icon-angleicon-facebookicon-hatebuicon-instagramicon-lineicon-linked_inicon-pinteresticon-twittericon-youtubelogo-not
People

With one of the largest legal teams in Japan, we bring a wealth of practical knowledge focused on the singular purpose of providing high quality legal services.

Publications

Our lawyers have authored or co-authored a number of newsletters, articles, books and other materials covering a wide range of legal areas to address the latest legal developments and increasingly diverse and complex issues.

Seminars

We regularly hold seminars and offer lectures through various formats, such as online streaming.

SCROLL
TOP
Publications
Newsletters

Checklist of Requirements for Data Controller under the Personal Data Protection Law (Thailand)

NO&T Asia Legal Review

Author
Poonyisa Sornchangwat, Kwanchanok Jantakram (Co-author)
Publisher
Nagashima Ohno & Tsunematsu
Journal /
Book
NO&T Asia Legal Review No.48 (June, 2022)
Reference
Practice Areas
*Please note that this newsletter is for informational purposes only and does not constitute legal advice. In addition, it is based on information as of its date of publication and does not reflect information after such date. In particular, please also note that preliminary reports in this newsletter may differ from current interpretations and practice depending on the nature of the report.

1. Background

From 1 June 2022, the Personal Data Protection Act of 2019 of Thailand (the “PDPA”) has become fully effective after its effectiveness was extended twice in 2020 and 2021. Any person including a business operator who collects, uses or discloses (“Data Controller”) the personal data of natural persons who are in Thailand (“Data Subject”) shall duly comply with the requirements and obligations set forth under the PDPA. In this article, to facilitate the existing or potential Data Controller, we aim to provide a checklist of key requirements and obligations of the Data Controller under the PDPA.

2. Key requirements and obligations of the Data Controller under the PDPA

The PDPA provides several requirements and obligations particularly with which the Data Controller is required to comply. This article narrows down substantial requirements and obligations which the Data Controller should be aware of as below.

2.1 Obtaining of consent

The Data Controller cannot collect, use or disclose personal data unless the Data Subject gives consent except as permitted under the PDPA. Principally, the request of consent shall be made explicitly in writing or via electronic system. According to the draft regulation under the PDPA, for the request of consent via electronic means, it is expected that the Data Controller shall provide an evidence or record in electronic form (e.g. audio or video record) to verify that the Data Subject has given consent. Also, providing consent via electronic means shall be done by way of electronic signature under the electronic transactions law of Thailand (e.g. providing consent using password, digital signature, biometrics such as fingerprint, face or voice recognition or similar).

Also, the Data Controller shall inform the purpose of collection, use or disclosure to the Data Subject. The statement for the request of consent shall be easily understandable and in accessible format. The Data Controller shall procure that the Data Subject freely provides such consent. And, the request for consent shall not be a condition for entering into an agreement or providing services.

Nevertheless, the Data Subject may withdraw his/her consent at any time. If the withdrawal of consent will affect the Data Subject in any manner, the Data Controller shall notify the Data Subject of such effect. Although the consent is withdrawn, it will not affect the collection, use or disclosure for which the consent has been given.

2.2 Privacy notice

Apart from obtaining consent, prior to or at the time of collection of personal data, the Data Controller shall notify the Data Subject of the following matters under the PDPA:

  • Purpose of collection including the purposes of collection with no need to obtain consent;
  • Information regarding provision by Data Subject of personal data to comply with a law or an agreement or to entering into an agreement including the effect for not providing such data;
  • Personal data to be collected and retention period;
  • Types of persons or organizations to which personal data may be disclosed;
  • Information, place and means of contact of the Data Controller and its representative or the data protection officer (if any); and
  • Rights of Data Subject.

Although the Data Controller can collect personal data without obtaining consent from the Data Subject for certain purposes as specified under the PDPA, the Data Controller still needs to notify the Data Subject the abovementioned matters. In practice, the notification can be in the form of privacy notice which contains the abovementioned matters. When obtaining consent, the Data Controller can provide the Data Subject a privacy notice and a consent form at the same time.

2.3 Procedure to withdraw consent for personal data collected before the enforcement of PDPA

For the personal data collected prior to the enforcement of the PDPA, the Data Controller can continue to collect and use the personal data for the original purposes. The Data Controller needs to prepare a method to cancel consent and publicize such to the Data Subject for the Data Subject to cancel consent given prior to the enforcement of the PDPA.

2.4 Personal data record

In principle, the Data Controller shall prepare a record of the information as required by the PDPA※1 which can be in a written or electronic form, in order to enable the Data Subject and the Office of Personal Data Committee to verify.

However, in case of a Data Controller, which is a small business (the “Small Business Data Controller”), it will only be required to prepare a record of the rejection of request or objection to the exercise of right of the Data Subject; except where (i) the collection, use, or disclosure of such personal data is likely to result in a risk to the rights and freedoms of Data Subject, or (ii) it is not a business where the collection, use, or disclosure of the personal data is occasional, or (iii) it involves in the collection, use, or disclosure of the sensitive data, the Small Business Data Controller will still be required to prepare a record in accordance with the preceding paragraph.

According to the Notification of the Personal Data Protection Committee Re: Exemption for maintaining the records of the Data Controller who is a small organization of 2022 dated 10 June 2022 issued under the PDPA, the Small Business Data Controller under the preceding paragraph includes, for example, a small enterprise or a medium enterprise according to the laws concerning small and medium enterprise promotion, or a foundation, association, religious organization, or non-profit organization.

2.5 Data processing agreement

The Data Controller may designate another person or juristic person to collect, use or disclose personal data on behalf of or under instructions of the Data Controller. In such case, such another person or juristic person shall be the data processor (the “Data Processor”). The Data Controller is required to execute an agreement with the Data Processor to ensure that the Data Processor will collect, use or disclose under the Data Controller’s instruction only and perform other duties as required by the PDPA (the “Data Processing Agreement”).

The Data Processing Agreement shall specify provisions at least in relation to (i) the collection, use or disclosure of personal data being in accordance with the Data Controller’s instruction only, (ii) the provision of appropriate security measures and (iii) the provision of record of data processing activities.

2.6 Appointment of the data protection officer (“DPO”)

The Data Controller is required to appoint a DPO if, among others, the activities of the Data Controller in the collection, use or disclosure of the Personal Data requires a regular monitoring of the personal data or the system, by the reason of having a large number of personal data or the core activity of the Data Controller is the collection, use or disclosure of the sensitive data.

According to the potential draft sub-regulation in relation to the DPO, one of the clarification of having large amount of personal data is ‘having the personal data under its supervision within the period of 12 months of more than 50,000 data subjects, or 5,000 data subjects in case of sensitive data’.

The responsibilities of the DPO are, among others, providing advice to the Data Controller and its employees in relation to compliance with the PDPA, and coordinating with the competent officer in case of any problems arising from the collection, use or disclosure of the personal data by the Data Controller and its employees.

The Data Controller also has the duty to notify the details of the DPO and his contact details to the Data Subject through privacy policy as well as to the competent officer.

2.7 Appointment of a representative in Thailand (in case the Data Controller is outside Thailand)

Where the Data Controller is outside Thailand, the PDPA shall apply to the collection, use or disclosure by such Data Controller of the personal data of the Data Subjects who are in Thailand if the activities of such Data Controller are as follows:

(1) offering of goods or services to the Data Subjects who are in Thailand, irrespective of whether the payment is made by the Data Subject; or

(2) monitoring of the Data Subject's behavior which takes place in Thailand.

In principle, the Data Controller who is outside Thailand and conducts the activities as described above will be required to appoint a representative in writing and such representative shall be in Thailand acting on behalf of the Data Controller without any limitation of liability with respect to collection, use or disclosure of the personal data according to purposes of the Data Controller.

However, such Data Controller outside Thailand might be exempted from appointing the representative in case where such Data Controller engages in the profession or business of collecting using, or disclosing the personal data that is not the sensitive data and does not have large amount of the personal data as described in paragraph 2.6 above.

3. Conclusion

As of now, the PDPA is already enforceable. Although the sub-regulations are in a draft form and not yet finalized, any person or company who is considered a Data Controller still needs to ensure that it has complied with the requirements and obligations as specified above under the PDPA and should monitor the status of the sub-regulations. Failure to comply with the PDPA may result in civil liability, criminal and/or administrative penalty.

Endnotes

*1
The Data Controller shall maintain, at least the following records in order to enable the data subject and the Office of Personal Data Protection Committee to check upon, which can be whether in a written or electronic form:

  • (1) the collected personal data;
  • (2) the purpose of the collection of the personal data in each category;
  • (3) details of the Data Controller;
  • (4) the retention period of the personal data;
  • (5) rights and methods for access to the personal data, including the conditions regarding the Data Subject having the right to access the personal data and the conditions to access such personal data;
  • (6) the use or disclosure of the personal data;
  • (7) the rejection of request or objection to the exercise of right of the Data Subject; and
  • (8) explanation of the appropriate security measures.

This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.

Download full text(PDF)

Lawyers

Data Protection and Privacy Related Publications

Global Practice Related Publications

Asia and Oceania Related Publications

Thailand Related Publications

× Close
Select Practice Areas
× Close