On 1 February 2021, through Thailand’s Ministry of Digital Economy and Society, the Office of Personal Data Protection Commission announced that it will arrange public hearing sessions for the first set of subordinate regulations under the Personal Data Protection Act B.E. 2562 (2019) (the PDPA).
Subordinate regulations on the following topics will be covered during the consultations:
- Privacy notices
- Responsibilities of data controllers
- Cross-border data transfers
- Data protection officers
- Security measures
- Compliance processes
- Sensitive personal data
It is anticipated that the draft subordinate regulations will be circulated (in Thai) to registered attendees ahead of the sessions. Participation by video conferencing will be available.
In addition, at the First ASEAN Digital Ministers’ Meeting on 21 January and 22, 2021, the ASEAN Data Management Framework (DMF) and the Model Contractual Clauses for Cross Border Data Flows (MCCs) were approved in order to promote the secure free flow of data between ASEAN countries, including Thailand.
The development of the Thai PDPA is expected to factor into these DMF and MCC initiatives, potentially allowing businesses in Thailand to transfer data between neighboring countries within the region, in addition to the permitted transfer between countries whitelisted under the European General Data Protection Regulation (GDPR). These initiatives were led by the Singapore Personal Data Protection Commission, and more details are expected in due course.
Prior to the PDPA effective date on 1 June 2021, substantial further developments are expected to give further clarification and guidance for businesses, and to ease their compliance concerns.
For more information on this development, or any other aspect of data protection in Thailand, please contact Tilleke & Gibbins’ data protection team led by Athistha (Nop) Chitranukroh ([email protected]).