DPO SERVICE




 If you do not have personnel to support the position of Data Protection Officer (DPO)

 If you need personnel with expertise in the Personal Data Protection Act (PDPA)

 If you are looking to outsource the work of the DPO for your organization


Inter Consultant Law and Business Co., Ltd. offers a DPO service for all types of business clients, which will help you comply completely and efficiently with Section 41 of the PDPA B.E. 2562.


Who is a Data Protection Officer (DPO)?


 A DPO is the person responsible for overseeing and ensuring that the organization complies fully and correctly with the PDPA, and for performing management duties when there is a claim for rights under the PDPA. This includes coordinating with the Office of the Personal Data Protection Committee, the data subject, and the departments within the organization involved in the collection, processing, use, and storage of personal data when a personal data breach occurs.


 A DPO may be an employee of the Data Controller or Data Processor, or a contractor providing services under a contract with the Data Controller or Data Processor (where the DPO is an employee of the organization, the Data Controller or Data Processor must attest to the PDPC that such duties or missions shall not conflict with or contradict the performance of duties under the Personal Data Protection Act).


 A DPO must know and understand the Thai PDPA, foreign laws, and other related laws well enough to advise Data Controllers or Data Processors, including their employees or contractors, on compliance with the PDPA, and must have expertise in personal rights.


 DPO must have knowledge and experience in risk assessment and risk mitigation, both in terms of privacy and technology, in accordance with the standards recognized by law.


 DPO must have an understanding of the organization's data processing operations and activities, including the ability to interpret the laws applicable to personal data protection in each context and interpersonal skills such as the ability to communicate, negotiate, resolve conflicts and build rapport with others in the workplace.

DPO Scope of Operation


The services provided include 3 parts: internal work (including the preparation of policies and related documents), work related to personal data subjects, and work related to contacting the Office of the Personal Data Protection Committee, as follows:

Internal work

  • Define the structure of personal data that the company/organization is responsible for collecting, using, processing, and storing
  • Assess the risk of personal data management to examine the risk and determine the method to mitigate or eliminate the risk
  • Create a personal data protection policy for groups of data subjects involved in the company/organization's operations.
  • Create forms, data entry forms, agreements, contracts related to personal data protection.
  • Investigate facts and conduct a risk assessment on the rights and freedoms of data subjects (DPIA) when a personal data breach or leakage occurs.
  • Regularly review processes, especially processes for collecting, processing, using, and disclosing personal data that the company/organization is responsible for.
  • Provide advice and recommendations on operations related to or affecting personal data to the relevant operating units.

Work related to personal data subject

  • Supervise the system for receiving complaints or requests to exercise various rights from personal data subjects, such as personal data subjects requesting to view and request copies of personal data, requesting to suspend the use of personal data, requesting to delete/destroy personal data, requesting to correct personal data, or complaining that the company has used personal data without consent, etc.
  • Consider complaints and respond to personal data subjects regarding the action taken on a request, or the decision not to take action, and explain the reasons or rights according to the law.
  • Investigate complaints in cases where personal data is found to have been collected or used or disclosed without consent or in a manner inconsistent with legal principles
  • Negotiate or mediate to find solutions in cases where problems arise according to complaints from personal data subjects

Contact the Office of the Personal Data Protection Committee

  • DPO must have the qualifications and criteria as specified by the Office of the Personal Data Protection Committee
  • Inform the Office of the Personal Data Protection Committee of the details of the DPO of the company/organization.
  • Continuously check and update the criteria, announcements, and regulations regarding compliance with the Personal Data Protection Act B.E. 2562 in order to improve the company/organization's personal data protection policy and process.
  • Coordinate with the Office of the Personal Data Protection Committee in cases where the Office requests cooperation or notifies announcements or regulations to be complied with
  • Notify, prepare reports and coordinate with the Office of the Personal Data Protection Committee in the event of a leak or breach of personal data which has been assessed to have a risk of impact on the rights and freedoms of personal data subjects
  • Negotiate or provide facts to the Office of the Personal Data Protection Committee in cases where it is ordered to submit information or facts in accordance with the Personal Data Protection Act.