news
New Regulations for Cross-Border Transfer of Personal Data
29/01/2024
In order to strengthen data protection and privacy measures, Thailand’s Personal Data Protection Committee (PDPC) recently issued new regulations regarding the cross-border transfer of personal data. The regulations will take effect on March 24, 2024, and will make significant changes to the existing framework and introduce a stricter approach to protecting personal data. The new measures aim to align Thailand with international standards to ensure adequate data protection measures, enhance data security and promote responsible data management practices.
Points clés
- When sending personal data abroad the destination country or international organization receiving transferred personal data must meet “adequate data protection standards.”
- two new measures will be used to ensure the secure and compliant transfer of personal data, Binding Corporate Rules (BCRs) and appropriate safeguards.
- Binding Corporate Rules involve the enforcement of approved policies for safeguarding personal data transferred among affiliated businesses or within the same group of undertakings.
- Appropriate safeguards, protect personal data and enforce the rights of data subjects.
- The new measures for the PDPA will come into effect in March 2024
What are the new measures introduced to the Personal Data Protection Act?
As of March 2024, the following new measures relating to the PDPA in Thailand will come into effect.
Adequate Data Protection Standards for International Data Transfers
Under the new regulations, when sending personal data abroad the destination country or international organization receiving transferred personal data must meet “adequate data protection standards.”
To ensure the receiving country or organization satisfies this requirement, several factors are considered, including:
- legal measures and mechanisms,
- the presence of a regulatory authority, and
- the establishment of effective legal remedial measures.
The aim of these requirements is to ensure that data controllers in the receiving country or organization are committed to providing appropriate security measures, implementing personal data protection measures, and enabling the exercise of data subjects’ rights.
The PDPC will also have the authority to refer cases to the PDPC for review, in order to determine whether a destination country or international organization meets the required data protection standards. Additionally, the PDPC can now establish a list of destination countries or international organizations that it considers to have adequate data protection standards.
Creating Binding Corporate Rules and/or Appropriate Safeguards
Under the new measures introduced by the PDPC, two new measures will be used to ensure the secure and compliant transfer of personal data: Binding Corporate Rules (BCRs) and appropriate safeguards.
BCRs involve the enforcement of approved policies for safeguarding personal data transferred among affiliated businesses or within the same group of undertakings. This ensures that data controllers within the organization collectively operate in compliance with data protection laws.
Appropriate safeguards, on the other hand, protect personal data and enforce the rights of data subjects. These safeguards can take various forms, such as standard contractual clauses (SCCs). By implementing SCCs, data controllers establish a foundational framework for establishing legal agreements in relation to cross-border data transfers.
To be deemed effective mechanisms for cross-border data transfer, both BCRs and appropriate safeguards must maintain legal enforceability for all parties. They must also recognize personal data protection, the rights of data subjects, and provide personal data protection measures that comply with all legal requirements.
How can Companies Ensure Compliance with the New PDPA Measures?
Failure to comply with the PDPA can result in significant penalties being placed on the offending company. Therefore, it is essential for businesses to review their data protection strategies, reassess cross-border data transfer practices, and ensure their security measures are up-to-date before the new measures are in place.
To ensure compliance, organizations should consider the following actions:
Review Data Protection Policies: Organizations should review their data protection policies to ensure complaince with the new regulations. This includes assessing the adequacy of existing security measures, revisiting data transfer agreements, and implementing necessary changes.
Implement Binding Corporate Rules: If applicable, organizations should establish and enforce Binding Corporate Rules within their affiliated businesses or group of undertakings. This will ensure consistent data protection practices across the organization and strengthen compliance with the PDPA.
Adopt Appropriate Safeguards: Should the company not have any Binding Corporate Rules, organizations should implement appropriate safeguards, such as standard contractual clauses, to protect the personal data being transferred. These safeguards provide a legal framework for secure cross-border data transfers.
Conduct Data Protection Impact Assessments: Organizations should conduct regular data protection impact assessments to identify and address aby risks associated with cross-border data transfers. This involves evaluating the potential impact on data subjects and implementing measures to minimize any adverse effects.
Establish Data Protection Officer (DPO) Roles: Organizations that meet the criteria for appointing a Data Protection Officer (DPO) should ensure they have appointed individuals to fulfil this role. DPOs are responsible for overseeing data protection practices, ensuring compliance with the PDPA, and serving as a point of contact for data subjects.
Train Employees: It is important to educate employees on data protection practices, their roles and responsibilities, and the importance of complying with the PDPA. Training programs should cover topics such as data handling, security measures, and incident response procedures.
More information about the PDPA
For more information about the PDPA in Thailand, please take a look at these blog posts.
Consent and notification requirements under the PDPA
Comment Belaws peut-il vous aider ?
For more information about the PDPA and how it affects your company, why not talk to one of our experts now?
Veuillez noter que cet article est fourni à titre d'information seulement et ne constitue pas un avis juridique.
Nos consultations durent jusqu'à une heure et sont menées par des juristes experts qui parlent couramment l'anglais, le français et le thaï.
Les consultations peuvent être organisées sur WhatsApp ou sur le Logiciel de Vidéoconférence de votre convenance. Une consultation avec l’un de nos experts juridiques est sans aucun doute le meilleur moyen d’obtenir toutes les informations dont vous avez besoin et de répondre à toutes les questions que vous pourriez avoir sur votre nouvelle entreprise ou votre projet.
150 USD
Jusqu'à 1 heure
Paiement en ligne (Paypal ou carte bancaire)
Les consultations juridiques peuvent être menées en anglais, en français ou en thaï.
Les consultations juridiques sont assurées par des des avocats expérimentés dans les domaines concernés.
Questions fréquemment posées
When do the new regulations for cross-border transfer of personal data in Thailand take effect?
The new regulations will take effect on March 24, 2024.
What are the key measures introduced by the PDPC to strengthen data protection under the PDPA?
The PDPC has introduced measures such as requiring destination countries to meet “adequate data protection standards,” creating Binding Corporate Rules (BCRs), and implementing appropriate safeguards for secure and compliant data transfers.
What factors does the PDPC consider to determine if a destination country meets adequate data protection standards?
The PDPC considers factors such as legal measures, the presence of a regulatory authority, and the establishment of effective legal remedial measures in the destination country.
What are Binding Corporate Rules (BCRs) in the context of the new regulations?
BCRs involve the enforcement of approved policies for safeguarding personal data transferred among affiliated businesses or within the same group of undertakings, ensuring collective compliance with data protection laws.
What are Appropriate Safeguards, and how do they contribute to secure cross-border data transfers?
Appropriate Safeguards, such as standard contractual clauses (SCCs), protect personal data and enforce the rights of data subjects during cross-border data transfers, providing a legal framework for compliance.
What actions should companies take to ensure compliance with the new PDPA measures?
Companies should review data protection policies, implement Binding Corporate Rules or appropriate safeguards, conduct data protection impact assessments, appoint a Data Protection Officer (DPO), and provide training to employees on data protection practices.
Articles connexes
Are you PDPA compliant?
The date for Thailand's Personal Data Protection Act or PDPA coming into full effect has been set for June 1st 2022.
What are the penalties for breaching the PDPA?
Failure to comply with the PDPA could result in civil, criminal, and/or administrative penalties handed to the offending party.
4 new updates to the PDPA announced
On 21 June 2022, the Data Protection Committee published four new updates to the PDPA.
Abonnez-vous aujourd'hui
Abonnez-vous aujourd'hui
À notre newsletter pour les dernières actualités juridiques
en Asie du Sud-Est, les mises à jour de Belaws et
les offres spéciales sur nos services.
To our newsletter today for all the latest legal news in South East Asia,
Belaws updates and special promotions on our services.
Belaws 2017 - 2024.
Belaws ne fournit que des informations et une plateforme technologique. Belaws n'est pas un "service de mise en relation avec des avocats" et ne fournit pas de services juridiques ni ne participe à aucune représentation juridique.
Belaws n'est pas un cabinet d'avocats ou un substitut à un avocat ou un cabinet d'avocats.
