Why it’s critical for schools to be aware of international data transfer policies under the PDPA
In a way, data has become a currency on its own and a valuable asset for any large or small company, not just schools. In fact, the trade value of data may very well surpass that of goods and services at some stage.
The global norm around personal data, which is rapidly evolving as we speak, is that it needs to be regulated and protected as per the policies set out by PDPA (Personal Data Protection Act) and GDPR (General Data Protection Regulation).
Many school administrators and owners already understand and acknowledge how important data privacy is. Many have also noted how the right to data privacy is a basic human right. Since trust is an essential element of managing data (including facilitation of its exchange) – good data privacy practices will always give schools a competitive advantage, and more credibility and make them more reputable.
Students and their parents trust the online space as a medium where they should be able to provide data in a confidential way. They should be able to trust that the systems they are sharing their personal data with, will keep it safe, secure and updated at all times.
As an international school system, how can you regulate your data when it comes to international data transfers? What are the GDPR and PDPA policies and how are they relevant to Thailand? What are cross-border transfer rules? How can international recruitment and compliance with both PDPA and GDPR be managed?
We’re going to answer these crucial questions and others related to international data transfers in this final part of the series.
GDPR’s stance on international data transfers
The hyper-digitalized world we live in today demands interaction to such a degree that if the transfer of personal information between countries were to be halted, entire societies would grind to a halt. Keeping this in view, it isn’t surprising to know that the cross-border data transfer issues we’ve been seeing have been a driving force behind international laws on data privacy, particularly those set by the GDPR framework.
In Articles 44-50, for example, the GDPR has published detailed rules around international data transfers, making such transfers possible under specific circumstances. For example, data can be freely transferred to foreign countries that have gotten a favourable adequacy decision by the EU Commission (as per Article 45).
Adequacy decisions are decisions taken by the Commission where a given country/organization is given an “acceptable” status to which data can be transferred to. The adequacy criteria require that the country has the following at the very least:
- Governance or rule of law in place
- Access to justice
- Respect for fundamental freedoms, including human rights
- And, the relevant general and sectoral legislation in regards to:
- Defence
- Public security
- National security
- Criminal law
- Public order
According to GDPR rules, transferring personal data to any country outside the EU can be done under two conditions only:
- The destination has already been the subject of a favourable adequacy decision.
- The transfer must be protected under the appropriate laws to safeguard personal data.
Now, simply fulfilling these conditions may not be ‘adequate’ – in fact, it’s very much possible that one of the designated authorities might still ban all international personal data transfers to certain countries even if you put the appropriate security measures in place.
Any additional personal data transfers are subject to the same restrictions. If you want to transfer data outside Thailand, you will not only need to comply with all the GDPR regulations but also those of the country and/or international organization where you’re sending the data.
However, what we’ve discussed above is by no means a comprehensive list of the requirements, criteria or restrictions under GDPR in regards to international data transfers for schools. Our GDPR compliance experts would be happy to assist you further.
Thai PDPA’s stance on international data transfers
The Thai PDPA policies contain certain restrictions on international data transfers. Section 28 in particular states that when the Personal Data Controller sends any personal data to an international recipient, the destination country/organization shall have the necessary personal data protection standards in place; that such an act shall only be performed in line with the rules set out for the protection of personal data under Section 16(5).
There are exceptions, however:
- Where the law prescribes otherwise
- Where the personal data owner’s consent has been acquired after he/she has been informed that there are insufficient personal data protection standards present in the destination country/organization receiving such data
- Where it becomes necessary to comply with contractual obligations where the personal data owner is a contracting party or it is deemed necessary to use that personal data in order to comply with the personal data owner’s request before entering into such a contract
- Where any harm to health, life or body of personal data owner must be prevented in cases where he/she is unable to give consent
- Where it becomes necessary to accomplish certain objectives in the name of significant public interest.
When a problem arises due to insufficient personal data protection standards in the destination country/organization, it shall be reviewed by the Committee in order to propose a solution or pursue litigation.
The subject of Thai PDPA for international data transfers can be huge and full of technical intricacies – our Thailand PDPA compliance team can certainly offer assistance in that regard.
Closing thoughts
There are many other aspects to international data transfers that schools must understand in order to safely exchange students’ personal data when the need arises. This includes international recruitment and compliance with both the latest PDPA and GDPR laws – not to mention data processing contracts and due diligence when working with an international third-party cloud service.
Our data privacy consultants are only a phone call away to help ensure that you are 100% compliant when transmitting any data outside of your school’s local jurisdiction.