Thailand: Operationalising PDPA - Lawful basis, sensitive personal data, and data processing safeguards - Part four
The Personal Data Protection Act 2019 ('PDPA') came into full force and effect on 1 June 2022. It governs the processing (i.e. the collection, use, and disclosure) of personal data of data subjects residing in Thailand carried out by businesses, defined as persons or legal entities who are data controllers or data processors. The PDPA protects the rights of data subjects and recognises the need of businesses for processing personal data for appropriate and limited purposes.
Part one provides an overview of the key notification and consent requirements that businesses must meet to comply with the PDPA. Part two discusses the requirements set out in the PDPA in relation to data transfers and localisation. Part three explores the PDPA's provisions on vendor management, breach reporting, and legal liability. In part four of the Insight series on the operationalisation of the PDPA, Nopparat Lalitkomon and Thammapas Chanpanich, from Tilleke & Gibbins, give an overview of the lawful bases for processing, sensitive personal data, and data-processing safeguards under the PDPA.
Thailand's PDPA is the country's first unified data privacy legislation for personal data protection. Coming at a time when people around the world are increasingly aware of the risks and negative consequences of their personal data being compromised, the PDPA seeks to align with international standards, such as the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Prior to the enactment of the PDPA, privacy rights were recognised in the Constitution of the Kingdom of Thailand. Beyond this, the handling of personal data was governed by specific regulations for a handful of sectors, such as telecommunications, financial institutions, securities, and life sciences.
The PDPA was announced in the Royal Gazette of the Kingdom of Thailand on 27 May 2019, but its requirements relating to the collection, use, disclosure, and transfer ('process' or 'processing') of personal data, as well as its provisions on data subjects' rights, were initially exempted from enforcement. After some delays caused by the impact of the COVID-19 pandemic over the past two years, the PDPA finally came fully into force on 1 June 2022.
Unlike most legislation in Thailand, the PDPA has an extraterritorial aspect whereby data controllers and data processors outside Thailand may be subject to the PDPA if the processing activities they undertake fall under the criteria prescribed in the PDPA.
The PDPA defines personal data as any data pertaining to a living natural person that enables the identification of that person, whether directly or indirectly, such as phone number, address, email address, or anything else that might enable the data subject's identification. The PDPA applies to personal data in any form, whether digital or otherwise.
The PDPA introduces two main roles relating to the handling of others' personal data: the data controller and the data processor. A data controller is a person or entity with power to make decisions regarding the collection, use, and disclosure of personal data. A data processor is a person or entity that collects, uses, or discloses personal data on behalf of, or under the instructions of, the data controller. The data controller carries significant liability and obligations, while the data processor's obligations and liabilities are very limited in comparison. The data processor only needs to process personal data in accordance with instructions from the data controller, while the data controller has to establish a lawful basis for the processing of personal data (e.g. request consent from the data subject) and notify the relevant data subjects about the processing.
Similar to the EU's GDPR, the key obligation for the processing of personal data under the PDPA is the lawful basis requirement. Under the PDPA, the data controller must obtain consent for the processing of personal data from the data subject, unless the processing activity can rely on another lawful basis, such as when the personal data is processed for educational, research, or statistical purposes (provided appropriate personal data protection measures are in place), or when the processing helps to prevent danger to a person's life, body, or health. Certain contractual obligations also do not require further consent. For instance, an agreement to sell goods and deliver them to various locations or email addresses would not need separate consent for handling each delivery address or email address.
In addition, there is an exemption covering the 'legitimate interest' of the data controller or a third party. When the data controller wishes to rely on legitimate interest for processing personal data, the data controller must balance its own or another party's legitimate interest with the need to uphold the fundamental rights and freedoms of data subjects.
When the processing of personal data needs to rely on consent as a lawful basis, the consent must be requested in accordance with the conditions prescribed in the PDPA. The consent must be requested before or at the time of collection of the personal data, in writing or in electronic form, and using clear and plain language. Moreover, the request cannot be deceptive or cause the data subject to misunderstand.
Sensitive personal data
The PDPA also provides more protection to certain types of sensitive personal data by placing more restrictions on the processing of such sensitive personal data, which includes personal data pertaining to race, ethnic origin, political opinions, disability, creed, religious or philosophical beliefs, sexual behaviour, and criminal records, as well as health data, trade union information, genetic data, and biometric data. This list is not fixed, as the regulator under the PDPA, the Personal Data Protection Committee ('PDPC'), may further identify other types of sensitive personal data in the future.
To process sensitive personal data, the data controller must obtain explicit consent from the data subject, unless the processing activity can rely on another lawful basis. The exemptions from the explicit consent requirement, and the other lawful bases that the data controller could rely on, are very limited; they are not the same as the exemptions from the consent requirement for general personal data. Examples of exemptions from the explicit consent requirement include where the processing of sensitive personal data is:
- conducted to prevent danger to a person's life, body, or health;
- necessary for the establishment, compliance, exercise, or defence of legal claims; or
- necessary for compliance with a law to achieve the purposes with respect to specific matters, including labour protection.
Appropriate safeguards for processing data
The PDPA also prescribes obligations that the data controller must comply with when processing personal data. The first obligation is to ensure that, throughout its processing, the personal data remains correct, up-to-date, complete, and not misleading. In terms of security and maintenance, the data controller must implement suitable measures to prevent the loss, unauthorised access, alteration, or disclosure of personal data. These measures must be reviewed whenever necessary, such as after the implementation of technological developments. The data must be recorded in a form - either written or electronic - that can be inspected by the data subject or an authorised party. When the storage period expires, when the personal data is no longer relevant or exceeds the scope of necessity, or when consent is withdrawn, the data controller is also responsible for seeing that the personal data is erased.
When a data controller discloses or shares personal data with other persons, it must also implement measures to prevent unauthorised use and disclosure. If the data controller engages a data processor to carry out processing on its instructions, a data processing agreement must also be in place to ensure that the data processor will comply with the PDPA and with the data controller's instructions.
Furthermore, when personal data is to be transferred overseas, the data controller must ensure that the destination country has adequate personal data protection standards. If these standards are not adequate, the data controller may need to apply additional safeguards to personal data when it is transferred to the foreign country.
Conclusion and outlook
Some of the PDPA's many new requirements and rules for the processing of personal data will become more precise with further clarifications from the PDPC. This process may affect data controllers and data processors - both abroad and in Thailand - and bring new understandings of how best to comply with the law. Business operators in Thailand and outside the country therefore need to stay informed about the enforcement of the PDPA and be prepared to adjust their compliance strategies accordingly.
Despite the challenges of adjusting to new regulatory requirements, businesses will likely find that the PDPA enables them to conduct their personal data-related operations more smoothly and according to internationally accepted standards.