Qualifications and duties of the Data Protection Officer
Keywords: Mazars, Thailand, Legal, PDPA, Data Protection Officer, DPO
7 March 2022
It is important for the Data Controller and the Data Processor to note the following key duties and qualifications of the DPO:
Duties of the DPO
The DPO’s duties under Section 42 of the PDPA are:
- to advise the Data Controller or the Data Processor on how to comply with the PDPA;
- to review whether the processing of personal data by the Data Controller or the Data Processor complies with the PDPA;
- to cooperate with the Office of the PDPC when there is any issue regarding the processing of personal data undertaken by the Data Controller or Data Processor; and
- to maintain the confidentiality of personal data that becomes known or is received in the course of his duties.
Additionally, the DPO should be aware of any PDPA sub-regulations that will be enforced in the future, in order to determine any additional responsibilities for Data Controllers and Data Processors. The DPO should also be aware of any other data protection regulations to ensure that the Data Controllers and Data Processors comply with the PDPA.
Qualifications of the DPO
Currently, the PDPA does not list any specific qualifications for the position of DPO. However, based on the duties that the DPO must perform under the PDPA, as well as guidelines on personal data protection practices in Europe, a DPO should have the following qualifications:
- possess expertise in data protection laws and practices, including having an in-depth understanding of the PDPA;
- have a good understanding of personal data processing activities carried out by the Data Controller or Data Processor;
- have a good understanding of information technology and data security;
- have a good understanding of the company's operations;
- have the ability to increase awareness of personal data protection within the organization; and
- have good communication skills to be able to explain procedures for processing personal data and data protection within the organization.
Although there is no punishment imposed if the DPO fails to comply with his duties under the PDPA, the DPO may be charged with a criminal offence if he unlawfully discloses any personal data collected in the course of his duties.
References:
Government Gazette (in Thai) dated 24 May 2019
Government Gazette (in English) dated 24 May 2019