It has been nearly five years since the issuance of the Personal Data Protection Act B.E. 2562 (2019) (the "PDPA"), and a year and a half since it became fully enforceable in Thailand. Currently, the Personal Data Protection Committee (the "PDPC") – the ruling authority under Personal Data Protection Laws in Thailand - is actively pursuing enforcement of the PDPA, which demonstrates a clear commitment to the protection of personal data. In recent years, four sub-regulations have been issued, and there are four more that have been published for public hearing in October 2023.
Alongside the issuance of the sub-regulations, the PDPC is also publishing its rules and decisions on complaints filed with the PDPC, which affirms the more active enforcement of Personal Data Protection Laws in Thailand. In this newsletter, our Personal Data Protection Practice Group will provide an update on the recent activities of the PDPC, with insights into the implications of such for business operations in Thailand.
Published sub-regulations
Sub-regulations have been regularly and consistently released to specify the rules and regulations under the PDPA; some of which are already in full effect. For your convenience, please find a brief summary of the noteworthy sub-regulations we have covered in our newsletter:
- New Decree on the criteria, type and organisations
that are exempt from certain obligations under the Personal
Data Protection Act B.E. 2562 (2019); B.E. 2566
(2023)
N&A Newsletter : https://www.nishimura.com/en/knowledge/publications/personal-data-protection-laws-update-thailands-new-decree-on-the-criteria-type-and-organisations-that-are-exempt-from-certain-obligations-under-the-personal-data-protection
- Sub-regulation on the designation of the Data
Protection Officer under Section 41 (2) of the PDPA
N&A Newsletter : https://www.nishimura.com/en/knowledge/publications/personal-data-protection-laws-update-thailands-new-sub-regulation-on-the-designation-of-the-data-protection-officer-under-section-41-2-of-personal-data-protection-act-be-2562-2019-be-2566-2023
- Sub-regulation on the Data Controller and the Data
Processor who is a public authority which are required to designate
the Data Protection Officer
N&A Newsletter : https://www.nishimura.com/en/knowledge/publications/personal-data-protection-laws-update-thailands-new-notification-regarding-the-data-controller-and-the-data-processor
- Sub-regulation on the Criteria and Method for
Reporting Personal Data Breaches
N&A Newsletter : https://www.nishimura.com/en/knowledge/publications/personal-data-protection-laws-update
Draft Sub-regulations
In October 2023, the PDPC published the two following draft sub-regulations for public hearing:
1. Draft - PDPC Notification on security measures for
the personal data of data controllers who are exempted under the
PDPA.
This draft sub-regulation is issued in accordance with Section 14
of the recent Decree published in August 2023, under which some
activities or organisations are exempt from certain obligations
under the PDPA, e.g. anti-corruption, tax-related investigations
and international cooperation on criminal justice. However, the
security measures issued by the PDPC must still be complied with in
order to secure the fundamental rights and interests of the data
subject.
In this draft sub-regulation, the PDPC rules that data controllers
must implement reasonable security measures to prevent unauthorised
or unlawful loss, access, use, change, alteration or disclose of
personal data. Such security measures must accomplish the following
(draft sub regulation article 4):
" Cover the collection, use and disclosure of personal data
regardless of the format (e.g. hard copy or electronically, etc.),
and include any information system (e.g. hardware and software,
etc.) involved in the processing of personal data.
" Consist of organisational measures, technical measures and
necessary physical measures based on the type, purpose of use and
possible data breach.
" Provide necessary and reasonable risk assessment and
monitoring of information assets, as well as take the prevention
plan into consideration.
" Manage, maintain and take into consideration the
confidentiality, integrity and availability of personal data.
" Contain necessary measures on the access, use, change,
alteration or disclosure of personal data, such as access control,
identification, authorisation and responsibility levels, as well as
access management and log data of usage.
" Provide training to raise awareness of privacy and security,
including policy, procedure and other measures to all staffs
employees and users.
" Take into consideration and utilise pseudonymisation
(data management and de-identification procedure by which
personally identifiable information fields within a data record are
replaced by one or more artificial identifiers, or
pseudonyms), encryption or any measures to mitigate risks to
personal data.
Furthermore, data controllers must review security measures in
response to technological changes in order to improve the security
measures. In the event of the occurrence of a data breach incident,
data controllers must also review security measures unless there is
no risk to the rights and freedom of a person (draft sub
regulation article 5).
Under Article 6 of the draft sub-regulation, data controllers must
ensure that their data processor or any person involved in the
collection, use or disclosure of personal data must comply with the
security measures in order to prevent unlawful loss, access, use,
change, alteration or disclosure of personal data, and promptly
notify a data controller on any data breach incident.
Under Article 7 of the draft sub-regulation, data controllers must
comply with other security measures under different laws or
regulations if applicable. However, these security measures must
still comply with the provisions of this sub-regulation.
Reference (Thai) : 2023-10-17-08:26:44_(ร่าง) ประกาศฯ มาตรฐานการรักษาความมั่นคงปลอดภัยของข้อมูลส่วนบุคคลตาม พ.ร.ฎ._รับฟังความเห็น.pdf (law.go.th)
2. Draft - PDPC Notification on suitable measures to
safeguard the data subject's rights and freedoms, for the
historical documents or the archives for public
interest.
This draft sub-regulation is issued under Section 24 (1) of the
PDPA, and provides an exemption for data controllers to collect
personal data without consent from a data subject.
'Section 24: The Data Controller shall not collect Personal
Data without the consent of the data subject, unless :
(1)it is for the achievement of the purpose relating to the
preparation of the historical documents or the archives for public
interest, or for the purpose relating to research or statistics, in
which the suitable measures to safeguard the data subject's
rights and freedoms are put in place and in accordance with the
notification as prescribed by the Committee;...'
For easy reference, the wording 'the purpose
relating to the preparation of the historical documents or the
archives for public interest' is defined under Article
3 of the draft sub-regulation as: 'operations to preserve of
the records, story, document, evidence, or information for the
current purpose or any possible purpose, all for public
interest'.
Regarding the collection of personal data without consent, under
Article 4 of the draft sub-regulation, data controllers must
implement reasonable security measures to safeguard the data
subject's rights and freedoms, which must include the
following:
" Organisational measures and technical measures so that such
collection is solely for the purpose of the preparation of
historical documents or archives for public interest. " Data
controllers must provide necessary security measures in accordance
with minimum standards under Section 37 (1) of the PDPA. "
Pseudonymising, encrypting or employing any measures to mitigate
risks to personal data, if possible, for the purpose of the
preparation of historical documents or archives for public
interest.
Reference (Thai): 2023-10-17-08:34:47_(ร่าง)
ประกาศฯ
เอกสารประวัติศาสตร์_มาตรา
24(1)_รับฟังความเห็น.pdf
(law.go.th)
Please note that the PDPC also published additional two draft notifications on personal data cross-border transfer on 27 October 2023 for public hearing. Our PDPA team is currently preparing a newsletter and will publish shortly.
PDPC's rules and decisions on personal data protection matters:
Under Chapter 5 of the PDPA (Sections 71 - 76), the data subject is entitled to file a complaint against the data controller or data processor to the PDPC if it does not comply with the PDPA or sub-regulation. The PDPC also has the authority to review, investigate, settle a dispute and order the data controller or data processor to comply with the laws or to rectify their actions.
The PDPC also publishes decisions regarding complaints (on an anonymous basis), which offer valuable insights into the interpretation and enforcement of PDPA regulations:
PDPC's order regarding a complaint against an insurance company:
A data subject complained about an insurance company's unsolicited telesales without consent. Despite several withdrawals of consent, the insurance company still contacted a data subject.
The insurance company argued that it had received personal data under a marketing information sales agreement before the effective date of the PDPA. In such regard, the PDPC decided that the insurance company is able to use personal data but is still required to comply with Section 25, which rules that the data subject must be notified and consent must be obtained from the data subject within 30 days for the collection of personal data from any other source. Furthermore, even though a data controller is entitled to continuously use personal data received before the effective date of the PDPA, the data controller must have an easy consent withdrawal method under Section 33 of the PDPA.
In such regard, the data controller did not provide an easy consent withdrawal method, which is considered as non-compliance with the law. The PDPC thus ordered the insurance company to rectify any non-compliances and ordered the insurance company to report back to the PDPC within 30 days in such regard.
Reference: PDPC Thailand - คำสั่งของคณะกรรมการผู้เชี่ยวชาญ... | Facebook
PDPC's order regarding a complaint against a banking company:
A data subject complained about a mobile banking application which requested consent that is not given freely under Section 19 of the PDPA (consent must be given freely, and obtaining consent must not be a condition to enter into the agreement unless it is strictly necessary). However, a data subject further informed the PDPC that the banking company has edited the consent form to comply with the law.
The PDPC reviewed the matter and agreed that the banking company has complied with the law and therefore withdrew the complaint accordingly.
Reference: PDPC Thailand - คำสั่งของคณะกรรมการผู้เชี่ยวชาญ... | Facebook
PDPC's order regarding a complaint against a logistics company:
A data subject who is an ex-employee of a logistics company was entitled to a discounted transportation benefit after resignation. The logistics company e-mailed the data subject to request personal data in order to issue the discounted transportation card, to which the data subject gave consent. Later, the logistics company used the provided personal data to discontinue the transportation card.
The PDPC ordered that the consent given only covered the issuance of a discounted transportation card. Using personal data for discontinuation is contrary to Section 27 of the PDPA (the data controller shall not use or disclose personal data without the consent of the data subject). Additionally, a consent request form must clearly state all the purposes of the collection, use and disclosure of personal data; it must be clearly distinct from other matters and must not be misleading.
In such regard, the PDPC viewed that the logistics company's actions are not in compliance with the law, and therefore ordered the logistics company to amend its consent request form so that it is provided without any condition, and report back to the PDPC within 30 days.
Reference: PDPC Thailand - คำสั่งของคณะกรรมการผู้เชี่ยวชาญ... | Facebook
In conclusion, these proactive approaches taken by the PDPC in enforcing the PDPA demonstrate a strong commitment to the protection of personal data. Business operators or entities involved in the collection, use or disclosure of personal data should take this into account and ensure compliance with the law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
