THAILAND Law and Practice Contributed by: Pranat Laohapairoj, Suphakorn Chueabunchai and Pitchaya Roongroajsataporn, Chandler Mori Hamada
land. Only general PDPA provisions are applicable to this area.
5. International Considerations

5.1 Restrictions on International Data Transfers

The PDPA does not provide for the concept of absolute restriction for any type of transfer of personal data outside the jurisdiction of Thailand. Instead, controllers, as the transferors, may be subject to several obligations and/or must ensure that the transferee meets the qualifications as prescribed under the PDPA.

In general, in the case of transfer of personal data outside Thailand, the countries in which the transferee is located should have adequate personal data protection measures. The list of countries deemed to have adequate personal data protection measures is set to be prescribed by the PDPC; however, such list has not yet been prescribed. Two key criteria to consider in determining whether a country has adequate personal data protection measures are as follows:

• whether the legal safeguards for personal data protection in such country are of the same standard as or higher than those under the PDPA; and
• whether such country has a proper authority or organisation for enforcing the above-mentioned safeguards.

In any event, even upon the prescription of such list, several exemptions exist where the controller may transfer the personal data to countries not on the list (regarding compliance with the law, obtaining consent from the data subject, the execution of a contract to which the data subject is one of the parties, etc).

Another exemption to the limitation of personal data transfer to only those countries included on the list applies when the following qualifications are fulfilled:

• where such transfer is within a group of undertakings or enterprises; and
• where the transferor of the personal data applies the binding corporate rules (BCRs), which have already been approved by the PDPC office, to such transfer.

During the period when no list is prescribed for those countries deemed to have adequate personal data protection, or when the BCRs have not been approved by the PDPC office, the PDPA stipulates that the transferor provide appropriate security measures, to be enacted in accordance with the rights of the data subject, as well as effective legal remedial measures such as appropriate standard contractual clauses (SCCs) for cross-border transfer and a certificate. Under the PDPA’s notification, SCCs from the Association of Southeast Asian Nations (ASEAN) Model Contractual Clauses for Cross-Border Data Flows and GDPR SCCs are acceptable.

5.2 Government Notifications and Approvals

Cross-border transfer does not require government notification or approval.

5.3 Data Localisation Requirements

In certain cases, operators have to retain documents on their premises, such as accounting documents and a VAT certificate. However, an operator can duplicate and transfer such data internationally (see 5.1 Restrictions on International Data Transfers for more details).