January 13, 2023
The Office of the Personal Data Protection Committee (the “PDPA Committee”) published a draft regulation issued under the Personal Data Protection Act (2019) (the “PDPA”) relating to the cross-border transfer of personal data outside of Thailand (the “Draft Regulation”) on its website in September 2022. Cross-Border Transfer of Personal Data under the Current Provisions of the PDPA According to Section 28 of the PDPA, a data controller can transfer personal data to a foreign country if the receiving country has in place adequate personal data protection measures that are in line with the adequacy criteria issued by the PDPA Committee. The PDPA Committee will announce a list of countries that have in place such personal data protection measures (the “Whitelist Countries”) later on. However, if the personal data is not transferred to any Whitelist Countries, the cross-border transfer can still be conducted if the exemptions under Section 28 apply. Moreover, Section 29 (Paragraphs 1 and 2) of the PDPA provides an alternative method to transfer personal data to a foreign country. It states that the transfer of personal data is permitted within the same group of companies that have established binding corporate rules (the “BCR”) relating to data protection, which must be reviewed and certified by the PDPA Committee pursuant to the regulations issued by the PDPA Committee. If the company has certified BCR, Section 28 no longer applies to the transfer of such personal data. Under Section 29 (Paragraph 3) of the PDPA, the cross-border transfer of personal data may be carried out in the absence of any Whitelist Countries or certified BCR if the transferor provides appropriate...