Vendor management

Similar to the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the PDPA introduces the concept of data controllers and data processors.

Underthe PDPA, a data controller is defined as a person or a juristic person who has the power and duties to make decisions regarding the collection, use, or disclosure of personal data.

On the other hand, a data processor is defined as a person or a juristic person who collects, uses, or discloses personal data pursuant to the orders given by, or on behalf of, the data controller, and is not a data controller itself.

Obligations of data controllers and data processors

The PDPA imposes several obligations on data controllers, such as:

• to inform the data subject of the required information regarding the collection, use, and/or disclosure of personal data;
• to identify the legal basis and necessary purposes for the collection, use, and/or disclosure of personal data, and, if applicable, to obtain the consent from the data subject;
• to prevent such person from using or disclosing personal data unlawfully or without authorisation;
• to put in place the examination system for erasure or destruction of personal data;
• to notify the Office of the Personal Data Protection Committee ('PDPC') and/or the data subject of any personal data breach; and
• to comply with requests when data subjects exercises their rights.

The data processor has the obligation:

• to carry out the activities related to the collection, use, or disclosure of personal data pursuant only to the instruction given by the data controller; and
• to notify the data controller of breaches of personal data that occurred.

There are certain activities with which both data controllers and data processors are obliged to comply, including:

• to provide appropriate security measures for preventing the unauthorised or unlawful loss, access to, use, alteration, correction, or disclosure of personal data;
• to appoint a data protection officer ('DPO'), if applicable;
• to appoint a local representative, if applicable; and
• to prepare and maintain records of personal data processing activities;

Further, if the vendor is a data processor, the data controller must enter into a data processing agreement with such data processor.

What should data controllers do to manage their data processors and other third parties?

The data controller should be able to identify the status of its existing vendors whether they are considered as data processors. The data controller should revisit the existing agreements with those data processors to ensure compliance with the PDPA and sub-regulation requirements. For the vendors in the future, a data processing agreement must be conducted to control the activities carried out in accordance with a data processor's obligations for compliance with the PDPA and its sub-regulation.

Even if the PDPA does not require a data processing agreement for data controllers, data protection clauses should be incorporated to ensure that the data controller's obligations are complied with.

In addition, a due diligence and audit process towards vendors and other third parties should be conducted periodically to demonstrate PDPA compliance with the PDPA.

Execution of data processing agreements

The draft sub-regulation introduces the clauses to be incorporated in a data processing agreement between the data controller and the data processor; for example, the data processor must:

• process the personal data as instructed in writing by the data controller;
• warrant that it has sufficient organisational and technical security measures;
• obtain written approval from the data controller if it wishes to engage a sub-processor;
• assist the data controller in performing duties in relation to maintaining the security of personal data, and reporting any personal data breach; and
• notify the data controller if it is found that any instruction of the data controller is contrary to the law.

The duty of data controllers and data processors to report breaches

Under the PDPA, the data controller must notify the PDPC of data breaches within 72 hours of discovery, unless the data breach is unlikely to result in a risk to the data subjects' rights and freedoms. If the data breach is likely to result in a high risk to the data subjects' rights and freedoms, the data controller must also notify the affected data subjects without delay, including providing information on remedial measures.

In addition, the data processor must notify the data controller if a data breach occurs.

The draft sub-regulation further specifies the details and descriptions that the data controller must notify to the PDPC, for example:

• the nature of the personal data breach;
• name and contact details of the DPO;
• potential consequences of such breach; and
• measures to mitigate its possible adverse effects.

Where the data controller is obliged to notify the data subject of the breach, the data controller must at least notify the data subject of the following information:

• the nature of the breach, and, if identifiable, categories of personal data, the amount of data, and concerned processing activities records;
• the name and contact details of the DPO;
• potential consequences of such breach; and
• measures to address the breach and the remedial actions.

Nonetheless, an exemption is also provided to the data controller, whereby the data controller does not need to notify the data subject of the breach if any of the following conditions is met:

• the data controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach;
• the data controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialise; or
• the notification of the breach to the subject would involve disproportionate effort.

If a breach is discovered by the data processor, it must inform the data controller of the type and amount of breached information, number of data subjects involved, and duration of the breach since becoming aware of the breach.

Legal liability

The penalties are imposed upon both the data controller and the data processor. There are different potential penalties under the PDPA as categorised below. Under the PDPA, the maximum penalties are a fine of up to THB 5 million (approx. €136,670), and/or imprisonment up to one year, depending on each case.

• Civil penalties: non-compliance could result in compensation of the actual damages and/or punitive damages of up to two times the amount of actual compensation, unless proven otherwise.
• Administrative penalties: non-compliance could be punished with administrative fines of up to THB 5 million (approx. €136,670).
• Criminal penalties: unlike the GDPR, the PDPA also imposes criminal penalties for non-compliance with imprisonment up to one year, or a fine not exceeding THB 1 million (approx. €27,330), or both.

Dhiraphol Suwanprateep Partner
[email protected]
Thananya Chaikamonsuk Associate
[email protected]
Baker & McKenzie Limited Attorneys at Law, Bangkok