the transferor. This can be done by establishing binding corporate rules (BCRs), which are internal policies safeguarding data transfers within affiliated businesses or groups. However, these BCRs are required to be approved by the PDPC prior to their implementation.
Additionally, when personal data must be transferred to Destinations that do not meet the standards for receiving personal data transfers, and the transfer is neither covered by BCRs nor within the limited exemptions, the Appropriate Safeguard Notification mandates that transferors establish appropriate safeguards, such as Standard Contractual Clauses (SCCs) or certifications, to transfer the personal data to such Destinations.
Therefore, it could be said that both the Adequacy Country Notification and the Appropriate Safeguard Notification mainly replicate the concept of the cross-border transfer of personal data from the General Data Protection Regulation.
Failure to comply with the Notifications could result in an administrative fine of up to THB 5,000,000. In limited circumstances, criminal penalties may also apply, including imprisonment for up to one year and/or a fine not exceeding THB 1,000,000.
The Notifications will take effect on 24 March 2024.
What is next?
Business operators engaging in cross-border personal data transfers should verify whether their Destinations meet the standards for receiving such transfers by submitting an inquiry to the PDPC. If the Destinations do not meet the standards and they cannot rely on a limited exemption, business operators must promptly establish BCRs to be approved by the PDPC or proceed with other appropriate safeguards as may be applicable on a case-by-case basis.