Thailand provides clarity on when a DPO must be appointed

APAC

The Thailand Personal Data Protection Committee (“PDPC”) released the Notification on the Appointment of Data Protection Officers (“Notification”) which took effect from 13 December 2023.

The Notification provides clarity on when data controllers and data processors are required to appoint a data protection officer (“DPO”) pursuant to section 41(2) of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”).

Section 41(2) of the PDPA mandates the appointment of a DPO when the activities of the data controller or the data processor in the collection, use, or disclosure of personal data require or involve the following:

  • regular monitoring of the personal data or the system (“Regular Monitoring”); and
  • processing of a large amount of personal data (“Large-Scale Processing”).

Key Articles of the Notification are as follows:

1. Definition and Examples of Core Activities: Only core activities, or activities forming part of a core activity, are relevant under section 41(2) of the PDPA. Core activities are defined as actions that are necessary and important in achieving the main objectives, goals or operations of the data controller or data processor (Article 3). Prescribed examples of such necessary and important activities include:

  1. Recording customer service information to provide freight forwarding services.
  2. Collecting, using or disclosing information from CCTV cameras to provide security services.

Conversely, activities such as personnel and information technology (IT) support work conducted in conjunction with the aforementioned services would not constitute necessary and important activities.

2. Prescribed Core Activities requiring Regular Monitoring: If a core activity, or an activity forming part of one, involves tracking, monitoring, analysing or profiling (for example, predicting behaviours, attitudes or individual characteristics), it requires Regular Monitoring (Article 5 Paragraph 1). Additionally, prescribed examples of core activities that require Regular Monitoring include (Article 5 Paragraph 2):

  1. Collecting, using or disclosing personal data regarding the use of membership cards, public transportation cards, or any other similar card where card usage information is tracked and accessible to the card holder or any other individual.
  2. Collecting, using or disclosing personal data on a regular basis that requires examination of an individual’s status, history or qualifications for risk assessment prior to entering into a contract with, or providing services to, that individual. This includes credit scoring, assessment of insurance premiums and fraud prevention. It excludes the processing of company, credit or member information pursuant to the laws governing credit information businesses.
  3. Collecting, using or disclosing personal data for behavioural advertising.
  4. Collecting, using or disclosing the personal data of customers or service recipients by computer network service providers or telecommunications operators.
  5. Collecting, using or disclosing personal data for surveillance and security purposes.
  6. Any other case as prescribed by the PDPC.

3. General determination of Large-Scale Processing: The following factors assist in determining whether the activities of the data controller or the data processor involve Large-Scale Processing (Article 6 Paragraph 1):

  1. The number or proportion of data subjects whose personal data is collected, used or disclosed.
  2. The quantity, type or nature of the personal data that is collected, used or disclosed.
  3. The duration of the collection, use or disclosure of the personal data.
  4. The scope of the organisation’s use of personal data, or the size of the area or number of countries involved in the collection, use or disclosure of personal data.

4. Specific determination of Large-Scale Processing: Regardless of the factors provided under Article 6 Paragraph 1 of the Notification, the following forms of processing will amount to Large-Scale Processing (Article 6 Paragraph 2):

  1. More than 100,000 data subjects are involved.
  2. Behavioural advertising through widely used search engines or social media.
  3. The collection, use or disclosure is carried out by an insurance company in accordance with life insurance laws, casualty insurance laws, and laws governing financial institution businesses (excluding laws governing credit information businesses).
  4. The collection, use or disclosure is carried out by a type 3 telecommunications licensee.
  5. Any other case as prescribed by the PDPC.

On 6 December 2023, the PDPC released two notification forms (“Forms”). The Forms assist data controllers and data processors in determining whether they are required to appoint a DPO pursuant to section 41(2) of the PDPA and the Notification. The Forms include:

  1. An assessment form or checklist for the appointment of a DPO under section 41(2) of the PDPA.
  2. A notification form for the appointment of a DPO under section 41 of the PDPA (“Notification Form”).

Other instances where data controllers and/or data processors must appoint a DPO under section 41 of the PDPA include the following:

  • The data controller or data processor is a public authority as prescribed and announced by the PDPC.
  • The core activity of the data controller or data processor is the collection, use or disclosure of personal data pursuant to section 26 of the PDPA (collection of personal data that requires explicit consent from the data subject).

Since the Notification is already in effect, data controllers or data processors that are involved in such processing or core activities should review their activities to determine whether they are required to appoint a DPO and, if so, proceed to make the appointment using the Notification Form. Data controllers or data processors that are required to appoint a DPO should hold documents or evidence (such as an order or letter) supporting the appointment of the relevant DPO. Furthermore, if the appointed DPO also performs other duties or responsibilities, the appointing data controller or data processor must undertake that those duties and/or responsibilities are not contrary to or inconsistent with the duties of a DPO under the PDPA.


Please get in touch with us if you wish to understand any of the above in more detail, or the practical implications of the PDPA, the Notification or the Forms for your business.

The information provided above does not, and is not intended to, constitute legal advice pertaining to the Notification or the PDPA; the information, content and materials set out above are based on our reading of the legislation and are for general informational purposes only.