Thailand Cross Border Data Transfer Legislation

Published March 14, 2024
Contributors

Salma Khan

Data Privacy Analyst at Securiti

CIPP/Asia

Aman Rehan

Data Privacy Analyst

1. Introduction

Thailand’s Personal Data Protection Act (“PDPA”) took effect on June 1st, 2022. The legislation aims to protect the personal information of data subjects. This brief specifically focuses on the cross-border transfers of personal data under the PDPA.

On December 25th, 2023, the Personal Data Protection Committee (“PDPC”) published two notifications on cross-border transfers of personal data in Thailand’s Royal Gazette: the Criteria on Protection of Personal Data Transferred to Third Countries under Section 28 of the PDPA (2023) (the “Adequacy Notification”) and the Criteria on Protection of Personal Data Transferred to Third Countries under Section 29 of the PDPA (2023) (the “Non-adequate Countries Notification”). Both notifications take effect on March 24th, 2024.

2. Cross-Border Data Transfer Under the PDPA

The PDPA itself does not define the cross-border transfer of personal data. However, the PDPC’s Adequacy and Non-adequate Countries Notifications provide that a cross-border transfer takes place when personal data is sent from Thailand to another country, whether physically or through a computer system or network. For example, a cross-border transfer occurs when a server located in Thailand transmits personal data to a cloud service provider based in another country for processing, use, or disclosure. A data controller or processor must satisfy specific legal requirements before sending or transferring personal data abroad.

The Adequacy Notification outlines that the following scenarios of data transfer do not qualify as cross-border data transfer and, therefore, the requirements of cross-border data transfer would not apply to them:

  • When personal data is passing through a system (such as an email server) without being accessed or altered.
  • When data is stored temporarily or permanently on a cloud server located abroad where no third party has access to it.

3. Requirements of Cross-Border Data Transfer

The key requirement for cross-border transfer of data, as per Section 28 of the PDPA, is that the destination country or the international organization that receives personal data from data controllers and processors in Thailand must have an adequate level of data protection. According to Section 5 of the Adequacy Notification, assessing the adequacy of protection standards involves careful consideration of the following factors:

  • Whether the destination country or international organization has legal measures or mechanisms in place comparable to Thailand's personal data protection law.
    • For instance, whether the destination country has enacted comprehensive data protection legislation.
  • Whether there is a designated agency or organization responsible for enforcing data protection law in the destination country, so that the data protection framework is actively monitored and enforced.
    • For instance, the existence of a data protection authority with the power to investigate and penalize non-compliance.
  • Whether legal remedies are available to data subjects in the destination country, giving individuals recourse in case of data protection violations.
    • For instance, a legal framework and legal avenues that allow individuals to file complaints and seek compensation in case of a data breach.

The PDPC assesses the adequacy of data protection standards of destination countries or international organizations. In this regard, Section 28, Paragraph 3 of the PDPA enables the PDPC's office to review issues submitted by data controllers or independently gather relevant information. Additionally, the Adequacy Notification specifies that the PDPC may make decisions on a case-by-case basis or consider establishing a list of destination countries or international organizations with sufficient standards of personal data protection.

4. Exceptions to Key Requirements of Cross-Border Data Transfer

As per Section 28 of the PDPA, the adequate data protection standard requirement for cross-border transfer of data may be exempted in the following situations:

  • Where the cross-border data transfer is taking place for compliance with the law. It could include situations such as the disclosure of specific personal data for legal investigations mandated by the law.
  • Where the consent of the data subject has been obtained after he/she has been informed of the non-adequate personal data protection standards of the destination country or international organization. It could include instances where an organization transfers personal data to an international research institution located in a non-adequate country after informing the data subject about the destination country's insufficient data protection standards and obtaining explicit consent.
  • Where the transfer of personal data is essential to fulfilling contractual obligations on behalf of the data subject.
  • Where the transfer of personal data is necessary for the performance of a contract between the data controller in Thailand and another person or entity based abroad, where that contract is for the benefit of the data subject. It could include a contract with an international organization to improve services for the benefit of data subjects.
  • Where the transfer is necessary to prevent or suppress danger to the life, body, or health of the data subject or another person, and the data subject is incapable of giving consent at the time.
  • Where it is necessary to carry out the activities concerning substantial public interest. It can include collaborating with an international organization for global health research or environmental protection activities.

5. Mechanisms for Transfer of Cross-Border Data to Non-adequate Countries

The Non-adequate Countries Notification prescribes, in further detail, two primary mechanisms available to data controllers or processors for the transfer of personal data to countries deemed non-adequate by the PDPC:

  • Binding Corporate Rules: A multinational group with affiliates in Thailand and in a non-adequate country may transfer personal data within the group once its group-wide personal data protection policy, known as Binding Corporate Rules (BCR), has been reviewed and approved by the PDPC. BCRs serve as an internal code of conduct, ensuring consistent and compliant handling of personal data across the corporate network.
  • Appropriate Safeguards: Data can be transferred from Thailand to a non-adequate country if appropriate safeguards are in place that ensure data subjects have effective legal remedies and can enforce their rights. The following qualify as appropriate safeguards:
    • Model Contractual Clauses: standardized contractual terms that both parties agree to in order to safeguard the personal data during the cross-border transfer. Under the Non-adequate Countries Notification, they may take either of the following forms:
        • clauses specific to a region or regulatory framework (e.g., ASEAN or GDPR), which play a crucial role in standardizing and regulating cross-border data transfers; or
        • standard contractual terms for sending or transferring personal data abroad issued by agencies or international organizations specified by the PDPC.

      Within those boundaries, businesses retain the flexibility to tailor the clauses to their specific needs, providing adaptability to diverse industries and operational contexts. Model Contractual Clauses could be used, for example, where a Thai e-commerce company engages a cloud service provider located in a non-adequate country for data processing.

    • Certification Ensuring Appropriate Safeguards: a certification obtained from the PDPC confirming that personal data transferred to a non-adequate country is handled in accordance with Thai law. The certification reinforces the legal enforceability of the safeguards in place.
        • For example, a Thai institution might obtain certification from the PDPC to transfer personal data to a non-adequate country for specified purposes.
    • Legally Binding Instruments: a legally binding and enforceable instrument may serve as an appropriate safeguard, ensuring that data protection standards are maintained across borders.
        • For example, a bilateral agreement between the Thai government and a non-adequate country to facilitate the secure exchange of personal data for law enforcement purposes.
    • Code of Conduct: a code of conduct for cross-border transfers of personal data, approved by the PDPC, may serve as an appropriate safeguard when sending personal data to non-adequate countries.
        • For example, if a consortium of international businesses operating in Thailand adopts an approved code of conduct for cross-border data transfers, it becomes a guiding framework for ensuring data protection compliance across their diverse business operations.