Under Section 41(2) of the Personal Data Protection Act B.E. 2562 (PDPA), the data controller and the data processor must appoint a DPO if they carry out activities for collection, use or disclosure (processing) of personal data that require regular monitoring of personal data or systems and a large scale of personal data.

The Personal Data Protection Committee (PDPC) of Thailand issued its Notification on Appointment of Data Protection Officers on 31 August 2023.  The notification was published in the Royal Gazette on 14 September 2023.  It will become effective on and from 13 December 2023.  We have summarized the key provisions of the notification as follows:

1.   The data controller and the data processor who carry out activities for collecting, using or disclosing personal data which form parts of their core activities that require regular monitoring of personal data or systems, and processing a large scale of personal data must appoint a DPO.

2.   The activities of the data controller and the data processor which are part of their core activities carried out as tracking, monitoring, analyzing or profiling the behaviors or attitudes or characteristics of data subjects and generally consist of systematic collection, use or disclosure of personal data on a regular basis are deemed the activities that require regular monitoring of personal data or systems.

3.   Collection, use or disclosure of the personal data in the following cases are deemed as the cases that require regular monitoring of personal data or systems:

(1)   Use of membership or public transportation cards that allow tracking.

(2)   Ongoing collection of customer or service recipient data for risk evaluations, such as credit scoring or fraud prevention, before entering into contracts or providing services.

(3)   Use of personal data for targeted advertising (behavioral advertising).

(4)   Data collection by internet service providers or telecom companies.

(5)   Data collection for security purposes at multiple sites.

4.   The following factors shall be taken into account in determining whether the activities of the data controller and the data processor are involved with a large scale of personal data:

(1)   The number of the data subjects involved or the ratio of the data subjects whose personal data are processed when compared with all the potential data subjects.

(2)   The quantities, types or characters of the personal data which are processed.

(3)   The duration or the permanence of the personal data processing for the core activities.

(4)   The scope of use of the personal data by the organization or the size of the geographical areas or the number of the countries related to the personal data processing activities.

The activities that are deemed activities involved with a large scale of personal data also include the activities involving at least 100,000 data subjects, or the behavioral advertising through search engine or social media with a large user base, or the data processing by life insurance companies or financial institutions or telecom companies.

5.   In considering factors for determining the core activities that require regular monitoring of personal data or systems and the large scale of the personal data, the standards and practices of the business and the risks to and impacts on the data subjects must be taken into account.

6.   A DPO can also perform other roles or duties if the data controller or the data processor who appointed such DPO warrants to the PDPC that such roles or duties of the DPO do not conflict with his DPO duties as required under the PDPA.

To see the archive of our past newsletters and articles please click here.