Thailand: PDPA Key principles - Part one
The Personal Data Protection Act 2019 ('PDPA') is Thailand's first comprehensive data protection legislation, which was originally set to enter into effect on 27 May 2020. However, following two rounds of postponement due to the COVID-19 pandemic, the PDPA has entered into effect on 1 June 2022. The PDPA is based on the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and aims to ensure the protection of personal data and put in place effective remedial measures for data subjects whose rights to the protection of personal data are violated.
Similar to part two and part three of this three-part series on the PDPA, this article intends to highlight key provisions of the PDPA, focusing on its scope of application, important definitions, and the grounds on which the collection, use, and disclosure of personal information may be based.
Scope of application
General and sectoral application (Sections 3 to 5)
The PDPA applies to the collection, use, or disclosure of personal data by data controllers or data processors in Thailand, regardless of whether such collection, use, or disclosure takes place in Thailand. Where the data controller or data processor is outside Thailand, the PDPA will apply to the collection, use, or disclosure of personal data where the activities concern:
- offering of goods or services to the data subjects who are in Thailand, irrespective of whether the payment is made by the data subject; or
- the monitoring of the data subject's behaviour, where the behaviour takes place in Thailand.
The PDPA clarifies that it will not apply in a number of instances, including:
- personal data collection, use, or disclosure for personal benefit or household activities only;
- operations of public authorities having the duties to maintain state security, including financial security of the state or public safety, such as duties with respect to the prevention and suppression of money laundering, forensic science, or cybersecurity; and
- the use or disclosure of personal data for activities of mass media, fine arts, or literature, that are only in accordance with professional ethics or for public interest.
In relation to sector-specific laws governing the protection of personal data, the PDPA stipulates the provisions of such laws will apply, unless exceptions apply, such as the provisions on the collection, use, or disclosure of personal data and rights of data subjects, including relevant penalties, which will apply regardless of whether they are repeating the sectoral law.
The following definitions are set out in Articles 6 and 26 of the PIPL, as well as Section 2.1. of the Notification regarding Data Protection Impact Assessment ('DPIA') and Duties of the Data Controller to have the Data Subject Deny Decision Making using Automated Processes Only ('the Draft DPIA and Automated Processing Notification').
Personal data means any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased person.
Data controller means a person, or a juristic person, having the power and duties to make decisions regarding the collection, use, or disclosure of the personal data.
Data processor means a person, or a juristic person, who operates in relation to the collection, use, or disclosure of the personal data pursuant to the orders given by, or on behalf of, a data controller, whereby such person or juristic person is not the data controller.
Person means a natural person.
Committee means the Personal Data Protection Committee ('PDPC').
The PDPA does not explicitly define sensitive data. However, the PDPA provides specific restrictions on the collection of personal data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner, as prescribed by the PDPC.
Biometric data means personal data arising from the use of technics or technology related to the physical or behavioural dominance of a person, which can be used to identify such person apart from other persons, such as facial, iris, or fingerprint recognition data.
Automated Processing means automated decision making and without human participation, based on personal information of the owner, and the information that is generated by the data controller or the data processor themselves (Section 2.1 of the Draft DPIA and Automated Processing Notification).
Profiling means any form of processing of personal data which uses information for evaluating aspects about a person, especially to analyse or make predictions about the individual in terms of efficiency, economic status, health, geolocation, or the movement of a person (Section 2.1 of the Draft DPIA and Automated Processing Notification).
Accuracy principle (Section 35)
The data controller is required to ensure personal data remains accurate, up-to-date, complete, and not misleading. On this point, the PDPA clarifies that where the data subject requests the data controller to act in compliance with Section 35, and the data controller does not take action regarding the request of the data subject, the data controller must record such request of the data subject together with reasons as prescribed in Section 39 of the PDPA.
Lawful processing (Sections 22 and 23)
The collection of personal data must be limited to the extent necessary in relation to the lawful purpose of the data controller.
Data controllers must not collect, use, or disclose personal data, unless the data subject has given prior consent at the time of such collection, use, or disclosure, except in cases where it is permitted to do so by the PDPA or any other laws. Specifically, the PDPA outlines a number of instances where personal data can be processed without consent, including where it is:
- necessary for the performance of a contract;
- necessary for the public interest, or exercise of the official authority vested in the data controller;
- necessary for legitimate interests;
- a legal obligation; or
- preventing or suppressing a danger to a person's life, body, or health.
Furthermore, the Draft Notification on Protection Measures for Processing Personal Data ('the Draft Notification on Measures for Processing') requires data controllers to demonstrate that data is processed for the purposes that it was initially collected for under Section 26 of the PDPA, and that appropriate measures for processing such personal data are taken. The above can be achieved by recording the types of processing activities undertaken by the data controller (Section 2.4 of the Draft Notification on Measures for Processing).
Consent (Sections 19 and 20)
The PDPA details consent requirements, such as the requirement of consent being explicitly expressed in a written statement, or via electronic means, unless it cannot be done. In addition, the PDPA provides eligible requirements, and states that, when requesting consent, the data controller must also inform the purpose of the collection, use, or disclosure of the personal data. Furthermore, the PDPA outlines that the specific requirements for consent include that it must be freely given, and that the data subject can withdraw consent at any time.
In relation to the consent of minors, the PDPA establishes that where the minor giving consent is not entitled to act alone, the consent of the holder of parental responsibility over the child will also be required. Furthermore, where the minor is below the age of ten years of age, consent must be obtained from the holder of parental responsibility over the child. Also, where the data subject is incompetent, consent must be obtained from the custodian who has the power to act on behalf of the incompetent person. On this point, where the data subject is quasi-incompetent, consent must be obtained from the curator who has the power to act on behalf of the quasi-incompetent person.
Importantly, the withdrawal of consent, the notice given to data subjects, the exercise of data subject rights, complaints from data subjects, and any other acts under the PDPA for data subjects who are minors, incompetent, or quasi-incompetent, will be exercised by the person with parental responsibility over the child or the person that has power to act on behalf of the incompetent person.
The Draft Notification for the Criteria and Methods of Obtaining Consent from the Data Subject ('the Draft Notification on Consent') recommends that associations and working groups establish a standard consent form or statement for obtaining consent from data subjects, to make it easier to comply with the PDPA. The PDPC will collect the drafted forms and statements, and designate or create a directory for the convenience of individuals who want to use such statements.
The Operational Guidelines on the Criteria for Obtaining Consent ('the Consent Guidelines') establish the main requirements for valid consent.
Section 3.1 of the Consent Guidelines require that when consent is obtained the following must be established:
- the consent period that it is valid to collect, use, and disclose personal data;
- the purpose and details of the consent request must be communicated;
- that request must be clear, separate from other messages, in an easily accessible format, and understandable, including using language that is easy to read and not deceptive;
- freely given consent from the owner of the personal information without fraud, deception, intimidation, or misrepresentation; and
- consent is not conditional, compulsory, or binding within terms of service, or require consent prior to entering into a contract.
Moreover, under the Consent Guidelines, data controllers must inform the data subject of the following:
- the purpose of collecting, using, and disclosing of specific personal information;
- details on the type of personal information that will be transferred and the number of persons the information will be shared with;
- the contact information of the data controller; and
- the ability to withdraw consent at any time.
Section 3.5 of the Consent Guidelines clarifies that the notification of the purpose and details of the collection, use, and disclosure of personal information can be done in a number of ways, for example, by writing a notice, oral notice, text notification in the form of an SMS, email, MMS, or by phone, as well as any other electronic method, such as specifying details in a URL or QR code.
Furthermore, the Consent Guidelines explain that consent requires a clear affirmative act, for instance by submitting a consent form that the data subject has created by themselves, signing a form provided by the controller, or clicking on the checkbox indicating the data subject's 'consent'. In addition, pressing the button on the mobile phone twice in a row shows the confirmation intent, as well as sliding the screen to indicate the intention of giving consent.
Section 6 of the Consent Guidelines clarify the consent mechanisms for minors. Specifically, the data controllers must set up appropriate measures, including forms and conditions, for age verification for minors who are over ten years of age, but not yet of legal age, and the language used must be easily understood by the minor. In regard to minors under ten years of age, the data controller must receive consent from an appropriate user, such as their parent or guardian, and must set up appropriate measures to verify the parent or guardian of the user.
In the instance of consent for incompetent or quasi-incompetent persons, Section 7 of the Consent Guidelines establish that the same rules apply, and a data controller will be required to set up appropriate measures for the verification and consent of a parent or guardian of the user.
Data collected from third parties (Section 25)
Data controllers must not collect personal data from any other source, apart from the data subject directly, unless exceptions apply. These exceptions include the data controller informing the data subject of the collection of personal data from other sources without delay, which must not exceed 30 days from the date of such collection, and must have obtained consent from the data subject.
Sensitive data (Section 26)
The PDPA stipulates that personal data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner, as prescribed by the PDPC, is prohibited, without the explicit consent from the data subject, unless exceptions apply. Exceptions outlined in the PDPA include:
- explicit consent;
- preventing or suppressing a danger to life, body, or health of the person, where the data subject is incapable of giving consent;
- the establishment, compliance, exercise, or defence of legal claims;
- where it is necessary for compliance with a legal obligation; and
- when it is carried out in the course of legitimate activities with appropriate safeguards by the foundations, associations, or any other not-for-profit bodies with a political, religious, philosophical, or trade union purposes.
In relation to criminal conviction data, such collection must be carried out under the control of an authorised authority under the PDPA, or where data protection measures have been implemented according to rules prescribed by the PDPA.
More specifically, Section 2.8 of the Draft Notification on Measures for Processing states that data controllers that intend to process such data must do so with the written consent of the data subject, unless exceptions apply, such as the processing is required by law. In addition, under Section 2.9 of the Draft Notification on Measures for Processing, where a data subject refuses to give consent to the processing of criminal conviction data, the data controller must notify the consequences of not giving consent. Moreover, to authenticate information about criminal records, the data controller may use a certifying agency to confirm the personal information of the data subject, the authentication of such information is not the burden of the data subject.