Description

Adopted PDPC order on appointment of data protection officers under PDPA B.E. 2566 (2023)

On 31 August 2023, the Personal Data Protection Committee (PDPC) adopted the requirement for data controllers and data processors to appoint data protection officers (DPOs). It specifies that data controllers and processors handling large-scale personal data processing activities, especially those requiring regular monitoring, must appoint a DPO. Large-scale collection, use, or disclosure of personal data includes instances where the data is part of core activities involving 100,000 or more data subjects, where it is used for behavioural advertising through widely used search engines or social media platforms, and where it is processed in the normal operations of life and non-life insurance companies and financial institutions, excluding data from credit reporting activities. It also encompasses data collected by licensed telecommunications operators and any other cases identified by the Personal Data Protection Committee. The order clarifies that DPOs may have other roles, provided they do not conflict with their data protection duties.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Data protection authority governance
Regulated Economic Activity
cross-cutting
Implementation Level
national
Government Branch
executive
Government Body
data protection authority

Complete timeline of this policy change

2023-08-31
adopted

On 31 August 2023, the Personal Data Protection Committee (PDPC) adopted the requirement for data c…

2023-12-13
in force

On 13 December 2023, the Personal Data Protection Committee’s (PDPC) order on the requirement for d…