On July 13, 2023, Thailand’s Personal Data Protection Committee (PDPC) published a draft notification on the requirements for appointment of a data protection officer (DPO).
Under the Personal Data Protection Act B.E. 2562 (PDPA), data controllers or data processors must appoint a DPO if:
- The data controller or data processor is a state agency as prescribed by the PDPC (the list of state agencies was published in the Government Gazette on July 18, 2023);
- The activities of the data controller or data processor in relation to the processing of the personal data require “regular monitoring of the personal data or the system,” by reason of “having large-scale personal data” as prescribed by the PDPC; or
- The core activity of the data controller or data processor is related to the processing of special categories of personal data (e.g., health-related data, biometric data, etc.).
The draft notification’s criteria for determining whether a processing activity (1) requires regular monitoring of the personal data or the system, and (2) involves large-scale personal data are outlined below.
General Principles
When determining whether processing of personal data requires regular monitoring due to having large-scale personal data, it is likely that only the “core activity” of the data controller or data processor is to be taken into consideration. The term “core activity” denotes an essential and integral activity directly related to the primary operations of the data controller or data processor and does not include any supplementary business activities.
Regular Monitoring of Personal Data or Systems
According to the draft notification, activities related to processing personal data require regular monitoring of the personal data or the system if:
- The core part of the data controller’s or data processor’s activities consists of tracking, monitoring, analyzing, or predicting the behavior, attitude, or profile of individuals; and
- These activities generally involve the processing of personal data in a systematic manner on a usual or regular basis.
Examples of processing activities that require regular monitoring of the personal data or the system include:
- Processing activities relating to membership cards, public transportation cards, electronic cards, or any other similar cards in which the card issuer or any other person can review card usage data;
- Regular or routine processing activities involving verification of the status, history, or characteristics of customers or service recipients to assess various related risks before entering into a contract or providing services of the same nature, such as credit scoring, insurance premium evaluation, and fraud prevention, but not including operations with data from credit bureau companies and their members pursuant to Thailand’s laws concerning credit information business;
- Processing of personal data for purposes of behavioral advertising;
- Processing of customers’ or service users’ personal data by computer network system service providers or telecommunications operators; and
- Processing of personal data for surveillance and security purposes.
Large-Scale Personal Data
When determining whether the core activities of a data controller or data processor constitute the large-scale processing of personal data, the following factors must be considered:
- The number or proportion of data subjects whose personal data is processed, compared to the total number of potential data subjects;
- The volume, type, or nature of personal data processed;
- The duration or permanence of the processing of personal data for the purpose of carrying out the core activities of the data controller or data processor; and
- The territorial scope or geographical area in connection with the processing activities.
Examples of the processing of large-scale personal data include:
- Activities for the purpose of behavioral advertising, performed through search engines, or relating to social media with a wide range of users;
- Processing of customers’ or service recipients’ personal data by life insurance companies, non-life insurance companies, or financial institutions pursuant to the respective law, but not including the handling of data by credit bureau companies and their members pursuant to the laws concerning credit information business operations; or
- Processing of customers’ or service recipients’ personal data by a licensee holding a type 3 license under the Telecommunication Business Act B.E. 2544 (2001).
In addition, the relevant business standards and the risks to the rights and freedoms of the data subjects will also be taken into consideration.
Other Requirements for DPOs
DPOs may undertake other duties or tasks, provided that the data controller or data processor certifies to the Office of the PDPC that these duties do not conflict with or violate the legal obligations set out in the PDPA. This is similar to the current requirement under Section 42 of the PDPA.
For more information on these DPO appointment requirements, or on any aspect of compliance with Thailand’s data protection regulations, please contact Tilleke & Gibbins’ data privacy team.