Thailand: Implemented rules on the criteria for protecting personal data sent or transferred abroad according to Section 28 of PDPA

On 24 March 2024, Thailand’s Personal Data Protection Committee (PDPC) implemented rules regarding the criteria for protecting personal data sent or transferred abroad according to Section 28 of the Personal Data Protection Act (PDPA). The order outlines the rules for the adoption of an adequacy decision, noting that PDPC will assess the level of protection the countries have and will accept cases proposed by data controllers. Further, it outlines the criteria for sufficient data protection standards, such as having laws or regulations, competent enforcement authorities, and effective legal and regulatory mechanisms in place in the recipient country or organisation. Furthermore, it specifies that entities will be able to transfer data to countries and organisations that have an adequate level of protection and outlines exceptions, including compliance with local laws, the entity obtained consent from data owners, the necessity for contract performance, safeguarding life, health, safety, or vital public interest.