Qualifications and duties of the Data Protection Officer

Since the enactment of the Personal Data Protection Act ("the PDPA”) in 2019, Thai businesses have become more aware of data protection issues. Currently, most Data Controllers are aware of their duties, including appointing a Data Protection Officer (“DPO”), as prescribed under Section 41 of the PDPA.

Keywords: Mazars, Thailand, Legal, PDPA, Data Protection Officer, DPO

7 March 2022

It is important for the Data Controller and the Data Processor to note the following key duties and qualifications of the DPO:

Duties of the DPO

The DPO’s duties under Section 42 of the PDPA are:

  1. to advise the Data Controller or the Data Processor on how to comply with the PDPA;
  2. to review whether the processing of personal data by the Data Controller or the Data Processor complies with the PDPA;
  3. to cooperate with the Office of the PDPC when there is any issue regarding the processing of personal data undertaken by the Data Controller or Data Processor; and
  4. to keep the confidentiality of personal data that becomes known or is received in the course of his duties.

Additionally, the DPO should be aware of any PDPA sub-regulations which will be enforced in future in order to determine any additional responsibilities for Data Controllers and Data Processors. The DPO should also be aware of any other data protection regulations to ensure that the Data Controllers and Data Processors comply with the PDPA.

Qualifications of the DPO

Currently, the PDPA does not list any specific qualifications for the position of DPO. However, based on the duties that the DPO must perform under the PDPA, as well as guidelines on personal data protection practices in Europe, a DPO should have the following qualifications:

  • possess expertise in data protection laws and practices, including having an in-depth understanding of the PDPA;
  • have a good understanding of personal data processing activities carried out by the Data Controller or Data Processor;
  • have a good understanding of information technology and data security;
  • have a good understanding of the company's operations;
  • have the ability to increase awareness of personal data protection within the organization; and
  • have good communication skills to be able to explain procedures for processing personal data and data protection within the organization.

Although there is no punishment imposed if the DPO fails to comply with his duties under the PDPA, the DPO may be charged with a criminal offence if he unlawfully discloses any personal data collected in the course of his duties.

References:

Government Gazette (in Thai) dated on 24 May 2019

Government Gazette (in English) dated on 24 May 2019

European data protection supervisor

Information Commissioner’s Office

Want to know more?