Newsletter No. 224

NL224 The Personal Data Protection Act B.E. 2562 (2019)


Although Lorenz & Partners always pays great attention to keeping the information provided in newsletters and brochures up to date, we cannot take responsibility for the completeness, correctness or quality of the information provided. None of the information contained in this newsletter is meant to replace a personal consultation with a qualified lawyer. Liability claims regarding damage caused by the use or non-use of any information provided, including any information which is incomplete or incorrect, will therefore be rejected, unless caused deliberately or by gross negligence.

1. Introduction

The importance of handling personal data steadily increases for businesses. Following Europe and the USA, which both have a strict data protection law in place, Thailand has now also taken steps to assure that personal data is not freely used and commercialized. Data controllers who collect, use and disclose personal data as part of their business model shall keep in mind that after the effective date of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), certain information cannot be freely processed and used as in the past.

The company must comply with the legal requirements under the PDPA. Legal compliance will increase cost, so companies must wisely choose to collect only necessary data.

However, there are some exceptions for the processing of personal data by certain government agencies under Section 4, such as for cybersecurity purposes and for judicial trials and adjudications.

2. Thai Laws related to Personal Data Protection

  • Personal Data Protection Act B.E. 2562 (2019)

The PDPA was enacted on 27 May 2019 and became fully enforced on 1 June 2022. The PDPA provides protection for personal data which can identify an individual, regardless of the format of the data (e.g. online database, printed data on paper, electronic data). This law constitutes legal obligations among the data subject, the data controller, and the data processor.

Data Subject: The data subject is a natural person who is the owner of the personal data.

Data Controller: The data controller is the key person who has “the power and duties to make decisions regarding the collection, use, or disclosure of the personal data” of the data subject (such as an employee, a client, or a customer).

Data Processor: The data processor is the person who operates in relation to the collection, use, or disclosure of the personal data pursuant to the orders given by or on behalf of a data controller (and who is not a data controller).

If personal data is damaged or lost due to insufficient privacy protection and preventive measures, the data controller shall be liable. The PDPA makes it easier for the data subject to claim damages against the responsible person, who can be easily identified. The PDPA’s content is mostly adapted from the EU’s General Data Protection Regulation. However, there are some parts that have been developed to correspond with special local practices in Thailand.

  • Computer Crime Act B.E. 2560 (2017)

Besides the PDPA, the Computer Crime Act provides protection for information that is computer data or is stored in computer systems against outside threats (e.g. hackers, unauthorized access).

Oftentimes, cybercrime offenders (hackers) are difficult to identify. Therefore, most of the time they cannot be arrested, which means that damage incurred by the data subject cannot be recovered. This was one of the major factors that drove the implementation of the PDPA.


The diagram below shows the laws that govern each specific relationship.

In this newsletter, we will only focus on protection of personal data under the PDPA.

3. Personal Data

Under the PDPA, there are two types of personal data:

  • General personal data (Section 6 PDPA) is any data pertaining to a person, which enables the identification of such person, whether directly or indirectly. For example: name, address, phone number, customer ID, age, gender, height, username, password, IP address. The PDPA does not cover data of juristic persons and data of deceased persons.
  • Sensitive personal data (Section 26 PDPA) is personal data regarding race, ethnic origin, political opinion, beliefs, religion, philosophical opinions, sexual orientation, criminal record, health, disability, labour union information, genetic features, biography, or other information which may affect the data subject in the same or a similar way.

4. Enforcement Scope of the PDPA

The PDPA applies to any data controller and data processor:

  • who is in Thailand, regardless of whether the data is processed inside or outside of Thailand; and
  • who is outside of Thailand, but the data subject is in Thailand for certain activities (e.g. offering goods or services, monitoring the behavior of the data subject in Thailand). In this case, the data controller must appoint a representative in writing to operate in Thailand.

In essence, the PDPA aims to protect the individual’s personal data against illicit and/or unauthorized (i) data collection and (ii) data usage and disclosure.

The authority who oversees the enforcement of the PDPA is the Personal Data Protection Committee (PDPC), supported by the Office of the Personal Data Protection Committee, under the Ministry of Digital Economy and Society (MDES). The duties of the PDPC will be discussed in item 10 below.

5. Data Collection

5.1 General protection

“The collection of personal data shall be limited to the extent necessary in relation to the lawful purpose of the data controller.” (Section 22 PDPA)

Within this Section, the PDPA requires compliance with the principle of “data minimisation” from data controllers.

Moreover, in principle, the data controller shall collect such data from the data subject directly (Section 25 PDPA).

5.2 Notification to the data subject

In order to collect personal data, the data controller shall notify the data subject, on or before the time of data collection, of the following details according to Section 23 PDPA (unless the data subject already knows such information):

  • collection purpose;
  • reason why data collection is necessary;
  • data to be collected and the retention period;
  • person/entity to whom the data will be disclosed;
  • contact details of the data controller; and
  • rights of the data subject.

5.3 Consent required for data collection

Personal data cannot be collected without consent, unless such collection falls under the exemptions under the PDPA as discussed in item 5.4 below.

5.4 Exemptions for data collection without consent

There is a possibility that a data controller may collect personal data without having to ask for consent from the data subject, if such activity falls under the exemptions under the PDPA. The exemptions for personal data and sensitive data collection are slightly different, as shown below:

Personal data (Section 24 PDPA):

  1. Historical documents or archives: necessary for making historical documents or archives for the public, or for research/statistics, with appropriate data protection measures;
  2. Vital interests: to prevent harm to a person’s life, body, or health;
  3. Performance of a contract: for the performance of a contract as intended by the data subject;
  4. Necessary for public interest: to carry out tasks for the public interest, or to exercise official authority vested in the data controller;
  5. Legitimate interests: for the legitimate interests of the data controller or other third parties, unless the fundamental rights of the data subject outweigh such legitimate interests;
  6. Legal compliance: for compliance with legal obligations.

Sensitive personal data (Section 26 PDPA):

  1. Vital interests: same as above, but more severe, e.g. individual becomes unconscious (cannot give consent at that moment);
  2. Non-profit organization: for legitimate activities of a non-profit organization, for political, philosophical, religious, or trade union purpose, for its members, former members, or persons who regularly contact the organization (without disclosing to third parties);
  3. Public domain: disclosed to the public with the consent of the data subject;
  4. Legal claims: necessary for establishing, exercising, or defending legal claims;
  5. Necessary for legal compliance for the below purposes:
    • Medical purposes;
    • Public health;
    • Labour protection and social security;
    • Scientific, historical, or statistical research;
    • Substantial public interest.

6. Data Usage and Disclosure

Apart from the data collection as mentioned above, the data controller must also obtain consent for any data usage and disclosure. However, if the data collection purpose falls under an exemption (as mentioned above), consent is not required for the usage and disclosure of the same data (Section 27 PDPA). Nevertheless, the data subjects still need to be notified of the data collection as outlined in point 5.2 above.

The use and disclosure of personal data by the data controller shall not be outside the scope of purposes previously notified by the data controller to the data subject (e.g. notified in the privacy notice). Therefore, the privacy notice has to be carefully drafted to cover the foreseeable scope of personal data activities.

7. Transfer of Personal Data to Foreign Countries

In case personal data is transferred outside of Thailand, it shall meet one of the following requirements:

7.1 Adequate data protection standard

  • The destination country or the international organization is recognized by the PDPC to have adequate data protection standards (currently, the list of approved countries has not yet been announced).

7.2 Binding corporate rules (BCR)

  • The transfer of personal data between affiliated businesses outside of Thailand can be done if BCR exist between the businesses and such BCR are approved by the PDPC. However, during the BCR approval process, the transfer of data can be done if there are appropriate safeguards in place that meet the required standards.

7.3 Other

  • Compliance with the law;
  • The consent of the data subject has been obtained, provided that the data subject has been informed of the inadequate personal data protection standards;
  • Necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract;
  • Compliance with a contract between the data controller and other persons or juristic persons for the interests of the data subject;
  • If it is to prevent or suppress a danger to the life, body, or health of the data subject or other persons when the data subject is incapable of giving the consent at such time;
  • If it is necessary for carrying out the activities in relation to substantial public interest.

8. Legal Requirements for Consent

Legal requirements for consent under the PDPA are as follows (Section 19 PDPA):

  • Form: Consent must be expressly given, in writing or through an electronic system, unless consent cannot be given by such methods.
  • Format: The request for consent must be easy to understand, explicitly separated from other messages, and the purpose of data collection must be stated.
  • Freedom: The data subject’s freedom must be taken into account when asking for consent (freely given).

If the request for consent does not fulfil the aforesaid requirements, such given consent will not bind the data subject. Therefore, the data controller cannot legally collect, use, or disclose personal data.

9. Right of the Data Subject

Under the PDPA, the data subject has the following legal rights:

  • Right to access (Section 30 PDPA): The data subject can request a copy of the personal data under the responsibility of the data controller, and request the data controller to reveal how it obtained any personal data for which the data subject did not give consent.
  • Right to data portability (Section 31 PDPA): The data subject can request for his/her personal data to be transmitted to another controller without hindrance.
  • Right to object (Section 32 PDPA): The data subject can object to the collection, usage, or disclosure of personal data.
  • Right to be forgotten (Section 33 PDPA): The data subject can request for his/her personal data to be erased, destroyed or anonymized in specific cases.
  • Right to suspend usage (Section 34 PDPA): The data subject can request the data controller to suspend the usage of his/her personal data.

10. Other Specific Duties

10.1 Data Controller

The duties of the data controller under Section 37 PDPA are as follows:

  • Implementing appropriate measures and reviewing existing security measures to protect and secure personal data;
  • Creating a system to erase and destroy unused/unnecessary data;
  • Notifying any violation of personal data to the Office of the Personal Data Protection Committee within 3 days after having become aware of the breach thereof; and
  • Appointing a representative in writing (for the data controller outside of Thailand only).

Additionally, the data controller has to keep a record of processing activities (ROPA), unless such data controller is an exempted entity (e.g. SMEs, co-op) that is not required to provide a full version of the ROPA.

Furthermore, if the personal data is passed on to the data processor, a data processing agreement (DPA) should be entered into that clearly stipulates the rights and obligations between the parties.

10.2 Data Processor

The duties of the data processor under Section 40 PDPA are as follows:

  • Processing the data under the instruction of the data controller;
  • Imposing appropriate measures to protect and secure personal data; and
  • Making and keeping records of processing activities.

10.3 Data Protection Officer (DPO)

For the private sector, the data controller and/or the data processor must appoint a DPO in case their core activities involve regular monitoring of large-scale personal data, as outlined under the PDPC’s notification, or their core activities involve the processing of sensitive data.

The duties of the DPO under Section 42 PDPA are as follows:

  • Giving advice in relation to compliance with the PDPA;
  • Checking and monitoring related entities concerning data processing under the PDPA;
  • Cooperating with the Office of the Personal Data Protection Committee; and
  • Keeping confidentiality of the personal data known from the duties under the PDPA.

10.4 The Personal Data Protection Committee (Committee)

The duties of the Committee (Section 16 PDPA) are mainly to enact specific regulations under the PDPA, provide official interpretations, and render rulings regarding issues resulting from the enforcement of the PDPA.

Additionally, the expert committee is responsible for receiving and considering complaints from the data subjects, as well as settling disputes and issuing orders in relation to the PDPA.

11. Liability/Penalty

There are three types of liability/penalty under the PDPA:

11.1 Civil liability

The data controller and data processor are liable for damages from violations (intentional/negligent) of the PDPA, which include the expenses for preventive measures against the occurred or future damages. Additionally, the court can order the wrongdoer (data controller and/or data processor) to pay punitive damages, which may not exceed twice of the actual damages.

The prescription period of the claim for damages is 3 years after knowing about the damages and responsible person, or 10 years after the violation of the personal data.

11.2 Criminal penalty

There are criminal liabilities for:

  • data controllers who use or disclose personal data or send sensitive data abroad in violation of the law, which may lead to damages or humiliation, or to illegally acquire benefits;
  • persons who acquire knowledge of the personal data due to the duties under the PDPA and disclose it to another person;
  • directors of the company who give orders or take actions, including omitting orders or actions, that cause the company to commit an offense under this Act.

The criminal penalties are imprisonment for 6 months – 1 year, or fines of up to THB 1,000,000, or both, depending on the violation.

11.3 Administrative penalties

The authority may also impose an administrative penalty for violations of the PDPA, with maximum administrative fines ranging from THB 500,000 to THB 5,000,000.

12. Data Protection Best Practices

In addition to the legal duties under the PDPA, the company may decide to strengthen its existing data protection measures, as well as adopting new policies and procedures. For example:

  • Identify the types of data, purpose of data activities, and data flows in the company;
  • Draft and announce data privacy notice for all data which is collected, used, or disclosed by the company;
  • Create a data protection and security framework and policy;
  • Review all consent forms and contracts;
  • Create data breach monitoring and response program; and
  • Appoint a DPO to manage organizational data protection and oversee compliance for the data controller who conducts personal data activities on massive amounts of data or sensitive data.

Additionally, the company may consider establishing related policies (e.g. IT, social media/social network policy) on top of the data privacy notice. In case the company already has a privacy notice, consent forms, or other documents related to personal data protection under the GDPR, the company may use such documents as the foundation to develop the required documents and security measures under the PDPA.


We hope that we have been able to assist you with this information.
If you have any further questions, please contact us:

Lorenz & Partners Co., Ltd.

27th Floor, Bangkok City Tower, 179, S Sathorn Rd,

Thung Maha Mek, Sathon, Bangkok 10120

Email: [email protected]
www.lorenz-partners.com
+66 (0) 2 287 1882