This depends on what legal basis the data controller (e.g., financial institution) relies on for the cross-border transfer of data. In the absence of any regulation on cross-border transfer of data, the following approaches can be considered:
- Not obtaining consent from customers (risk-based approach)
- Obtaining consent from customers (consent-based approach)
The Personal Data Protection Act B.E. 2562 (2019) ("PDPA") prescribes rules and requirements concerning requests for consent. The consent request should be in line with the consent requirements under Section 19 of the PDPA, where it prescribes, among others, that a request for consent should be made in a written statement or via electronic means, unless it is not practical to do so.
On 7 September 2022, the Office of the Personal Data Protection Committee published the Guideline on Seeking Consent from Data Subjects under the Personal Data Protection Act B.E. 2562 (2019) ("Consent Guideline"). The Consent Guideline provides an overview of consent requirements , which are generally in line with the provisions of the PDPA.