New Regulations for Cross-Border Transfer of Personal Data
29/01/2024
In order to strengthen data protection and privacy measures, Thailand’s Personal Data Protection Committee (PDPC) recently issued new regulations regarding the cross-border transfer of personal data. The regulations will take effect on March 24, 2024, and will make significant changes to the existing framework and introduce a stricter approach to protecting personal data. The new measures aim to align Thailand with international standards to ensure adequate data protection measures, enhance data security and promote responsible data management practices.
Key points
- When sending personal data abroad, the destination country or international organization receiving transferred personal data must meet “adequate data protection standards.”
- Two new measures will be used to ensure the secure and compliant transfer of personal data: Binding Corporate Rules (BCRs) and appropriate safeguards.
- Binding Corporate Rules involve the enforcement of approved policies for safeguarding personal data transferred among affiliated businesses or within the same group of undertakings.
- Appropriate safeguards protect personal data and enforce the rights of data subjects.
- The new measures for the PDPA will come into effect in March 2024.
What are the new measures introduced to the Personal Data Protection Act?
As of March 2024, the following new measures relating to the PDPA in Thailand will come into effect.
Adequate Data Protection Standards for International Data Transfers
Under the new regulations, when sending personal data abroad, the destination country or international organization receiving transferred personal data must meet “adequate data protection standards.”
To ensure the receiving country or organization satisfies this requirement, several factors are considered, including:
- legal measures and mechanisms,
- the presence of a regulatory authority, and
- the establishment of effective legal remedial measures.
The aim of these requirements is to ensure that data controllers in the receiving country or organization are committed to providing appropriate security measures, implementing personal data protection measures, and enabling the exercise of data subjects’ rights.
The PDPC will also have the authority to refer cases to the PDPC for review, in order to determine whether a destination country or international organization meets the required data protection standards. Additionally, the PDPC can now establish a list of destination countries or international organizations that it considers to have adequate data protection standards.
Creating Binding Corporate Rules and/or Appropriate Safeguards
Under the new measures introduced by the PDPC, two new measures will be used to ensure the secure and compliant transfer of personal data: Binding Corporate Rules (BCRs) and appropriate safeguards.
BCRs involve the enforcement of approved policies for safeguarding personal data transferred among affiliated businesses or within the same group of undertakings. This ensures that data controllers within the organization collectively operate in compliance with data protection laws.
Appropriate safeguards, on the other hand, protect personal data and enforce the rights of data subjects. These safeguards can take various forms, such as standard contractual clauses (SCCs). By implementing SCCs, data controllers put in place a foundational framework for legal agreements governing cross-border data transfers.
To be deemed effective mechanisms for cross-border data transfer, both BCRs and appropriate safeguards must maintain legal enforceability for all parties. They must also recognize personal data protection and the rights of data subjects, and provide personal data protection measures that comply with all legal requirements.
How can Companies Ensure Compliance with the New PDPA Measures?
Failure to comply with the PDPA can result in significant penalties for the offending company. Therefore, it is essential for businesses to review their data protection strategies, reassess cross-border data transfer practices, and ensure their security measures are up to date before the new measures are in place.
To ensure compliance, organizations should consider the following actions:
Review Data Protection Policies: Organizations should review their data protection policies to ensure compliance with the new regulations. This includes assessing the adequacy of existing security measures, revisiting data transfer agreements, and implementing necessary changes.
Implement Binding Corporate Rules: If applicable, organizations should establish and enforce Binding Corporate Rules within their affiliated businesses or group of undertakings. This will ensure consistent data protection practices across the organization and strengthen compliance with the PDPA.
Adopt Appropriate Safeguards: Organizations that do not have any Binding Corporate Rules should implement appropriate safeguards, such as standard contractual clauses, to protect the personal data being transferred. These safeguards provide a legal framework for secure cross-border data transfers.
Conduct Data Protection Impact Assessments: Organizations should conduct regular data protection impact assessments to identify and address any risks associated with cross-border data transfers. This involves evaluating the potential impact on data subjects and implementing measures to minimize any adverse effects.
Establish Data Protection Officer (DPO) Roles: Organizations that meet the criteria for appointing a Data Protection Officer (DPO) should ensure they have appointed individuals to fulfil this role. DPOs are responsible for overseeing data protection practices, ensuring compliance with the PDPA, and serving as a point of contact for data subjects.
Train Employees: It is important to educate employees on data protection practices, their roles and responsibilities, and the importance of complying with the PDPA. Training programs should cover topics such as data handling, security measures, and incident response procedures.
Please note that this article is for information purposes only and does not constitute legal advice.
Frequently asked questions
When do the new regulations for cross-border transfer of personal data in Thailand take effect?
The new regulations will take effect on March 24, 2024.
What are the key measures introduced by the PDPC to strengthen data protection under the PDPA?
The PDPC has introduced measures such as requiring destination countries to meet “adequate data protection standards,” creating Binding Corporate Rules (BCRs), and implementing appropriate safeguards for secure and compliant data transfers.
What factors does the PDPC consider to determine if a destination country meets adequate data protection standards?
The PDPC considers factors such as legal measures, the presence of a regulatory authority, and the establishment of effective legal remedial measures in the destination country.
What are Binding Corporate Rules (BCRs) in the context of the new regulations?
BCRs involve the enforcement of approved policies for safeguarding personal data transferred among affiliated businesses or within the same group of undertakings, ensuring collective compliance with data protection laws.
What are Appropriate Safeguards, and how do they contribute to secure cross-border data transfers?
Appropriate Safeguards, such as standard contractual clauses (SCCs), protect personal data and enforce the rights of data subjects during cross-border data transfers, providing a legal framework for compliance.
What actions should companies take to ensure compliance with the new PDPA measures?
Companies should review data protection policies, implement Binding Corporate Rules or appropriate safeguards, conduct data protection impact assessments, appoint a Data Protection Officer (DPO), and provide training to employees on data protection practices.