IBC泰國法律金融會計事務所International Business Consultancy

Draft Notification on Data Protection Officer Appointment is

Released in Thailand

泰國發布關於資料保護長任命的通知草案

Thailand’s Personal Data Protection Committee (PDPC) published a draft notification on 13 July 2023 on requirement for the appointment of a data protection officer (DPO). According to Personal Data Protection Act B.E. 2562 (2019) (PDPA), Section 41, data controllers or data processors must appoint a DPO when:

泰國個人資料保護委員會 (PDPC) 於 2023 年 7 月 13 日發布一份關於任命資料保護長 (DPO) 要求的通知草案。根據佛曆2562年(西元2019年)《個人資料保護法》第41條，資料控制者或資料處理者在以下情況必須指定 DPO：

• The data controller or data processor is a state agency as prescribed by the PDPC (the list of state agencies was published in the Government Gazette on July 18, 2023);

       資料控制者或資料處理者是 PDPC規定的國家機構(國家機構名單於2023年7月18日公佈在政府公報);

• The activities of the data controller or data processor in relation to the processing of the personal data require “regular monitoring of the personal data or the system,” by reason of “having large-scale personal data” as prescribed by the PDPC; or

    資料控制者或資料處理者與個人資料處理相關的活動需要 “定期監控個人資料或系統”，因為PDPC規定“擁有大量個人資料”；或

• The core activity of the data controller or data processor is related to the processing of special categories of personal data (e.g., health-related data, biometric data, etc).

     資料控制者或資料處理者的核心活動與特殊類別的個人資料(例如健康相關數據、生物識別資料等)的處理有關。

Based on the draft notification, activities in relation to processing personal data require regular monitoring of the personal data or the system, when (1) the core part of the data controller’s or data processor’s activities consists of tracking, monitoring, analyzing, or predicting the behavior, attitude, or profile of individuals; and (2) the activities generally involve the processing of personal data in a systemic manner on a usual or regular basis.

根據通知草案，與處理個人資料相關的活動需要定期監控個人資料或系統，當(1) 資料控制者或資料處理者活動的核心部分包括跟踪、監控、分析或預測個人的行為、態度或概況； (2) 這些活動通常涉及通常或定期以系統方式處理個人資料。

Following are examples of processing activities that require regular monitoring of the personal data or the system:

以下是需要定期監控個人資料或系統的處理活動的範例：

• Processing activities relating to membership cards, public transportation cards, electronic cards, or any other similar cards in which the card issuer or any other person can review card usage data;

    與會員卡、公共交通卡、電子卡或任何其他類似卡相關的處理 活動，其中發卡機構或任何其他人可以審查卡的使用資料;

• Regular or routine processing activities involving verification of the status, history, or characteristics of customers or service recipients to assess various related risks before entering into a contract or providing services of the same nature, such as credit scoring, insurance premium evaluation, and fraud prevention, but not including operations with data from credit bureau companies and their members pursuant to Thailand’s laws concerning credit information business;

    定期或例行的處理活動，涉及驗證客戶或服務接受者的狀態、 歷史或特徵，以在簽訂合約或提供相同性質的服務之前評估各 種相關風險，例如信用評分、保險費評估和欺詐預防，但不包 括根據泰國有關信用資訊業務的法律使用信用局公司及其成員 的資料進行的操作 ;

• Processing of personal data for purposes of behavioral advertising;

      出於行為廣告目 目的處理個人資料;

• Processing of customers’ or service users’ personal data by computer network system service providers or telecommunications operators;

      電腦網絡系統服務提供商或電信運營商處理客戶或服務使用者 的個人資料;

• Processing of personal data for surveillance and security purposes.

      出於監視和安全目的處理 個人資料。

To determine whether the core activities of a data controller or data processor constitute the large-scale processing of personal data, the following qualifications must be taken into consideration:

為了確定資料控制者或資料處理者的核心活動是否構成大規模個人資料處理，必須考慮以下條件：

• The number or proportion of data subjects whose personal data is processed, compared to the total number of potential data subjects;

      處理個人資料的數據主體的數量或比例，與潛在數據主體的總 數相比;

• The volume, type, or nature of personal data processed;

      處理的個人資料的數量、 類型或性質;

• The duration or permanence of the processing of personal data for the purpose of carrying out the core activities of the data controller or data processor;

      為了執行資料控制者或資料處理者的核心活動而處理個人資料 的持續時間或持久性;

• The territorial scope or geographical area in connection with the processing activities.

      與處理活動有關的領土範圍或 地理區域。

The processing of large-scale personal data includes:

大規模個人資料的處理包括:

• Activities for the purpose of behavioral advertising, performed through search engines or relating to social media with a wide range of users;

      通過搜索引擎或與擁有廣泛用戶的社交媒體相關的行為廣告目 的的活動;

• Processing of customers’ or service recipients’ personal data by life insurance companies, non-life insurance companies, or financial institutions pursuant to the respective law, but not including the handling of data by credit bureau companies and their members pursuant to the laws concerning credit information business operations;

     人壽保險公司、非人壽保險公司或金融機構根據各自的法律處 理客戶或服務接受者的個人資料，但不包括信用局公司及其成 員根據有關信用的法律處理數據資料業務運營;

• Processing of customers’ or service recipients’ personal data by a licensee holding a type 3 license under the Telecommunication Business Act B.E. 2544 (2001).

持有佛曆2544年(西元2001年)《電信商業法》第3類許可證的被許可人處理客戶或服務接受者的個人資料。

IBC International Consultancy is a Law, Finance, and Accounting firm located in Bangkok, Thailand. With Experienced lawyers, accountants, and financial advisers, we provided services including investment, tax, and legal consultants in Thailand. Should you have any questions, please do not hesitate to contact us via Line: @ibcfirm for further information.

IBC泰國法律金融會計事務所 (International Business Consultancy) 為一間位於曼谷的泰國法律金融會計事務所，由經驗豐富的律師、會計師、及財務顧問組成，可提供泰國投資、泰國稅收及泰國法律諮詢等服務。如果有什麼問題，可以隨時通過Line: @ibcfirm與我們聯繫。