Under the Thailand Personal Data Protection Act 2019, section 28. Personal data may not be transferred outside of the Kingdom of Thailand unless the country that is receiving the data has adopted in law data protection standards that match better the PDPA unless meeting the following exemptions:
- Where it is for compliance with a legal obligation;
- The data subject’s consent has been obtained, provided that the data subject has been informed of the destination country’s inadequate personal data protection standards of international organization. Or destination country.
- The transfer is necessary for the performance of a contract between the Data Controller and data subject; or
- The transfer is necessary to protect the vital interests of the data subject.
Section 29 of the PDPA states that multi-national data controllers or processors that are in the Kingdom of Thailand who transfer data to other legal entities within the same business who have put in place a group-wide data protection policy and that policy has been reviewed and certified by the Personal data protection committee (PDPC) then data transfers, can be carried out and shall be exempt from compliance with section 28.
But if the above does not apply to your international transfers what actions do you need to take.
Under the PDPA if the data Controller cannot meet either section 28 or 29, they may still transfer personal data. They must still provide the data subjects with effective legal remedial measures for data subjects whose personal data protection is violated.
Additional good practices for the data controller or data processors to have ready for inspection include
- A record of all processing activities involved with the transfer
- A data map
- A data processing contract with the third party
- Third-party due diligence