The Personal Data Protection Act (PDPA) of Thailand governs the collection, use, disclosure, and transfer of personal data in the country. The PDPA includes specific requirements and restrictions regarding the transfer of personal data outside of Thailand.
Under the PDPA, a transfer of personal data outside of Thailand is only allowed in the following situations:
- The recipient of the personal data is located in a country or territory that has been deemed by the Thai government to provide an adequate level of personal data protection.
- The transfer is necessary for the performance of a contract between the data subject (the individual to whom the data relates) and the data controller (the person or organization that determines the purposes and means of the data processing).
- The transfer is necessary for the conclusion or performance of a contract between the data controller and a third party, and the transfer is in the data subject’s interest.
- The data subject has given consent to the transfer.
- The transfer is necessary for the establishment, exercise, or defense of legal claims.
- The transfer is necessary for the protection of the data subject’s vital interests.
If none of the above conditions are met, the transfer of personal data outside of Thailand is generally prohibited. However, there are some exceptions to this prohibition, including when the transfer is made with the approval of the Thai data protection authority or when the transfer is required by law.
It is important for organizations to comply with the PDPA’s requirements for the transfer of personal data outside of Thailand to avoid potential legal and financial consequences. Organizations should also ensure that they have appropriate measures in place to protect personal data during transfers, such as encryption or contractual agreements with the recipient.
The Formiti PDPA Data Transfer Impact Assessment service scores all your data transfers out of Thailand for a Fixed Price
Contact us today [email protected]