Thailand’s Office of the Personal Data Protection Committee (PDPC) has opened a public hearing period on its draft notification regarding cross-border transfer of personal data. The public hearing is open through October 24. The notification, once issued, will supplement the principle of cross-border transfer of personal data outside of Thailand set out in the Personal Data Protection Act (PDPA). The notification sets out the following key matters: Definitions “Transfer of personal data” means any sending or transferring of personal data by a transferor of personal data, either by way of a physical transfer or a remote transfer through a computer system or an internet network to the recipient of the personal data. It does not include sending personal data through an intermediary by transiting between computer systems or internet networks, or any storing or retaining of personal data, either permanently or temporarily, by a cloud computing service provider, whereby the personal data transferor and the personal data recipient (1) are not making the order, (2) are not involved with any data selection or the content of the personal data sent and received through the computer systems or internet networks, or (3) have the purpose of entering into an agreement or any juristic act. “Binding corporate rules” means the agreed terms or policy on personal data protection made between the personal data transferor and the personal data recipient to establish appropriate measures for safeguarding personal data within a group of corporations or companies. “Standard contractual clauses” means the contractual terms made between the personal data transferor and the personal data recipient to establish appropriate measures for safeguarding personal data. “Code of conduct” means a code that sets out the obligations of a personal data transferor and a personal data recipient outside of Thailand. “Certification” means an undertaking in relation to

Thailand’s Personal Data Protection Committee (PDPC) has released separate guidelines for data controllers to follow in obtaining data subjects’ consent and notifying data subjects of required information (i.e., regarding collection, use, or disclosure of their personal data). By following the guidelines, data controllers can mitigate the risk of violating the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The Guidelines on Obtaining Consent from the Data Subject according to the PDPA and the Guidelines on Notification of Purposes and Details upon the Collection of Personal Data from the Data Subject according to the PDPA were issued on September 7, 2022. Consent Guidelines The PDPC’s guidelines on obtaining consent list the requirements for consent to be considered valid. These requirements include stipulations on timing of requests, elements that need to be included in requests, and the nature of requests. For instance, consent must be obtained before or at the time of obtaining personal data, and data subjects must be informed of both the purposes and details of the personal data handling, among other specific requirements. In turn, there must be a clear affirmative act of the data subject in giving consent. Obtaining consent from minors is subject to more stringent requirements, and data controllers should implement appropriate identification and age-verification measures when collecting personal data about minors. The guidelines give two sets of requirements, depending on the age of the minor—between 10 and 20, and under 10. In general, with the older age group, parental consent is not required in all circumstances, while for the younger age group, parental consent is compulsory for giving consent on behalf of the minor. For a person deemed to be “incompetent” or “quasi-incompetent,” consent must always be given by the legal guardian. Notification Guidelines The guidelines on notifying data subjects when collecting personal data

Tilleke & Gibbins’ insurance specialists in Cambodia, Laos, Myanmar, Thailand, and Vietnam have contributed to the Subrogated Recoveries – Asia Pacific guide produced by RPC Premier Law Firm. The guide addresses how insurers can recover indemnifiable losses. For each jurisdiction in the Asia Pacific region, the guide addresses the following topics: Local legal framework on subrogation; Insurers’ right to subrogate; Investigations prior to subrogated proceedings; Limitation period for subrogated action; Responsibility for costs in subrogated action; Enforcement of judgements for insurers; and Subrogated actions against co-insured parties. The Subrogated Recoveries – Asia Pacific guide is available below.

Thailand’s Personal Data Protection Committee (PDPC) has issued a regulation establishing procedures for filing and processing data subjects’ complaints under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The Regulation Re: Complaint Filing, Rejection, Termination, Consideration, and the Period for the Consideration of the Complaint B.E. 2565 (2022) was issued in July 2022 and took effect on July 12, 2022. The PDPA entitles data subjects to file complaints against data controllers, data processors, and employees or service providers of either whose operations fail to comply with the PDPA. This article lays out the various requirements and procedures for the filing and processing of such a complaint. Complaint Submission The body designated by the PDPA to be responsible for handling complaints and imposing administrative penalties is called the “Expert Committee.” Data subjects who would like to make a complaint can submit it to the Expert Committee directly at the Office of PDPC, send it to the office by post, or submit the complaint electronically. The written or electronic complaint must use clear, plain, polite, and appropriate language, and must not give an impression of being directly or indirectly extorting or intimidating. The complaint must include at least the following information: Name, address, and telephone number or email address of the complainant (or an authorized representative), together with identification card, passport, or other official identification document (plus a power of attorney if submitted by a representative); Details and facts of the noncompliance with or violation of the PDPA; Details of resulting damages or impact; Supporting evidence (e.g., documentary evidence, physical evidence, witness statements); and Action desired of the offender. The complaint must include a statement certifying its veracity, and must be signed by the complainant or the authorized representative. Complaint Consideration When a complaint is submitted, the receiving official will