Thailand: An overview of Vendor Privacy Contracts
1. Governing Texts
- Personal Data Protection Act 2019 ('PDPA')
1.2. Regulatory authority guidance
The Personal Data Protection Committee ('PDPC') has yet to issue sub-regulations as prescribed under the PDPA.
1.3. Regulatory authority templates
Data Controller: A person or legal person having the power and duties to make decisions regarding the collection, use, or disclosure of the personal data (Section 6 of the PDPA).
Data Processor: A person or legal person who operates in relation to the collection, use or disclosure of the personal data pursuant to the orders given by or on behalf of a personal data controller, whereby such person or legal person is not a personal data controller (Section 6 of the PDPA).
3.1. Are there requirements for a contract to be in place between a controller and processor?
The PDPA provides that a data processor shall have the duty to carry out its activities related to the collection, use or disclosure of personal data only pursuant to the instructions it is given by the data controller, except where such instruction is contrary to the law or any provisions under the PDPA (Section 40(1) of the PDPA). Furthermore, Section 40 of the PDPA continues that, where the data processor carries out the activities described under Section 40(1), the data controller shall prepare an agreement between the data processor and the data controller.
3.2. What content should be included?
The PDPA does not specify the contents to be included in any contract or agreement made between the two parties. Section 40 of the PDPA only states that the agreement must ensure that the activities carried out by the data processor comply with the PDPA.
4.1. Are processors required to assist controllers with handling of data subject requests?
The PDPA does not impose on data processors any requirements to handle, or assist with, data subject rights requests. Whilst not explicitly referring to data processors, the PDPA requires that, where a data controller has made personal data public and is requested to erase, destroy, or anonymise such data, the data controller shall be responsible for undertaking the request of the data subject, including both the implementation of technology and the expenses to fulfil such request, and shall inform other data controllers in order to obtain their responses regarding the action to be taken to fulfil such request (Section 33 paragraph three of the PDPA). Furthermore, where the data controller fails to take action in accordance with Section 33 paragraph one or three, the data subject shall have the right to complain to the PDPC in order for it to take action (Section 33 paragraph four of the PDPA).
For further information see Thailand – Data Subject Rights.
5.1. Are processors required to keep records of their processing activities?
The PDPA requires the data processor to prepare and maintain records of data processing activities in accordance with the supplementary rules and methods set forth by the PDPC (Section 96 of the PDPA).
Exceptions to this Section may apply, under rules the PDPC will publish, where an organisation is small (Section 40(3) of the PDPA), unless:
- the collection, use, or disclosure of such personal data is likely to result in a risk to the rights and freedoms of the data subject; or
- the organisation is not a business where the collection, use, or disclosure of the personal data is occasional; or
- the collection, use, or disclosure of the personal data involves personal data pursuant to Section 26 of the PDPA, which includes:
  - racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or any other data which may affect the data subject in the same manner, as prescribed by the PDPC, the collection of which is prohibited without the explicit consent of the data subject.
6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?
The PDPA requires the data processor to provide appropriate security measures for preventing unauthorised or illegal loss, access to, use, alteration, correction or disclosure of personal data (Section 40(2) of the PDPA).
7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?
The PDPA requires the data processor to notify the data controller of any data breach that has occurred. The PDPA does not specify timeframe or content requirements for such notification by data processors (Section 40(2) of the PDPA).
For further information see Thailand – Data Breach.
8.1. Are subprocessors regulated? If so, what obligations are imposed?
The PDPA does not provide for requirements on subprocessors.
9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?
Section 28 of the PDPA establishes restrictions on the transfer of personal data by data controllers to data controllers or data processors located outside Thailand.
Under Section 29 of the PDPA, where a data controller or data processor transfers personal data outside Thailand to a data controller or data processor that is in the same affiliated business or the same group of undertakings, in order to jointly operate the business or group of undertakings, the transfer is exempt from the requirements of Section 28 provided that the transferring data controller or data processor has put in place a data protection policy that has been reviewed and certified by the PDPC.
Furthermore, Section 29 of the PDPA specifies that, in the absence of a PDPC decision on such a data protection policy, a transfer may still be made in exemption from Section 28 where the data controller or data processor provides suitable protection measures that enable the enforcement of the data subject's rights, including effective legal remedies, in accordance with the rules and methods prescribed and announced by the PDPC.
For further information see Thailand – Data Transfers.
10.1. Are processors required to assist controllers with regulatory investigations?
The PDPA does not provide for requirements on assistance to data controllers with regulatory investigations.
11.1. Are processors required to appoint a DPO / representative?
The PDPA requires data controllers and data processors to designate a data protection officer in the following circumstances (Section 41 of the PDPA):
- the data controller or the data processor is a public authority as prescribed and announced by the PDPC;
- the activities of the data controller or the data processor in the collection, use or disclosure of the personal data require regular monitoring of the personal data or the system, by reason of the large amount of personal data involved, as prescribed and announced by the PDPC; or
- the core activity of the data controller or the data processor is the collection, use or disclosure of the personal data.
For further information see Thailand – Data Protection Officer Appointment.
12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?
Although there are no explicit requirements for controllers to supervise or monitor a processor's compliance with the PDPA or the contract, the PDPA requires data controllers to ensure, through their contract, that the data processor's activities and obligations comply with the PDPA (Section 40 of the PDPA).
In addition, the data protection officer designated by both the data controller and the data processor may give advice with respect to compliance, and investigate whether the collection, use or disclosure of personal data complies with the PDPA (Section 42(1) and (2) of the PDPA).
Authored by OneTrust DataGuidance