Thailand: Operationalising PDPA - Notification and consent requirements - Part one
The Personal Data Protection Act 2019 ('PDPA') came into full force and effect on 1 June 2022. It governs the processing (i.e. the collection, use, and disclosure) of personal data of data subjects residing in Thailand carried out by businesses, defined as persons or legal entities who are data controllers or data processors. The PDPA protects the rights of data subjects and recognises the need of businesses for processing personal data for appropriate and limited purposes.
As part one of the Insight series on the operationalisation of the PDPA, Kowit Somwaiya and Usa Ua-areetham, from LawPlus Ltd., provide an overview of the key notification and consent requirements that businesses must meet to comply with the PDPA. Part two discusses the requirements set out in the PDPA in relation to data transfers and localisation. Part three explores the PDPA's provisions on vendor management, breach reporting, and legal liability. Part four gives an overview over lawful bases for processing, sensitive personal data, and data processing safeguards under the PDPA.
Except for cases where the provisions of the PDPA or any other laws permit, businesses cannot collect, use, or disclose personal data without explicit consent from the data subject.
Key requirements and principles for obtaining consent
- Consent must be obtained prior to, or at the time of, the collection, use, or disclosure of personal data.
- A consent request must be explicitly made in a written statement or via electronic means, except in cases it cannot be done so by its nature.
- In the consent request, the businesses must also inform the data subject of the purposes for which the personal data will be collected, used, or disclosed.
- The consent request must be presented in a manner which is clearly distinguishable from other matters, in an accessible and intelligible form and statement, using a clear and plain language. The consent request must not be deceptive or misleading to the data subject in respect to the purposes of the personal data processing.
- The data subject's consent must be freely given. Businesses cannot require the data subject's consent for the collection, use, or disclosure of personal data as a condition for the entry into a service contract with the businesses where such personal data is not necessary or related to the contract or the services to be provided by the businesses under the contract.
- The data subject may withdraw their consent anytime, except in cases where consent withdrawal is restricted by law or by a contract that is beneficial to the data subject.
Key requirements and principles for responding to consent withdrawal requests
- Businesses must arrange for a simple method for the data subject to withdraw their consent easily.
- If the consent withdrawal will have a negative consequence on the data subject in any manner, the businesses must inform the data subject of such consequence.
- The consent withdrawal does not affect the collection, use, and disclosure of the personal data which the data subject has already given consent to.
- Upon receipt of a consent withdrawal request, businesses must:
- cease further collecting, using, or disclosing personal data;
- notify their data processors and agents of the consent withdrawal; and
o ensure that they cease collecting, using, or disclosing the personal data of the requesting data subject.
Notification requirements for personal data collection
The collection of personal data is subject to the explicit consent of the data subject as discussed above, and must be limited to only the extent necessary for the lawful purposes of businesses.
Key details to be included in the notification to data subjects
Businesses must notify the following details to the data subject prior to, or at the time of, the collection of their personal data, except in cases where they have already known of such details:
- the purpose(s) of the collection for personal data for the use or disclosure of personal data;
- where the collection of personal data can be made without consent for some purposes, as allowed by the PDPA or other laws, such purposes must be stated in the notification;
- the statement noting that it is a legal or contractual requirement for the data subject to provide their personal data, or that it is necessary for the data subject to provide their personal data for the purpose of them entering into the contract, and the possible effects if they do not provide their personal data;
- the categories of the personal data to be collected and retention periods;
- the categories of the persons or the authorities to whom the collected personal data may be disclosed;
- the contact details of the business and the data protection officer ('DPO') (if any) of the business; and
- the rights of the data subject as recognised under the PDPA, including the right to withdraw consent, the right to request access to, and obtain a copy of, personal data, and the right to receive personal data in a readable digital format.
Method and form of notification
The PDPA does not specify the method and form of the notification to the data subject. Thus, each business may notify the details listed above to the data subject by the method and in the form of their choice, such as in the form of a written notice sent by post or posted at the premises of the business, or in the form of a digital notice made available by electronic means (in the website of the business, or sent as an email or a message to the electronic device of the data subject).
Businesses may consider the following factors in determining the delivery method and the form of the notification:
- the circumstances and manner in which the personal data will be collected;
- the amount of the personal data to be collected; and
- the frequency at which the personal data will be collected.