Thai Personal Data Protection Committee Actively Enforces the Personal Data Protection Laws
It has been nearly five years since the issuance of the Personal Data Protection Act B.E. 2562 (2019) (the “PDPA”), and a year and a half since it became fully enforceable in Thailand. Currently, the Personal Data Protection Committee (the “PDPC”) – the ruling authority under the Personal Data Protection Laws in Thailand – is actively pursuing enforcement of the PDPA, which demonstrates a clear commitment to the protection of personal data. In recent years, four sub-regulations have been issued, and four more were published for public hearing in October 2023.
Alongside the issuance of the sub-regulations, the PDPC is also publishing its rules and decisions on complaints filed with the PDPC, which affirms the more active enforcement of Personal Data Protection Laws in Thailand. In this newsletter, our Personal Data Protection Practice Group will provide an update on the recent activities of the PDPC, with insights into the implications of such for business operations in Thailand.
Sub-regulations have been regularly and consistently released to specify the rules and regulations under the PDPA, some of which are already in full effect. For your convenience, please find a brief summary of the noteworthy sub-regulations we have covered in our newsletter:
- New Decree on the criteria, type and organisations that are exempt from certain obligations under the Personal Data Protection Act B.E. 2562 (2019); B.E. 2566 (2023)
N&A Newsletter : https://www.nishimura.com/en/knowledge/publications/personal-data-protection-laws-update-thailands-new-decree-on-the-criteria-type-and-organisations-that-are-exempt-from-certain-obligations-under-the-personal-data-protection
- Sub-regulation on the designation of the Data Protection Officer under Section 41 (2) of the PDPA
N&A Newsletter : https://www.nishimura.com/en/knowledge/publications/personal-data-protection-laws-update-thailands-new-sub-regulation-on-the-designation-of-the-data-protection-officer-under-section-41-2-of-personal-data-protection-act-be-2562-2019-be-2566-2023
- Sub-regulation on the Data Controller and the Data Processor that is a public authority and is required to designate the Data Protection Officer
N&A Newsletter : https://www.nishimura.com/en/knowledge/publications/personal-data-protection-laws-update-thailands-new-notification-regarding-the-data-controller-and-the-data-processor
- Sub-regulation on the Criteria and Method for Reporting Personal Data Breaches
N&A Newsletter : https://www.nishimura.com/en/knowledge/publications/personal-data-protection-laws-update
In October 2023, the PDPC published the two following draft sub-regulations for public hearing:
1. Draft - PDPC Notification on security measures for the personal data of data controllers who are exempted under the PDPA.
This draft sub-regulation is issued in accordance with Section 14 of the recent Decree published in August 2023, under which some activities or organisations are exempt from certain obligations under the PDPA, e.g. anti-corruption, tax-related investigations and international cooperation on criminal justice. However, the security measures issued by the PDPC must still be complied with in order to secure the fundamental rights and interests of the data subject.
In this draft sub-regulation, the PDPC rules that data controllers must implement reasonable security measures to prevent unauthorised or unlawful loss, access, use, change, alteration or disclosure of personal data. Such security measures must accomplish the following (draft sub-regulation, Article 4):
• Cover the collection, use and disclosure of personal data regardless of the format (e.g. hard copy or electronic), and include any information system (e.g. hardware and software) involved in the processing of personal data.
• Consist of organisational measures, technical measures and necessary physical measures based on the type, purpose of use and possible data breach.
• Provide necessary and reasonable risk assessment and monitoring of information assets, as well as take the prevention plan into consideration.
• Manage, maintain and take into consideration the confidentiality, integrity and availability of personal data.
• Contain necessary measures on the access, use, change, alteration or disclosure of personal data, such as access control, identification, authorisation and responsibility levels, as well as access management and log data of usage.
• Provide training to raise awareness of privacy and security, including the policy, procedures and other measures, to all staff, employees and users.
• Take into consideration and utilise pseudonymisation (data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms), encryption or any measures to mitigate risks to personal data.
Furthermore, data controllers must review their security measures in response to technological changes in order to improve them. In the event of a data breach incident, data controllers must also review their security measures unless there is no risk to the rights and freedoms of a person (draft sub-regulation, Article 5).
Under Article 6 of the draft sub-regulation, data controllers must ensure that their data processor or any other person involved in the collection, use or disclosure of personal data complies with the security measures in order to prevent unlawful loss, access, use, change, alteration or disclosure of personal data, and promptly notifies the data controller of any data breach incident.
Under Article 7 of the draft sub-regulation, data controllers must comply with other security measures under different laws or regulations if applicable. However, these security measures must still comply with the provisions of this sub-regulation.
2. Draft - PDPC Notification on suitable measures to safeguard the data subject’s rights and freedoms, for the historical documents or the archives for public interest.
This draft sub-regulation is issued under Section 24 (1) of the PDPA, and provides an exemption for data controllers to collect personal data without consent from a data subject.
‘Section 24: The Data Controller shall not collect Personal Data without the consent of the data subject, unless :
(1) it is for the achievement of the purpose relating to the preparation of the historical documents or the archives for public interest, or for the purpose relating to research or statistics, in which the suitable measures to safeguard the data subject's rights and freedoms are put in place and in accordance with the notification as prescribed by the Committee;…’
For easy reference, the wording ‘the purpose relating to the preparation of the historical documents or the archives for public interest’ is defined under Article 3 of the draft sub-regulation as: ‘operations to preserve the records, story, document, evidence, or information for the current purpose or any possible purpose, all for public interest’.
Regarding the collection of personal data without consent, under Article 4 of the draft sub-regulation, data controllers must implement reasonable security measures to safeguard the data subject’s rights and freedoms, which must include the following:
• Organisational measures and technical measures so that such collection is solely for the purpose of the preparation of historical documents or archives for public interest.
• Data controllers must provide necessary security measures in accordance with the minimum standards under Section 37 (1) of the PDPA.
• Pseudonymising, encrypting or employing any measures to mitigate risks to personal data, if possible, for the purpose of the preparation of historical documents or archives for public interest.
Reference (Thai): 2023-10-17-08:34:47_(ร่าง) ประกาศฯ เอกสารประวัติศาสตร์_มาตรา 24(1)_รับฟังความเห็น.pdf (law.go.th)
Please note that the PDPC also published two additional draft notifications on personal data cross-border transfer on 27 October 2023 for public hearing. Our PDPA team is currently preparing a newsletter on them and will publish it shortly.
PDPC’s rules and decisions on personal data protection matters:
Under Chapter 5 of the PDPA (Sections 71 - 76), the data subject is entitled to file a complaint with the PDPC against a data controller or data processor that does not comply with the PDPA or a sub-regulation. The PDPC also has the authority to review, investigate, settle a dispute and order the data controller or data processor to comply with the law or to rectify its actions.
The PDPC also publishes decisions regarding complaints (on an anonymous basis), which offer valuable insights into the interpretation and enforcement of PDPA regulations:
PDPC’s order regarding a complaint against an insurance company:
A data subject complained about an insurance company’s unsolicited telesales without consent. Despite several withdrawals of consent, the insurance company still contacted the data subject.
The insurance company argued that it had received the personal data under a marketing information sales agreement before the effective date of the PDPA. In this regard, the PDPC decided that the insurance company is able to use the personal data but is still required to comply with Section 25, which rules that the data subject must be notified and consent must be obtained from the data subject within 30 days for the collection of personal data from any other source. Furthermore, even though a data controller is entitled to continue using personal data received before the effective date of the PDPA, the data controller must provide an easy consent withdrawal method under Section 33 of the PDPA.
In this case, the data controller did not provide an easy consent withdrawal method, which is considered non-compliance with the law. The PDPC thus ordered the insurance company to rectify any non-compliance and to report back to the PDPC within 30 days.
PDPC’s order regarding a complaint against a banking company:
A data subject complained about a mobile banking application which requested consent that was not given freely under Section 19 of the PDPA (consent must be given freely, and obtaining consent must not be a condition to enter into the agreement unless it is strictly necessary). However, the data subject further informed the PDPC that the banking company had edited the consent form to comply with the law.
The PDPC reviewed the matter, agreed that the banking company had complied with the law and therefore withdrew the complaint accordingly.
PDPC’s order regarding a complaint against a logistics company:
A data subject who is an ex-employee of a logistics company was entitled to a discounted transportation benefit after resignation. The logistics company e-mailed the data subject to request personal data in order to issue the discounted transportation card, to which the data subject gave consent. Later, the logistics company used the provided personal data to discontinue the transportation card.
The PDPC ruled that the consent given only covered the issuance of a discounted transportation card. Using the personal data for discontinuation is contrary to Section 27 of the PDPA (the data controller shall not use or disclose personal data without the consent of the data subject). Additionally, a consent request form must clearly state all the purposes of the collection, use and disclosure of personal data; it must be clearly distinct from other matters and must not be misleading.
In this regard, the PDPC viewed the logistics company’s actions as not in compliance with the law, and therefore ordered the logistics company to amend its consent request form so that consent is requested without any condition, and to report back to the PDPC within 30 days.
In conclusion, these proactive approaches taken by the PDPC in enforcing the PDPA demonstrate a strong commitment to the protection of personal data. Business operators or entities involved in the collection, use or disclosure of personal data should take this into account and ensure compliance with the law.
This is intended merely to provide a regulatory overview and not to be comprehensive, nor to provide legal advice. Should you have any questions on this matter, please do not hesitate to contact our Personal Data Protection team at firstname.lastname@example.org, and our team would be pleased to assist.