Thailand: Ensuring compliance under the PDPA - Part two
The Personal Data Protection Act 2019 ('PDPA') is Thailand's first comprehensive data protection legislation. It was originally set to enter into effect on 27 May 2020 but, following two rounds of postponement due to the COVID-19 pandemic, entered into effect on 1 June 2022. The PDPA is based on the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and aims to ensure the protection of personal data and to put in place effective remedial measures for data subjects whose rights to the protection of personal data are violated.
Similar to part one and part three of this three-part series on the PDPA, this article highlights key provisions of the PDPA, focusing on the obligations of data controllers and data processors, including the appointment of a data protection officer ('DPO'), breach notification, and data transfers to foreign countries. In addition, the Secondary Draft Laws to the PDPA provide further information on data controller obligations.
Data security (Section 37)
Data controllers are required to adopt appropriate security measures to prevent unauthorised or unlawful loss, access to, use, alteration, correction, or disclosure of personal data. Such measures must be reviewed when necessary, or when technology has changed, in order to maintain appropriate security and safety efficiently.
The Draft Notification on the Security Measures for the Processing Personal Information ('the Draft Notification on Security Measures') establishes the minimum security requirements to prevent unauthorised or unlawful loss, access, use, change, alteration, or disclosure of personal information.
Among other provisions, the Draft Notification on Security Measures requires the establishment of minimum security measures that ensure an organisation can identify its personal information assets, prevent risks that may arise, monitor and survey any potential incidents, respond to any threats, and recover from damages that have occurred to the level that is appropriate to reduce risks and harm to data subjects.
Moreover, technological security measures must take into account the ability to maintain the confidentiality, integrity, and availability of personal information within systems according to the level of risk of technological factors, context, environment, and accepted standards for entities or businesses of the same or similar type, nature, and objective.
Furthermore, organisational measures should at least include the following:
- access control of personal data and key information system components with verification and authentication on access management;
- user access management;
- user responsibilities to prevent unauthorised access; and
- provision of means to enable retrospective access to, change, alteration, or deletion of personal data.
In line with the above, data controllers must also review the security measures under Article 4 when necessary, or when technology changes, in order to maintain security effectively and appropriately, taking into account the level of risk, including technological factors, context, environment, and established standards within the industry (Article 4 of the Draft Notification on Security Measures).
Furthermore, in the case of data processor agreements, the data controller and the data processor may consider adopting security measures that comply with at least the minimum standards under the Draft Notification on Security Measures (Section 6 of the Draft Notification on Security Measures).
Vendor management (Section 37)
In the circumstance where personal data is to be provided to other persons or legal persons, apart from the data controller, the PDPA requires data controllers to take action to prevent unlawful usage or disclosure without authorisation.
In order for the data processor to carry out its activities in accordance with the data processor obligations, as assigned by the data controller and outlined in the PDPA, the PDPA states that data controllers must prepare an agreement between the parties to control the activities of the data processor. More specifically, the Draft Notification of the Determination of the Scope of Enforcement of PDPA and Appointment of Agents ('the Draft Enforcement Notification') states that the agreement between the two parties should include instructions on, among other things, cross-border data transfers, confidentiality, data security, and permission controls for the use of sub-processors. Furthermore, the Draft Enforcement Notification notes that the contract itself, between the data controller and the data processor, must be in writing or made electronically, and that data processors who fail to comply with such an agreement will be considered the personal data controller of the applicable personal data (Section 1.5 of the Draft Enforcement Notification).
The PDPA requires that data processors carry out the activities related to the collection, use, or disclosure of personal data only based on the instructions of the data controller, except where such instructions are contrary to the law, or any provisions regarding data protection under the PDPA. In addition, the PDPA stipulates that data processors must adopt appropriate security measures to prevent unauthorised or illegal loss, access to, use, alteration, correction, or disclosure of personal data, and notify the data controller of any data breach that occurred. Finally, data processors must prepare and maintain records of data processing activities.
The requirement to keep records of processing may not apply to data processors that are small organisations, unless the collection, use, or disclosure of such personal data is likely to result in a risk to the rights and freedoms of data subjects, the collection, use, or disclosure of the personal data is not merely occasional, or the collection, use, or disclosure involves personal data pursuant to Section 26.
Data disclosure and transfers (Sections 27 to 29)
Data controllers must not use or disclose personal data without consent, unless it is personal data collected where consent is not required under Sections 24 or 26 of the PDPA. In the event that data exempted from the consent requirements is disclosed, the data controller must maintain a record of such use or disclosure in line with Section 39 of the PDPA.
For transfers to foreign countries, the PDPA stipulates that the destination country or international organisation that receives personal data must have adequate data protection standards in place, in accordance with the rules for the protection of personal data as prescribed by the PDPA, except in the following circumstances:
- where it is in compliance with the law;
- where the consent of the data subject has been obtained;
- for the performance of a contract;
- in compliance with a contract between the data controller, and other persons or juristic persons for the interests of the data subject;
- for preventing or suppressing a danger to the life, body, or health of the data subject or other persons, when the data subject is incapable of giving the consent at such time; or
- when carrying out the activities in relation to substantial public interest.
On the point of adequacy, where there is a problem with regard to the adequacy of personal data protection standards in the destination country or international organisation, such problem should be submitted to the Personal Data Protection Committee ('PDPC') to decide. The decision made by the PDPC may be reviewed when there is new evidence suggesting that the destination country or international organisation that receives such personal data has developed adequate data protection standards.
Intra-group agreements
In relation to intra-group agreements, the PDPA stipulates that data controllers or data processors in Thailand that have put in place a personal data protection policy, reviewed and certified by the PDPC, regarding the sending or transferring of personal data to another data controller or data processor in a foreign country that is part of the same affiliated business or the same group of undertakings, will be exempt from compliance with Section 28 of the PDPA on data transfers to foreign countries above.
The Draft Notification on the Determination of Rules for Data Transfers Outside of Thailand ('the Draft Notification on Data Transfers') establishes the procedures for data transfers outside of Thailand. In particular, the Draft Notification on Data Transfers explains that the personal data protection policies outlined above should include the types of personal data to be transferred and the purpose of the transfer, where the liability of the sender or transferor within the business or business group falls, the complaint procedure for such overseas transfers, and mechanisms for verifying compliance with data protection requirements during the transfer.
Finally, in the absence of a decision by the PDPC in accordance with Section 28 of the PDPA or a certified personal data protection policy, a data controller or data processor may send or transfer personal data to a foreign country by way of exemption from Section 28 of the PDPA, if the data controller or data processor provides suitable protection measures which enable the enforcement of data subject rights, including effective legal remedial measures, according to the rules and methods prescribed and announced by the PDPC.
The Draft Notification on Data Transfers introduces requirements to be undertaken by both the sender and the recipient of personal data, which must take the form of an agreement or contract between the parties. These requirements include those in Appendix A of the Draft Notification on Data Transfers, which establishes the requirements for an agreement between a data controller situated within Thailand and a recipient data controller situated outside of Thailand.
Appendix A of the Draft Notification on Data Transfers includes that the agreement must establish appropriate safeguards that must be undertaken by the sender or transferee of personal data in accordance with Section 29(3) of the PDPA, which include the following requirements:
- certifying that the processing of personal data, including the transmission or transfer of personal data, complies with PDPA;
- undertaking reasonable efforts to determine whether the transferee of personal data can comply with the PDPA;
- providing information about personal data protection laws to the data subject whose data is being transferred;
- answering questions of personal data subjects or government agencies regarding the processing of personal data; and
- providing information about the rights of the data subject.
Moreover, under Appendix A of the Draft Notification on Data Transfers, the transferee of personal data must undertake, among other things, the following during the transfer of data:
- determining whether appropriate security protection measures are in place in accordance with international standards;
- ensuring that third parties who have access to personal data will maintain their confidentiality;
- certifying that the transferee has considered, and believes, that there is no law preventing them from performing their duties;
- notifying the sender, or other third-party transferees of personal data, about the internal departments that are responsible for the processing of data for cooperating in good faith in the processing of personal data; and
- notifying the sender, or other third-party transferees of personal data, about the financial state of the transferee to comply with requirements under the law.
In addition to the above, Appendix A of the Draft Notification on Data Transfers also establishes that the parties undertaking transfers of personal data must set out the liabilities of each party in the case of violations involving personal data, the applicable law governing the agreement (noting that Thai law applies), a dispute resolution mechanism with the personal data owner or agencies, and terms for the termination of the agreement.
Appendix B of the Draft Notification on Data Transfers establishes the requirements for an agreement between a data controller situated within Thailand and a recipient data processor situated outside of Thailand; Appendices A and B impose similar requirements on the agreement between the parties.
The main addition under Appendix B of the Draft Notification on Data Transfers is that the data processor must process personal data only as a data processor, in accordance with the instructions of the transferring data controller.
Assessments and recordkeeping (Section 39)
Data controllers are required to maintain records of processing, which can be either in a written or electronic form and should include:
- the collected personal data;
- the purpose of the collection of the personal data in each category;
- details of the data controller;
- the retention period of the personal data;
- rights and methods for the access to personal data, including the conditions regarding the right of access and access to such personal data;
- the use or disclosure under Section 27(3);
- the rejection of request or objection according to Sections 30(3), 31(3), 32(3), and 36(1); and
- details of the appropriate security measures pursuant to Section 37(1).
The above will apply to the representative of the data controller under Section 5(2) mutatis mutandis.
All of the above, except for the rejection of a request or objection according to Sections 30(3), 31(3), 32(3), and 36(1), may not apply to a data controller that is a small organisation, unless the collection, use, or disclosure of such personal data is likely to result in a risk to the rights and freedoms of data subjects, the collection, use, or disclosure of the personal data is not merely occasional, or the collection, use, or disclosure involves personal data pursuant to Section 26 of the PDPA.
In addition, the Notification regarding Data Protection Impact Assessment ('DPIA') and Duties of the Data Controller to have the Data Subject Deny Decision Making using Automated Processes Only ('the Draft DPIA and Automated Processing Notification') clarifies the scope of a DPIA, namely that it applies to processing with a high risk to the rights and freedoms of data subjects. This may include cases where:
- there is extensive automated processing of personal data, including profiling;
- such decisions have a legally binding effect or similarly significantly affect persons;
- a large amount of personal data is processed; and
- in the case of systematic surveillance, the surveillance covers a large number of public areas.
The Draft DPIA and Automated Processing Notification specifies the list of data processing activities that have a high risk of affecting the rights and freedoms of data subjects.
Furthermore, the Draft DPIA and Automated Processing Notification establishes that DPIAs should be made public, including the measures required and the rationale for a joint assessment where a joint controller is present. On this, the Draft DPIA and Automated Processing Notification provides that DPIAs should identify the responsibilities of each data controller and the measures for which each party is responsible. Likewise, the Draft DPIA and Automated Processing Notification notes that, where necessary, a data controller may entrust a data processor to conduct a DPIA, and identifies the relevant steps data processors should take. Moreover, the Draft DPIA and Automated Processing Notification stipulates that the results of the DPIA must be published and made accessible to the public by reasonable means.
The Draft Notification on Providing Records of Processing Activities Measures Relating to Data Access Requests ('the Draft Notification on Records of Processing and Access Request') establishes the general requirement for keeping records of processing activities and information that must be included, such as:
- the personal data collected, with a description of the type of data owner (data subject);
- the types of personal data, as well as the purpose of processing;
- the name and information about the data controller, data processor, and DPO (in the instance of a data processor, then the contact details of the data processor and their DPO, where applicable);
- the period of retention and deletion of various types of personal data;
- data subject rights and methods of accessing personal data, including the conditions for requesting access rights;
- the disclosure of information that is exempt from obtaining consent; and
- a general description of the security measures implemented for processing personal data.
Such records must be kept in writing, in physical book form or electronic form, and be available in case of a request by the PDPC.
Moreover, the Draft Notification on Records of Processing and Access Request establishes the main criteria for exemption from the recordkeeping requirements outlined above. In particular, the main criteria for exemption include:
- if the business is a small or medium sized business under the definition of small to medium sized businesses in the Law on Promotion of Small to Medium Sized Businesses 2011 ('the Law on Promotion');
- if the business is a community enterprise network under the Law on Promotion;
- if the business is a social enterprise, or a group of social enterprises, under the Law on Promotion;
- if the business is a cooperative gathering, or a group of farmers, under the Law on Cooperatives 1999;
- if the business is a foundation, association, religious organisation, or non-profit organisation; and
- if the business is a household business, or another business of the same nature as the data controller, which is defined as a small business under the Law on Promotion and does not provide traffic data maintenance services under the Computer Crime Act 2007.
DPO appointment (Sections 41 and 42)
The PDPA requires the appointment of a DPO where:
- the data controller or data processor is a public authority;
- the activities of the data controller or data processor require the regular monitoring of personal data or the system, by reason of having a large amount of personal data; or
- the core activity of the data controller or data processor is the collection, use, or disclosure of the personal data according to Section 26 of the PDPA.
In addition, the PDPA establishes that data controllers or data processors that are in the same affiliated business or the same group of undertakings, and jointly operate the business or group of undertakings, may jointly designate a DPO. In this regard, each establishment of the same affiliated business or group of undertakings must be able to contact the DPO easily. The above applies mutatis mutandis to a public authority that is large in size or has several establishments. On a similar note, the PDPA clarifies that the DPO can be a staff member of the data controller or data processor, or a service provider under contract with the same.
The PDPA outlines that the duties of DPOs include giving advice with respect to compliance with the PDPA, investigating performance with respect to the collection, use, or disclosure of the personal data for compliance with the PDPA, coordinating and cooperating with the PDPC in the circumstances where there are problems with respect to the collection, use, or disclosure of personal data, and keeping confidential the personal data known or acquired in the course of the performance of their duties under the PDPA.
In addition, the PDPA confirms that the DPO must be supported in performing their tasks, including by having adequate tools or equipment, as well as a facilitated access to the personal data in order to perform their duties. In addition, the DPO cannot be dismissed or terminated for the performance of their duties under the PDPA. Finally, the DPO can perform the role of DPO, as well as other duties or tasks; such additional role, however, must not be against, or contrary to, the performance of their duties under the PDPA.
The Draft Notification on the Appointment of the Data Protection Officer ('the Draft Notification on DPOs') sets out information and requirements on the role and appointment of a DPO. The Government of Thailand and state enterprises must appoint a DPO, while private sector data controllers or data processors must appoint a DPO where their activities fall under the definition of 'activities' or 'core activity' in Sections 41(2) and (3) of the PDPA (Sections 2.2 and 2.5 of the Draft Notification on DPOs). Activities include the processing of customers' data by an insurance company, commercial bank, or other business that, in the normal course of business, carries out due diligence on, or assesses the history or qualifications of, customers prior to contracting or providing similar services, such as credit scoring, insurance premium determination, fraud prevention, or money laundering prevention. In addition, activities include the processing of personal data for advertising purposes, behavioural advertising by search engines or social media, the processing of customers' personal data by a telecommunications service provider, behavioural surveillance services for therapeutic purposes, and the processing of personal data for security in places such as shopping malls and public places.
In regard to core activities, the Draft Notification on DPOs defines these as the handling, within a 12-month period, of the personal data of more than 50,000 data subjects, or of more than 5,000 data subjects whose personal data falls under the definition in Section 26 of the PDPA.
Where the appointment of a DPO is not required under the PDPA or the Secondary Draft Laws, a data controller or data processor may still appoint such a person voluntarily and notify the PDPC of the appointment (Section 2.8 of the Draft Notification on DPOs). A DPO must be a natural person who has expertise and knowledge in the protection of personal information. In this regard, the PDPC may introduce certification and accreditation requirements under which DPOs are trained and tested (Section 2.9 of the Draft Notification on DPOs).
Breach notification (Section 37)
The PDPC must be notified of any data breach without delay and, where feasible, within 72 hours after having become aware of it, unless such personal data breach is unlikely to result in a risk to the rights and freedoms of persons. Where the personal data breach is likely to result in a high risk to the rights and freedoms of persons, the data controller is required to, in addition to the PDPC, notify the data subject of the breach and the remedial measures without delay.
Furthermore, the Draft Enforcement Notification summarises a personal data breach as the leakage or violation of security measures of personal data which results in damage, loss, and alteration, whether accidentally or unlawfully, including disclosure or access to information which is used to collect or process personal data, without permission (Section 1.5 of the Draft Enforcement Notification).
The Draft Notification on Records of Processing and Access Request also establishes a duty to notify the PDPC of the following information in the event of a data breach (Section 2.11 of the Draft Notification on Records of Processing and Access Request):
- a description of the incident of personal data breach if identifiable;
- the types and amount of data affected along with a number of data subjects;
- a log of processing activities;
- the contact details of the DPO; and
- an explanation of potential consequences from the breach and steps taken to reduce such consequences.
Upon notification of a data breach, the PDPC may choose to investigate the incident within 30 days and order the data controller to cooperate with requests for details on the incident. In the event that a data breach occurs on the part of the data processor, the data processor is responsible for notifying the data controller of the breach without delay and providing details on the types and amount of data affected.
Generally, in the event of a data breach, the data controller must also notify and inform data subjects of the breach. The Draft Notification on Records of Processing and Access Request establishes that the data controller may be exempt from notifying data subjects where the data controller has implemented technical data protection measures, as well as measures to ensure that the high risk to the rights and liberties of a person is mitigated, or where it is unreasonably difficult to inform the data subject.
Data protection representative (Sections 37 and 38)
Data controllers located outside of Thailand, but falling within the scope of the PDPA must designate, in writing, a representative who must be in Thailand and be authorised to act on their behalf without any limitation of liability with respect to the collection, use, or disclosure of the personal data according to the purposes of the data controller.
However, the PDPA does provide exceptions to the above, such as where the data controller is a public authority, or engages in a profession or business of collecting, using, or disclosing personal data that is not of the nature described in Section 26 and does not involve a large amount of personal data. In addition, where the data controller has a data processor per Section 5(2), the provisions of Section 37(1) and (5) apply to such data processor mutatis mutandis.
Furthermore, the Draft Enforcement Notification notes that data controllers or data processors located outside of Thailand which process, collect, use, or disclose the personal data of data subjects must appoint their representatives in Thailand and notify the PDPC, in writing or electronically, within 14 days. With regard to the appointment of a representative by data processors, the Draft Enforcement Notification notes that data processors must appoint a representative within 30 days and notify the PDPC within 14 days of the appointment, electronically or in writing (Section 1.4 of the Draft Enforcement Notification).
Code of practice
The PDPC may examine and give opinions on processing practices only when the competent organisation meets the criteria and demonstrates, among other things, the objectives, scope, and achievements for the proposed practices (Section 1.1 of the Draft Laws for the Third Group).
The PDPC will review and comment on draft codes of practice, and the personal data protection practice will be issued within 60 days of receipt of the draft code of practice. In its review, the PDPC will consider whether the practices address specific business needs and the nature of the processing, and whether they are efficient. Should the PDPC consider the code of practice complete, the result will be notified to the code of practice owner within seven days, and the owner will publish the code of practice so that it is accessible to the public. Where the PDPC revises the code of practice, or considers it necessary to revise it, the owner will complete the amendment within 60 days of receipt and return it to the PDPC (Section 1.1 of the Draft Laws for the Third Group).
Regarding future monitoring by the PDPC, where a violation of a code of practice by its owner is found, measures must be taken to stop the abuse and avoid future recurrence (Section 1.1 of the Draft Laws for the Third Group).