
Public Hearing on the Third Group of PDPA Subsidiary Legislations


The Personal Data Protection Act BE 2562 (2019) (“PDPA”) will come into full force in Thailand as of 1 June 2022. It is expected that by that date, subsidiary legislations will have been issued under the PDPA to supplement the application of the PDPA itself. Public hearings on two different groups of PDPA subsidiary legislations have already been held, in February and June 2021, covering several important legal issues such as the criteria and method for obtaining consent, privacy notices, data security measures, cross-border transfer, data subjects’ rights, the scope of application of the PDPA and its exemptions, as well as the duties of the Controller and the Processor.

As for the last group of PDPA subsidiary legislations, a public hearing was recently held online from 6 to 9 September 2021. The issuance of the following subsidiary legislations was discussed at that hearing:

  • Code of Conduct
  • Data Protection Impact Assessment
  • PDPA Certification
  • Automated Individual Decision-Making

The concept of a ‘Code of Conduct’ is introduced for the first time in the third group of PDPA subsidiary legislations. It will serve as a tool to make it easier for business sectors to ensure that they comply with the PDPA. A group of Controllers and/or Processors, potentially those in the same sector, may develop a Code of Conduct and apply, on a voluntary basis and through a representative/association called the ‘Code Owner’, for its approval by the Personal Data Protection Office. The Code of Conduct will have binding and enforceable effect, meaning that there will be a mechanism for monitoring members’ compliance with the Code of Conduct, as well as sanctions for any non-compliance. Once a Controller and/or Processor that is a member has complied with the approved Code of Conduct, it will benefit from a legal assumption that it has acted in compliance with the PDPA.

In regard to PDPA Certification, a Controller and/or Processor can request certification demonstrating its appropriate safeguard measures. A certification body qualified to issue certification must be a person/entity approved by the Personal Data Protection Office. The relevant subsidiary legislation will lay out the required qualifications and the process for approval of the certification body, as well as other necessary certification mechanisms.

Regarding the ‘Data Protection Impact Assessment (DPIA)’, although the PDPA itself does not specifically require a Controller and/or Processor to conduct a DPIA, the Controller and/or Processor is nevertheless obliged by the PDPA to provide appropriate safeguard measures. To that end, this subsidiary legislation requires that if the activities concerned will or may result in a high risk, a DPIA must be conducted before processing such personal data. What is considered as ‘resulting in a high risk’ will be described under this subsidiary legislation.

Moreover, the PDPA subsidiary legislation will further elaborate on the concept of ‘Automated Individual Decision-Making’. In essence, it will provide that the data subject has a right to obtain human intervention on the part of the Controller. There will be exemptions from this right, for instance, where the automated decision is necessary for entering into or performing a contract between the data subject and a Controller; it is authorised under the laws; or it is based on the data subject’s explicit consent.

In light of the above, we can now see more similarities between the PDPA and the EU’s GDPR through this last group of sub-legislations. Nonetheless, it is important to note that the criteria and conditions for the above matters have not been settled yet, and there might be some changes during the public hearing stage. Please await further details as to when these subsidiary legislations will be officially published in the Royal Gazette.

This Newsletter is intended merely to provide a regulatory overview and is not intended to be comprehensive; it is NOT a provision of legal advice. Should you have any questions on this or on any other areas of law, please do not hesitate to contact the following:

Chanakarn Boonyasith
Partner

Pitchabsorn Whangruammit
Attorney-at-Law