The Personal Data Protection Act B.E. 2562 (2019) (“PDPA“), which became effective on 1 June 2022, specifies the rules and restrictions that Data Controller and Data Processor must adhere to. One important rule and regulation regarding the Data Protection Officer (“DPO“) is specified in Section 41 of PDPA that “The Data Controller and the Data Processor shall designate a data protection officer…” Therefore, many organizations might wonder, what is a DPO? What is its responsibility? And what qualifications are required to become one?

A DPO is a person who is responsible for the data protection of all personal data collected, used and disclosed by a legal entity, whether it is internal personal data or third-party personal data collected by the legal entity. Section 42 of the PDPA specifies the duties of the DPO as follows:

1. Providing advice to the Data Controller and Data Processor, as well as all employees and service providers of those parties involved in the data processing, in order to ensure PDPA compliance, such as providing them with PDPA information and training sessions, particularly to those who directly operate with data processing, in order to ensure adherence to the legal entity’s privacy policy and follow the rules and regulations pertaining to the personal data protection.
2. Monitoring the operation and the performance of the parties mentioned in item 1 regarding personal data collection, use and disclosure to be in accordance with the PDPA.
3. Coordinating with the regulator, the Personal Data Protection Committee (“PDPC”) on any issues that arise in relation to item 2 such as a data breach.
4. Maintaining the confidentiality of personal data known and acquired while performing the duties.

There are no officially announced sub-regulations governing DPO qualification; the PDPA only specifies the duties of the DPO as mentioned above. As a result, the following is only a guideline by Thailand Data Protection Guidelines regarding this such matter, which Data Controller and Data Processor should consider.

1. Having background knowledge of the PDPA and other applicable laws
2. Understanding of technologies, IT, and data security measures. The DPO may need to fully understand this matter because the IT system and technological capabilities may be involved in personal data collection, use, disclosure and processing in order to perform its obligations in terms of technology under the PDPA.
3. DPO should not be a person who directly benefits from collecting personal data, and DPO shall not be able to audit its own actions involving the collection, use or disclosure of personal data. As a result, the duties of the DPO and those who process personal data should not overlap.
4. Good communication and collaboration skills with internals, externals and regulators because the DPO must collaborate with all departments within the organization and the PDPC pertaining to PDPA matters. Furthermore, the DPO should be the person who has direct access to the executives because many aspects of PDPA compliance may need to be taken urgently.
5. DPO is not required to be an employee of the legal entity for which he or she works.

After the designation of a DPO by legal entities, the Data Controller and the Data Processor are also required by Section 41 paragraph 5 of the PDPA to inform the PDPC and Data Subject of the information, i.e. DPO’s information, contact address and contact channels. Plus, Any Data Controllers and Data Processors who are in the same affiliated business or group of undertakings and designate the same jointly DPO must also provide a list of all Data Controllers and/or Data Processors with whom such DPO works for. For the contact channel for informing the said information, it can be sent to PDPC via an email and telephone number as specified in the Announcement of the Office of the Personal Data Protection Committee Concerning Electronic Channels for Contacting the Office of Personal Data Protection Committee B.E. 2562 (2019) For an obligation to inform the Data Subject of the DPO’s information as mentioned above, this can be included in the privacy notice or privacy policy published by the Data Controller and Data Processor, as the same matter is also required by Section 23 (5) of the PDPA. Despite the fact that no sub-regulation regarding DPO qualifications has been announced, all Data Controllers, Data Processors, DPOs and other relevant parties should keep an eye on these upcoming regulations in order to comply with the PDPA and designate an appropriate DPO for your legal entity because DPO shall play an important role and directly affect your legal entity’s compliance with PDPA.

Author: Panisa Suwanmatajarn, Managing Partner.