NO&T Asia Legal Review
From 1 June 2022, the Personal Data Protection Act of 2019 of Thailand (the “PDPA”) has been fully effective, after its full entry into force was postponed twice, in 2020 and 2021. Any person, including a business operator, who collects, uses or discloses the personal data of natural persons who are in Thailand (the “Data Subject”) is a data controller (the “Data Controller”) and shall duly comply with the requirements and obligations set forth under the PDPA. In this article, to assist existing or potential Data Controllers, we provide a checklist of the key requirements and obligations of the Data Controller under the PDPA.
The PDPA imposes a number of requirements and obligations that apply specifically to the Data Controller. This article narrows these down to the substantial requirements and obligations of which the Data Controller should be aware, as set out below.
The Data Controller cannot collect, use or disclose personal data unless the Data Subject gives consent, except as otherwise permitted under the PDPA. In principle, the request for consent shall be made explicitly, in writing or via an electronic system. According to the draft regulation under the PDPA, where consent is requested via electronic means, the Data Controller is expected to keep evidence or a record in electronic form (e.g. an audio or video recording) to verify that the Data Subject has given consent. In addition, consent given via electronic means shall be given by way of an electronic signature under the electronic transactions law of Thailand (e.g. consent given using a password, a digital signature, or biometrics such as fingerprint, face or voice recognition, or similar means).
The Data Controller shall also inform the Data Subject of the purpose of the collection, use or disclosure. The statement requesting consent shall be easily understandable and in an accessible format. The Data Controller shall ensure that the Data Subject provides such consent freely, and the request for consent shall not be made a condition for entering into an agreement or for providing services.
Nevertheless, the Data Subject may withdraw his or her consent at any time. If the withdrawal of consent will affect the Data Subject in any manner, the Data Controller shall notify the Data Subject of such effect. Withdrawal of consent does not affect the collection, use or disclosure already carried out on the basis of the consent previously given.
Apart from obtaining consent, prior to or at the time of collection of personal data, the Data Controller shall notify the Data Subject of the following matters under the PDPA:
Although the Data Controller can collect personal data without obtaining consent from the Data Subject for certain purposes specified under the PDPA, the Data Controller still needs to notify the Data Subject of the above matters. In practice, the notification can take the form of a privacy notice containing the above matters. When obtaining consent, the Data Controller can provide the Data Subject with a privacy notice and a consent form at the same time.
For personal data collected prior to the enforcement of the PDPA, the Data Controller can continue to collect and use the personal data for the original purposes. The Data Controller needs to prepare a method for cancelling consent and publicize it to the Data Subject, so that the Data Subject can cancel consent given prior to the enforcement of the PDPA.
In principle, the Data Controller shall prepare a record of the information required by the PDPA※1, in written or electronic form, so that the Data Subject and the Office of the Personal Data Protection Committee are able to verify it.
However, a Data Controller that is a small business (the “Small Business Data Controller”) is only required to keep a record of rejections of requests or objections to the exercise of rights by the Data Subject. This exemption does not apply, and the Small Business Data Controller will still be required to prepare the full record described in the preceding paragraph, where (i) the collection, use or disclosure of the personal data is likely to result in a risk to the rights and freedoms of the Data Subject, (ii) the business is not one in which the collection, use or disclosure of personal data is occasional, or (iii) the business involves the collection, use or disclosure of sensitive data.
According to the Notification of the Personal Data Protection Committee Re: Exemption for maintaining the records of the Data Controller who is a small organization of 2022, dated 10 June 2022 and issued under the PDPA, the Small Business Data Controller referred to in the preceding paragraph includes, for example, a small or medium enterprise under the laws concerning small and medium enterprise promotion, or a foundation, association, religious organization or non-profit organization.
The Data Controller may designate another natural or juristic person to collect, use or disclose personal data on behalf of, or under the instructions of, the Data Controller. In such case, that person shall be the data processor (the “Data Processor”). The Data Controller is required to execute an agreement with the Data Processor (the “Data Processing Agreement”) to ensure that the Data Processor will collect, use or disclose personal data only under the Data Controller’s instructions and will perform the other duties required by the PDPA.
The Data Processing Agreement shall, at a minimum, contain provisions on (i) the collection, use or disclosure of personal data being carried out only in accordance with the Data Controller’s instructions, (ii) the provision of appropriate security measures, and (iii) the keeping of a record of data processing activities.
The Data Controller is required to appoint a data protection officer (“DPO”) if, among other cases, its activities in the collection, use or disclosure of personal data require regular monitoring of the personal data or of the system because of the large volume of personal data involved, or if the core activity of the Data Controller is the collection, use or disclosure of sensitive data.
According to the draft sub-regulation on the DPO, one clarification of what constitutes a large amount of personal data is ‘having under its supervision, within a period of 12 months, the personal data of more than 50,000 data subjects, or of 5,000 data subjects in the case of sensitive data’.
The responsibilities of the DPO include, among others, advising the Data Controller and its employees on compliance with the PDPA, and coordinating with the competent officer in case of any problems arising from the collection, use or disclosure of personal data by the Data Controller and its employees.
The Data Controller also has a duty to notify the Data Subject, through its privacy policy, and the competent officer of the details of the DPO and the DPO’s contact details.
Where the Data Controller is outside Thailand, the PDPA shall apply to the collection, use or disclosure by such Data Controller of the personal data of the Data Subjects who are in Thailand if the activities of such Data Controller are as follows:
In principle, a Data Controller outside Thailand that conducts the activities described above is required to appoint a representative in writing. The representative shall be in Thailand and shall act on behalf of the Data Controller, without any limitation of liability, with respect to the collection, use or disclosure of personal data for the Data Controller’s purposes.
However, such a Data Controller outside Thailand may be exempted from appointing a representative where it engages in the profession or business of collecting, using or disclosing personal data that is not sensitive data and does not hold a large amount of personal data as described in paragraph 2.6 above.
As of now, the PDPA is already enforceable. Although the sub-regulations are still in draft form and not yet finalized, any person or company that qualifies as a Data Controller still needs to ensure that it complies with the requirements and obligations under the PDPA specified above, and should monitor the status of the sub-regulations. Failure to comply with the PDPA may result in civil liability and criminal and/or administrative penalties.
※1 The Data Controller shall maintain at least the following records, in written or electronic form, so that the Data Subject and the Office of the Personal Data Protection Committee are able to check them:
This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.