Since 2010, the Global Law Experts annual awards have been celebrating excellence, innovation and performance across the legal communities from around the world.
posted 2 years ago
The Personal Data Protection Act B.E. 2562 (2019) (“PDPA“), which became effective on 1 June 2022, specifies the rules and restrictions that Data Controller and Data Processor must adhere to. One important rule and regulation regarding the Data Protection Officer (“DPO“) is specified in Section 41 of PDPA that “The Data Controller and the Data Processor shall designate a data protection officer…” Therefore, many organizations might wonder, what is a DPO? What is its responsibility? And what qualifications are required to become one?
A DPO is a person who is responsible for the data protection of all personal data collected, used and disclosed by a legal entity, whether it is internal personal data or third-party personal data collected by the legal entity. Section 42 of the PDPA specifies the duties of the DPO as follows:
There are no officially announced sub-regulations governing DPO qualification; the PDPA only specifies the duties of the DPO as mentioned above. As a result, the following is only a guideline by Thailand Data Protection Guidelines regarding this such matter, which Data Controller and Data Processor should consider.
After the designation of a DPO by legal entities, the Data Controller and the Data Processor are also required by Section 41 paragraph 5 of the PDPA to inform the PDPC and Data Subject of the information, i.e. DPO’s information, contact address and contact channels. Plus, Any Data Controllers and Data Processors who are in the same affiliated business or group of undertakings and designate the same jointly DPO must also provide a list of all Data Controllers and/or Data Processors with whom such DPO works for. For the contact channel for informing the said information, it can be sent to PDPC via an email and telephone number as specified in the Announcement of the Office of the Personal Data Protection Committee Concerning Electronic Channels for Contacting the Office of Personal Data Protection Committee B.E. 2562 (2019) For an obligation to inform the Data Subject of the DPO’s information as mentioned above, this can be included in the privacy notice or privacy policy published by the Data Controller and Data Processor, as the same matter is also required by Section 23 (5) of the PDPA. Despite the fact that no sub-regulation regarding DPO qualifications has been announced, all Data Controllers, Data Processors, DPOs and other relevant parties should keep an eye on these upcoming regulations in order to comply with the PDPA and designate an appropriate DPO for your legal entity because DPO shall play an important role and directly affect your legal entity’s compliance with PDPA.
Author: Panisa Suwanmatajarn, Managing Partner.
posted 22 hours ago
posted 1 day ago
posted 1 day ago
posted 1 day ago
No results available
ResetSign up for the latest advisory briefings and news within Global Advisory Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Advisory Experts is dedicated to providing exceptional advisory services to clients around the world. With a vast network of highly skilled and experienced advisers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.