Since the PDPA became effective on 1 June 2022, the PDPC has proactively issued a series of subordinate laws and regulations to clarify points of legal interpretation that the public had raised as unclear or debatable, and to strengthen personal data protection practice. Most recently, the PDPC issued the PDPC Notification regarding the rules for protection of personal data transferred to other countries pursuant to section 28 of the PDPA B.E. 2566 (the "Rules under section 28") and the PDPC Notification regarding the rules for protection of personal data transferred to other countries pursuant to section 29 of the PDPA B.E. 2566 (the "Rules under section 29"), both of which will come into force on 24 March 2024.
Generally speaking, the Rules under section 28 set out the general regime for ensuring adequate protection of personal data transferred internationally, while the Rules under section 29 govern the protection of personal data processed and transferred among entities within the same corporate group under binding corporate rules.
Under both the Rules under section 28 and the Rules under section 29, a "cloud computing service provider" means a service provider that maintains or stores data for other persons and operates a data management system on the internet for the purpose of providing its services. This can be read to include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), Data Storage as a Service (DSaaS), serverless computing, and Function as a Service (FaaS). The term "send or transfer personal data" refers simply to the sending or transfer of personal data by a sender or transferor to a recipient. It excludes the sending and receiving of personal data by an intermediary for the purpose of data transit between computer systems, network systems or data storage, whether temporary or permanent, where no one other than the data controller or data processor sending the personal data, or its personnel, employees or workers, has access to the data.
Under section 28 of the PDPA, a data controller may send or transfer personal data to a destination country or international organization only where that destination has adequate personal data protection standards, unless the transfer falls within one of the exceptions set out in that section. The Rules under section 28 further provide that the adequacy of a destination's personal data protection standards is assessed against two criteria: (i) the legal measures in place, and (ii) the existence of regulatory bodies, in the destination country or international organization.
Separately, a cross-border transfer of personal data among entities in the same affiliated business or the same group of undertakings may be made under Binding Corporate Rules (BCRs) approved by the PDPC. Simply put, BCRs are a personal data protection policy or agreement by which both the sender and the recipient of the transferred personal data agree to be bound, in order to establish appropriate safeguards for personal data protection within the same affiliated business or group of undertakings.
However, where (i) the PDPC has not issued a decision under section 28 of the PDPA recognizing the adequacy of the personal data protection standards of the destination country or international organization, and (ii) no PDPC-approved BCRs are in place, clause 8 of the Rules under section 29 still leaves room for a data controller or data processor to send or transfer personal data to a foreign country, provided that appropriate safeguards are in place so that the rights of data subjects remain enforceable and effective legal remedies are available. Such appropriate safeguards may take the form of contractual clauses, a certification, or security measures set out in an instrument or agreement.