DPOs and Notification Requirements
Is the concept of data protection officer (DPO) recognized in the jurisdiction?

Last review date: January 2025

Yes.

Are there circumstances in which it is mandatory to appoint a DPO or similar position?

☒ the processing is carried out by a public authority or body, except for courts acting in their judicial capacity
☒ other

  • The core activity of the personal data controller or the personal data processor is the collection, use, or disclosure of sensitive personal data.
  • The activities of the personal data controller or the personal data processor in the collection, use or disclosure of personal data require regular monitoring of the personal data or the system because of the large number of personal data, as prescribed and announced by the Personal Data Protection Committee.

The PDPC Notification re: DPO Designation was published in the Government Gazette on 14 September 2023 and became effective on 13 December 2023. Under the Notification, the data controller or data processor must consider the following criteria when determining whether to designate a DPO:

  • Core activities criteria. The processing activities of the data controller or data processor are part of its core activities, defined as any operation that is necessary and significant to achieve the primary objectives or goals of the business.
  • Regular monitoring criteria. The core activities require regular monitoring of the personal data or system if they involve tracking, monitoring, analyzing and profiling of personal data in a systemic way. Sample activities include membership cards and electronic cards, credit scoring and fraud prevention, insurance premium consideration, behavioral advertising, computer networking services or telecommunications businesses, and surveillance and security services.
  • Large-scale criteria. Various factors must be considered to determine if the core activities involve personal data on a large scale. One of the factors is whether the number of data subjects reaches 100,000 or more. However, there has been no clarification yet on what type of data subjects would be counted towards the 100,000 figure, e.g., whether corporate clients' business contacts would be counted together with end customers. In addition, activities such as behavioral advertising through widely used search engines or social media, and the normal operations of insurance companies, financial institutions and telecommunications businesses, also trigger the large-scale criteria.

Businesses that meet any of the criteria to designate a DPO should complete the designation process and notify data subjects and the PDPC.

Where a DPO is appointed, does the DPO have to meet specific requirements?

Last review date: January 2025

Currently, no, but future sub-regulations may prescribe specific requirements.

Are there obligations to notify, submit filings to, register with or obtain approval from local data protection authorities to collect and/or process personal data generally?

Last review date: January 2025

No.