Newly Issued Guidelines by the PDPC under Thailand’s Personal Data Protection Act
Ever since the full enforcement of the Personal Data Protection Act B.E. 2562 (2019) (the “PDPA”) on 1 June 2022, the Personal Data Protection Committee (the “PDPC”) has been continuously issuing new sub-legislation and guidelines. Further to our update in the newsletter for August and September 2022, the PDPC announced two new guidelines on 7 September 2022 with the aim of giving Data Controllers and related parties a better and clearer understanding of the PDPA, which should in turn make the protection of Personal Data more effective. The two new guidelines, which have been eagerly anticipated, are as follows:
- Guideline on Requesting Consent from the Data Subject under the Personal Data Protection Act B.E. 2562 (2019) (“Consent Guideline”); and
- Guideline on Procedures for Notifying the Purpose and Details relating to the Collection of Personal Data from Data Subjects under the Personal Data Protection Act B.E. 2562 (2019) (“Notification Guideline”)
Pursuant to these two new guidelines, where a specific law, or a regulatory or supervisory agency, prescribes rules on the notification of purposes and details relating to the collection of Personal Data, or designates a specific form or statement for the request for consent, and those rules are not contrary to or inconsistent with the PDPA, the Data Controller must comply with such rules and use such form or statement. For instance, a specific consent form may be prescribed by a regulatory or supervisory agency in certain sectors, e.g. the Bank of Thailand, the Office of the Securities and Exchange Commission or the Office of Insurance Commission. However, such rules must not set a standard lower than that set out in the two guidelines. Where no specific law or regulatory or supervisory agency prescribes rules on the notification or designates a specific form or statement for the request for consent, the Data Controller should proceed according to the two new guidelines issued by the PDPC. It is therefore important to understand the essence of both the Consent Guideline and the Notification Guideline, which we briefly explain below.
The Consent Guideline explains the details of the whole process, from the point at which the Data Controller requests consent from the data subject in order to collect, use or disclose the Personal Data, through to the withdrawal of consent. The Data Controller may use a voluntary standard form or create its own consent request forms and statements. In addition, the Consent Guideline elaborates on, and provides examples of, the criteria based on the requirements under Section 19 and Section 24 of the PDPA of which the Data Controller should be aware when creating its own consent request forms and statements, as follows:
- Consent from the data subject is the residual lawful basis on which the Data Controller may rely in order to collect, use or disclose the Personal Data where none of the other exceptions under Section 24 (in the case of general Personal Data) or Section 26 (in the case of sensitive Personal Data), as the case may be, applies.
- The consent must be requested prior to or at the time of the collection, use or disclosure of the Personal Data.
- The consent must be given voluntarily and freely by the data subject; giving consent must not be made a compulsory or binding condition of entering into a contract or of being provided with a service where the Personal Data to be collected, used or disclosed is unnecessary for, or irrelevant to, entering into such contract or providing such service.
- The request for consent must state the specific purpose and details of the consent being given, not a broad, general purpose. Purposes for the collection, use or disclosure of several different types of Personal Data, or for several different processing activities, may not be bundled together into a single request for consent.
- The request for consent must have a form or statement that is easily accessible and understandable, and use language that is easy to read, non-deceptive and does not mislead the data subject.
- The request for consent must be clearly separated from other statements, such as the contract, and cannot become any part of the agreement, juristic act, contract or condition in the purchase of goods, provision of services, or performing any transaction.
In addition, the Consent Guideline further explains that the consent must be explicitly requested, which may be done in writing or through an electronic system unless, by nature, the consent cannot be requested by such means. The grant of consent should also be done with a clear affirmative act (such as by submitting a written notice of consent prepared by the data subject him/herself, signing to grant consent in a consent form prepared by the Data Controller, clicking the checkbox to indicate “consent” by the data subject him/herself, pressing a button on a mobile phone twice in a row to declare confirmatory intent or swiping a screen to indicate the intent to give consent by the data subject when there is an obvious notification that such acts indicate an agreement or consent to the collection, use or disclosure of Personal Data); however, in some cases, a verbal grant of consent or consent given by telephone may be clear enough to constitute lawful consent. The Consent Guideline further provides details of the withdrawal of consent from the data subject as well as the request for consent of a minor, an incompetent or quasi-incompetent person.
As for the Notification Guideline, it elaborates on the principles to be determined when notifying the purposes and details relating to the collection, use and disclosure of Personal Data to the data subject. Such principles include the following:
- Fairness: The Data Controller must ensure that the purposes and details notified to the data subject prior to or at the time of the collection of Personal Data identify the impact arising from the use and disclosure of the Personal Data, and must ensure that the language and text used in notifying the purposes and details are clear and easily understandable.
- Purpose Limitation: The purposes and details relating to the collection, use and disclosure of Personal Data must be limited and clear, and the Data Controller must not use the Personal Data beyond the scope of purposes that has been notified to the data subject.
- Consent: Consent from the data subject is the lawful basis to which the Data Controller must adhere in order to collect, use or disclose the Personal Data where the processing does not fall under any of the exceptions stipulated under Section 24 or Section 26, as the case may be; in that case, requesting consent from the data subject is necessary.
- Claiming of Legitimate Interest: If the Data Controller relies on the collection of Personal Data being necessary for the legitimate interest of the Data Controller, or of another natural or juristic person other than the Data Controller, as the lawful basis for collecting, using and disclosing the Personal Data, it should exercise special caution in safeguarding the interests of the data subject and preventing any direct impact on the data subject.
The Notification Guideline also clarifies and provides examples of the two types of collection of Personal Data, i.e. direct collection from the data subject and collection from any other source. For the latter type, the Notification Guideline emphasises that, in order to prevent risk and impact from the use and disclosure of Personal Data without the data subject’s consent and awareness, before the Data Controller collects, uses or discloses Personal Data obtained from other sources, the Data Controller should carry out a Data Protection Impact Assessment (the “DPIA”) in order to identify and assess the risks which may arise from the use or disclosure of the Personal Data, especially where modern technologies that process or disclose a large amount of Personal Data, such as artificial intelligence (AI), are used. The Notification Guideline also provides exceptions from the requirement to give notification of new purposes, in particular where the Data Controller can prove that such notification is impossible or would obstruct the use or disclosure of the Personal Data; in that case the Data Controller has to weigh, together, the amount and volume of Personal Data, the age of the data subjects and the measures in place to prevent damage from the use or disclosure of the Personal Data.
Moreover, the Notification Guideline lays out the methods which can be used to notify the purposes and details relating to the collection of Personal Data, such as written notice, verbal notice, text notice by SMS, e-mail, MMS, telephone or any other electronic means, e.g. by providing the details via a URL or QR code, or by using a layered approach or a dashboard with underlined text linking to the purposes and details relating to the collection of Personal Data in further detail.
Currently, there is no official English translation of the two guidelines provided by the authority. However, as both guidelines will give Data Controllers a better understanding of their obligations pertaining to notification and consent under the PDPA, our lawyer has translated the two new guidelines from Thai into English; we can provide you with the English translation of the Consent Guideline and the Notification Guideline for your reference, upon request.
Judging by the rapid rate at which the PDPC has issued sub-legislation and guidelines over the past few months, it can be expected that further supplementary laws and guidelines under the PDPA will continue to be issued by the authority.
This is intended merely to provide a regulatory overview and not to be comprehensive, nor to provide legal advice. Should you have any questions on this or on other areas of law, please do not hesitate to contact: