
Thailand: Data protection guidelines for Thai banks

Recently, the Thai Bankers' Association implemented its Guidelines on Personal Data Protection for Thai Banks ('the Guidelines') to support the operations of the banking sector in accordance with the Personal Data Protection Act 2019 ('PDPA'). The PDPA is the first consolidated law governing data protection in general in Thailand; it was published in the Royal Thai Government Gazette on 27 May 2019, with full enforcement expected to take place on 1 June 2022. Dhiraphol Suwanprateep, Partner at Baker & McKenzie Limited Attorneys at Law, discusses the major contents of the Guidelines and the obligations they place on data controllers and data processors.


The purpose of the Guidelines is to ensure that Thai banks understand and are aware of personal data protection, and to serve as a common standard for Thai banks to build on in their own implementations. Each bank can adapt the Guidelines to its internal operations and to each financial service it offers. The Guidelines have been drafted to align with the financial regulations prescribed by the Bank of Thailand under which personal data is regulated or restricted.

Principle relating to personal data protection

Prior to the processing of personal data, the bank should comprehend the substantive principles and restrictions on data processing. Principally, personal data should be lawfully processed, meaning the bank is able to identify the legal basis for each personal data processing activity. Banks should avoid collecting, using, and disclosing personal data if they cannot rely on any legal basis, and should handle sensitive personal data with particular care, as it carries higher legal risks, including fines and imprisonment.

Personal data should be processed fairly and transparently, and only as necessary for the purpose communicated to the customers (e.g., when a bank collects personal data for account opening, it should collect only the personal data necessary for the provision of financial services and avoid collecting unnecessary sensitive personal data).

Data lifecycle

In each financial activity, banks should be able to identify the legal basis for the collection, use, and disclosure of personal data. The legitimate interest basis is one legal basis that is open to interpretation, and banks bear the responsibility of exercising a high degree of discretion when relying on it. To rely on the legitimate interest basis, the bank should consider the three components of a legitimate interest assessment: (i) identify a legitimate interest; (ii) show that the processing is necessary to achieve it; and (iii) balance it against the individual's interests, rights, and freedoms.

In general, a bank, as a financial institution, is required by financial regulations to process personal data, for example to comply with Know Your Customer ('KYC') and Customer Due Diligence ('CDD') requirements, or with the Foreign Account Tax Compliance Act ('FATCA'). For processing carried out for such purposes, banks can rely on the legal obligation basis and are able to reject a data subject's request to object to the processing.

Consent should be obtained only in certain scenarios in accordance with the PDPA and financial regulations. Even though some marketing activities could rely on the legitimate interest basis under the PDPA, banks still need to obtain consent for the disclosure of customers' personal data to third parties for marketing purposes, pursuant to the market conduct rules prescribed by the Bank of Thailand. Nonetheless, this depends on the purpose of the disclosure: if the disclosure to a third party is for non-marketing purposes, the bank may simply describe it in its terms and conditions, and consent would not be needed. Given the current trend towards digital financial products and services, banks must be careful when collecting biometric data (e.g., face recognition or fingerprint data) for authentication purposes, as explicit consent might be required.

In certain circumstances, the bank may inevitably collect a minor's personal data for the provision of financial services. Not every case requires the minor's consent or parental consent, provided the bank can rely on another legal basis. A minor can provide consent on their own behalf, and parental consent may be exempted, where the consent is suitable to the minor's capability and the processing is essential to the minor's reasonable needs. Where the data subject is an incompetent or quasi-incompetent person, consent must be obtained from the custodian who has the power to act on that person's behalf.

Data controller and data processor obligations

Depending on the financial service, a bank could be deemed either a data controller or a data processor. A bank should be able to classify its status, since the PDPA imposes different obligations and liabilities on data controllers and data processors, for example the obligations to provide a privacy policy, to implement appropriate security measures for the protection of personal data, to report personal data breach incidents, to appoint a data protection officer, to maintain a record of processing activities, and to implement a data deletion system. Banks may therefore apply a checklist to determine whether the bank has the power to decide on the data processing or processes personal data on behalf of other persons.

Regarding data subject rights, banks should put in place a contact centre to handle requests to exercise data subjects' rights as prescribed under the PDPA. In the interests of both data subjects and the bank itself, the bank should appoint internal staff or a data protection officer to assess whether a requested right can be exercised, and should provide a suitable channel through which data subjects can file such requests.

When personal data is no longer necessary for further collection, use, or disclosure, the bank should consider deleting, destroying, or anonymising it. Data anonymisation techniques, such as pseudonymisation, replacement, data suppression, data shuffling, or masking, play a key role in meeting the technical standards for the security of personal data.
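As an added illustration (not part of the Guidelines or the article), the following Python sketch applies four of the techniques named above to constructed bank customer records before they are handed to, say, an analytics team; the field names, sample values and key are assumptions. Keyed pseudonymisation is deterministic and reversible by whoever holds the key, so the key must be kept apart from the dataset; suppression and masking are what actually remove the identifying values.

```python
import hashlib
import hmac
import random

# Constructed sample records (hypothetical customers, not real data).
CUSTOMERS = [
    {"customer_id": "C001", "name": "Somchai", "national_id": "1101700203451",
     "account": "1234567890", "balance": 52000, "province": "Bangkok"},
    {"customer_id": "C002", "name": "Malee", "national_id": "3100201234567",
     "account": "9876543210", "balance": 1300, "province": "Chiang Mai"},
    {"customer_id": "C003", "name": "Anan", "national_id": "1509900123456",
     "account": "5555666677", "balance": 240000, "province": "Phuket"},
]


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated): the same input always maps to the
    same token, so records can still be linked, but without the key the token
    cannot be turned back into the identifier."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_account(account: str, keep_last: int = 4) -> str:
    """Masking: hide all but the trailing digits of an account number."""
    return "*" * (len(account) - keep_last) + account[-keep_last:]


def suppress(record: dict, fields: set) -> dict:
    """Suppression: drop direct identifiers entirely."""
    return {k: v for k, v in record.items() if k not in fields}


def shuffle_column(records: list, field: str, rng: random.Random) -> list:
    """Shuffling: permute one attribute across records so each value is real
    but no longer attached to the record it came from."""
    values = [r[field] for r in records]
    rng.shuffle(values)
    return [dict(r, **{field: v}) for r, v in zip(records, values)]


def anonymise_for_analytics(records: list, key: bytes, seed: int = 0) -> list:
    """Combine the techniques: suppress name and national ID, pseudonymise the
    customer ID, mask the account number, then shuffle balances."""
    rng = random.Random(seed)
    out = []
    for r in records:
        safe = suppress(r, {"name", "national_id"})
        safe["customer_id"] = pseudonymise(r["customer_id"], key)
        safe["account"] = mask_account(r["account"])
        out.append(safe)
    return shuffle_column(out, "balance", rng)
```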

Beyond the express requirements of the PDPA, a Data Protection Impact Assessment is a recommended procedure for high-risk data processing, both in the organisation's own interest and for building customer confidence and trust. In addition, to strengthen data management and the management of risks related to personal data, banks should take into account the three lines of defence: (i) the operational function; (ii) the risk management function; and (iii) the internal audit function.

Failure to comply with the PDPA could result in civil liabilities with punitive damages (and class action), administrative fines, and criminal penalties.

Dhiraphol Suwanprateep Partner
[email protected]
Baker & McKenzie Limited Attorneys at Law, Bangkok