Cross-Border Transfer of Personal Data: A Study of the Tourism Authority of Thailand’s Offices Located in the European Union
Keywords:
Tourism Authority of Thailand, Cross-Border Transfer of Personal DataAbstract
The Tourism Authority of Thailand (TAT) is a state enterprise under the Ministry of Tourism and Sports, established with the objective of promoting tourism in Thailand. TAT has set up offices within the European Union, and each office engages in activities related to the processing of personal data of data subjects in the EU countries. As a result, these offices are subject to the General Data Protection Regulation (GDPR). This research aims to study the nature of activities relating to personal data processing carried out by TAT offices in Paris (France), Frankfurt (Germany), Rome, (Italy) and Stockholm (Sweden). This research shows that some activities of these offices involve cross-border transfers of personal data to Thailand. Since the GDPR imposes stringent conditions on transfer of personal data to third countries, this research aims to suggest guideline for TAT to determine what constitutes cross-border data transfers to third countries and to propose the appropriate and legally practices for cross-border transferring of personal data to Thailand. This is intended to mitigate the risk of TAT being held liable under the GDPR.
References
ราชกิจจานุเบกษา. (2522). พระราชบัญญัติการท่องเที่ยวแห่งประเทศไทย พ.ศ. 2522. เล่ม 96 ตอนที่ 140 ก หน้า 1–11. http://www.ratchakitcha.soc.go.th/DATA/PDF/2522/A/140/1.PDF
ราชกิจจานุเบกษา. (2562). พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562. เล่ม 136 ตอนที่ 69 ก (27 พฤษภาคม 2562). http://www.ratchakitcha.soc.go.th/DATA/PDF/2562/A/069/T_0052.PDF
Article 29 Data Protection Working Party. (2018, April 11). Recommendation on the standard application form for approval of processor Binding Corporate Rules for the transfer of personal data (17/EN WP265). European Commission.nhttps://ec.europa.eu/newsroom/article29/items/611236
European Parliament and Council of the European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union, L 119, 1–88. https://eur-lex.europa.eu/eli/reg/2016/679/oj
European Data Protection Board. (2018, May 25). Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679. https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22018-derogations-article-49-under-regulation_en
European Data Protection Board. (2021, June 18). Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0). https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en
European Data Protection Board. (2022, February 22). Guidelines 04/2021 on codes of conduct as tools for transfers – Version 2.0 (adopted after public consultation). https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042021-codes-conduct-tools-transfers-version_en
European Data Protection Board. (2023, February 14). Guidelines 07/2022 on certification as a tool for transfers – Version 2.0. https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072022-certification-tool-transfers-version-20_en
European Data Protection Board. (2023, February 14). Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR – Version 2.0. https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052021-interplay-between-application-article-3-and_en
European Data Protection Board. (2023, June 20). Recommendations 1/2022 on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR). https://edpb.europa.eu/our-work-tools/ourdocuments/recommendations/recommendations-12022-application-approval-and-elements_en
European Data Protection Board & European Data Protection Supervisor. (2021). EDPB- EDPS Joint Opinion 1/2021 on the European Commission’s implementing decision on standard contractual clauses between controllers and processors for the matters referred to in Article 28(7) of Regulation (EU) 2016/679 and Article 29(7) of Regulation (EU) 2018/1725. https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/edpb-edps-joint-opinion-12021-european-commissions_en
Federal Republic of Germany. (2017). Bundesdatenschutzgesetz (Federal Data Protection Act – BDSG), as amended by the Act of 30 June 2017. Federal Law Gazette I, p. 2097. https://www.gesetze-im-internet.de/englisch_bdsg/
French Republic. (2018). Act No. 2018-493 of 20 June 2018 on the protection of personal data. Official Journal of the French Republic. https://www.legifrance.gouv.fr
Italian Republic. (2003). Legislative Decree No. 196 of 30 June 2003: Personal Data Protection Code, as amended. Gazzetta Ufficiale della Repubblica Italiana. https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1311248
Kingdom of Sweden. (2018). Lag (2018:218) med kompletterande bestämmelser tillEU:sdataskyddsförordning (Dataskyddslagen). Svensk författningssamling. https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/dataskyddslag-2018218_sfs-2018-218
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2025 Faculty of Humanities and Social Sciences Bansomdejchaopraya Rajabhat University
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
