Thailand's Personal Data Protection Committee (PDPC) recently issued notifications on December 25, 2023, regarding cross-border transfer of personal data under sections 28 and 29 of the Personal Data Protection Act 2019. These notifications will take effect on March 24, 2024.
Under Section 28, certain criteria have been established for the transfer of personal data to countries and international organizations. These criteria include the requirement for the receiving destination to have adequate data protection standards, which encompass aspects such as aligned legal measures, data protection obligations for controllers, and the existence of an authority overseeing data protection laws.
Moreover, the PDPC has the authority to review cases referred to them concerning data transfers and can make decisions on a case-by-case basis or establish a list of countries and organizations meeting the adequate data protection standards.
Section 29 outlines mechanisms for secure data transfer, emphasizing Binding Corporate Rules (BCR) and appropriate safeguards. BCRs involve implementing approved policies for safeguarding data within affiliated businesses, while safeguards ensure protection and enforcement of data subject rights through measures like standard contractual clauses.