On December 12, 2033, Thai Personal Data Protection Committee (“PDPC”) issued
Notifications on Criteria for Protecting Personal Data Sent or Transferred Abroad under Section 28 and 29 of Thai Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), namely PDPC Notification re: Principles of Protection of Personal Data being Sent or Transferred Overseas Pursuant to Section 28 of the PDPA (“Notification under Section 28”) and PDPC Notification re: Principles of Protection of Personal Data being Send or Transferred Overseas Pursuant to Section 29 of the PDPA (“Notification under Section 29”). Both Notifications will become effective from March 24, 2024.
泰國個人資料保護委員會(“PDPC”) 在2033 年 12 月 12 日發布關於根據佛曆2562年(2019)《泰國個人資料保護法》第 28 條和第 29 條保護向國外發送或傳輸的個人資料的標準的通知 (“PDPA”),即關於根據 PDPA 第 28 條發送或轉移到海外的個人資料的保護原則的 PDPC 通知(“第28條的通知”)和關於保護原則的 PDPC 通知根據PDPA第29 條(“第29條的通知”)向海外發送或轉移的個人資料。兩項通知均將於2024年3月24日生效。
Below is summary of the two Notifications:
以下是這兩個通知的摘要:
1. “Transfer” is defined to include both physical and electronic transfer. However, it excludes data transit and data storage (such as cloud computing services) by which the transited or stored data is not accessible by any third party - other than the data controller or processor who transfers such data.
“轉讓”的定義包括實體轉讓和電子轉讓。但是,它不包括資料傳輸和資料儲存(例如雲端運算服務),任何第三方(傳輸此類資料的資料控制者或處理者除外)都無法存取所傳輸或儲存的資料。
2. Data controllers can only transfer personal data to recipients overseas if the destination country has adequate data protection measures. In this case, the PDPC may issue a list of countries or international organizations which are recognized as having adequate data protection measures (“Adequacy Decision”) in the future.
只有在目的地國家有充分的資料保護措施的情況下,資料控制者才能將個人資料傳輸給海外的接收者。這樣的情況下,PDPC 未來可能會發布一份被認為擁有充分資料保護措施的國家或國際組織名單(“充分性決定”)。
3. In absence of the PDPC’s Adequacy Decision, data controllers may rely on the following mechanisms to transfer personal data to a recipient based overseas:
在沒有 PDPC 充分性決定的情況下,資料控制者可以依靠以下機制將個人資料傳送給海外接收者:
Ø Binding Corporate Rules (“BCR”) for the transfer of personal data to entity(s) within the data controller’s group of companies. The BCR requires approval from the PDPC. Notification under Section 29 also describes the requirements for BCR compliance, such as enforceability, data subject’s rights, and security measures.
用於將個人資料傳輸至資料控制者公司集團內的實體的具有約束力的公司規則(“BCR”)。 BCR需要獲得 PDPC的核准。第 29 條的通知也描述BCR 合規性要求,例如可執行性、資料主體權利和安全措施。
Ø Standard Contractual Clauses (“SCC”) for the transfer of personal data to entity(s) which may or may not belong to the data controller’s group of companies. The SCC does not require approval from the PDPC. However, the Notification under Section 29 specifies recognized model clauses that data controllers can adopt and the requirements for SCC compliance.
用於將個人資料傳輸到可能屬於或不屬於資料控制者公司集團的實體的標準合約條款(“SCC”)。 SCC 不需要 PDPC 的核准。然而,第29條的通知規定資料控制者可以採用的公認的示範條款以及 SCC 合規性要求。
Ø Certification of the implementation of the appropriate safeguards in accordance with recognized standards to be determined by the PDPC. These must include the personal data protection contents as prescribed in the notification.
根據 PDPC 確定的公認標準,對適當保障措施的實施情況進行認證。其中必須包括通知規定的個人資料保護內容。
4. Failure to comply with the Notifications could result in an administrative fine of up to THB 5,000,000. In limited circumstances, criminal penalties may also apply, including imprisonment for up to one year and/or a fine not exceeding THB 1,000,000.
不遵守通知可能會導致最高 5,000,000 泰銖的行政罰款。在有限的情況下,也可能適用刑事處罰,包括最高一年的監禁和/或不超過 1,000,000 泰銖的罰款。
Comentários