Thailand: Rights and enforcement under the PDPA - Part three
The Personal Data Protection Act 2019 ('PDPA') is Thailand's first comprehensive data protection legislation. It was originally set to enter into effect on 27 May 2020 but, following two rounds of postponement due to the COVID-19 pandemic, entered into effect on 1 June 2022. The PDPA is modelled on the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and aims to ensure the protection of personal data and to put in place effective remedies for data subjects whose rights to the protection of their personal data are violated.
Similar to part one and part two of this three-part series on the PDPA, this article intends to highlight key provisions in the PDPA, focusing on the rights of individuals and liability under the PDPA.
Data subject rights
The right to be informed (Sections 21, 23, and 41)
The data controller must collect, use, or disclose personal data only in accordance with the purposes notified to the data subject. Collection, use, or disclosure for a purpose different from the one previously notified is not permitted unless:
- the data subject has been informed of such new purpose, and consent is obtained prior to the time of collection, use, or disclosure; or
- it is in line with the provisions of the PDPA or other laws.
When collecting personal data, except in cases where the data subject already knows of such details, the controller must inform the data subject about:
- the purpose of the collection, use, or disclosure, including the purpose for processing without the data subject's consent;
- the cases in which the data subject must provide their personal data, together with the possible effects for the data subject of not providing it, namely where provision is required:
- in compliance with a legal obligation;
- for the performance of a contract; or
- where it is necessary for the purpose of entering into a contract;
- the personal data to be collected and the period for which it will be retained, or, if it is not possible to specify the retention period, the expected data retention period according to the data retention standard;
- the categories of persons, or entities, to whom the personal data may be disclosed;
- the identity, address, and contact channels of the data controller and, where applicable, of its representative or data protection officer ('DPO'); and
- data subject rights.
In addition, the data controller and data processor must provide the data subject and the Personal Data Protection Committee ('PDPC') with the DPO's details, including their contact address and contact channels. The data subject must be able to contact the DPO regarding the collection, use, or disclosure of their personal data and the exercise of their rights under the PDPA.
In particular, the Guidelines on notifying the purpose and details of data collection, use, and disclosure of personal information ('the Guidelines on Notification') divide notifications to data subjects of the purpose and details of the collection, use, and disclosure of personal data into two types: cases where a specific law or regulatory agency prescribes its own guidelines and criteria for the notification, and cases where no specific law or regulatory body does so, in which case data controllers should follow the Guidelines on Notification (Article 3 of the Guidelines on Notification).
Furthermore, the Guidelines on Notification set out exceptions to the requirement to notify data subjects of the purpose of the collection, use, and disclosure of their personal data. These exceptions include situations where the data subject is already aware of the purpose of the processing or the relevant details, and situations where the data controller can prove that notification would impede the use or disclosure of the information concerned.
More significantly, the Guidelines on Notification highlight that notification must be given explicitly and may be made in several ways, such as text, email, a QR code, a link, or any other technical means that makes data subjects aware of the purpose of the collection, use, and disclosure. Likewise, the Guidelines on Notification note that the purposes of the collection, use, and disclosure may be notified in a window or small panel in the corner of a computer or mobile phone screen, with a dashboard or layered approach being recommended.
Data controller requirements resulting from the Notification on Processing
The Draft Notification of the Purpose and Details of Personal Data Processing ('the Notification on Processing') establishes requirements that apply to data controllers. Under Section 2.2 of the Notification on Processing, a controller should inform data subjects of the different purposes of processing their personal data in a clear, transparent, understandable, and accessible manner that is appropriate to the nature and circumstances of the collection of the specific data in question. Where the purposes of processing change or new purposes are introduced, the data controller must notify the data subject of the potential impact on their rights and freedoms arising from those changes, and may also need to retain evidence proving that the data subject has responded to, and accepted, the changes made.
For processing for historical, scientific, or statistical purposes, Section 2.3 of the Notification on Processing allows the data controller to process personal data for such purposes even where they are new, provided that it can demonstrate, among other factors, that:
- the processing is similar to the original purposes notified to the data subject;
- the nature of the personal data that is processed is in accordance with Section 26 of the PDPA;
- it is in the public's interest to process such personal data for these purposes; and
- security measures are in place to protect personal data intended to be processed.
Section 2.4 of the Notification on Processing establishes that, for the processing of personal data by automated means, such as the use of artificial intelligence ('AI'), the data controller must implement measures such as higher security standards, and may be required to demonstrate them to the expert committee by notifying it of such processing and measures.
Moreover, Section 2.5 of the Notification on Processing places a duty on data controllers to record the purposes for which data has been collected, while Sections 2.6, 2.8, and 2.10 of the Notification on Processing require that the data subject be notified of the purposes clearly enough to understand them, including any potential benefits or impact on their rights, unless an exemption from the notification requirement applies. The data controller must also inform the data subject of the types of data it intends to collect and for how long it will be retained.
Section 2.11 of the Notification on Processing provides that, where the retention period for such personal data has not been notified or determined, the data controller must be able to demonstrate the length of time necessary for the purpose to be achieved.
Under Section 2.12 of the Notification on Processing, the data controller must notify the data subject of any disclosure of their data and of the entities to which it is disclosed. If the data controller cannot confirm which entities the data subject's information has been disclosed to, it must explain the circumstances sufficiently for the data subject to understand the nature of the individuals, entities, or organisations that may receive their personal data, for example by giving examples of such recipients. In addition, Sections 2.13 and 2.14 of the Notification on Processing require the data controller to provide the data subject with the data controller's contact information and to inform them of their data subject rights under the PDPA.
Right to access (Sections 30 and 31)
The PDPA provides data subjects with a right of access. Specifically, data subjects are entitled to request access to, and obtain a copy of, the personal data relating to them that is under the responsibility of the data controller, or to request disclosure of how personal data was obtained without their consent.
The data controller may reject such a request only where rejection is permitted by law or pursuant to a court order, and where such access would adversely affect the rights and freedoms of others. Where a request is rejected, the data controller must record the rejection with reasons, as prescribed in Section 39 of the PDPA. Where a request cannot be rejected on those grounds, the data controller must fulfil it without delay, and no later than 30 days from the date of receipt.
In relation to access to the personal data relating to the data subject, the PDPA requires the data controller to provide the personal data in a format that is readable or commonly used by way of automatic tools or equipment, and that can be used or disclosed by automated means.
In relation to records of processing and access requests, the data controller must take steps to enable data subjects to exercise their rights and must implement measures to provide access to the requested data. Before providing access, the data controller must verify the identity of the data subject and confirm their eligibility to access the personal data in question. The data controller may reject an access request where the request is unfounded or unreasonable, or where the data subject's identity cannot be verified. In addition, the data controller may charge reasonable operating costs, taking into account the cost and time involved in complying with such requests.
Under Section 2.10 of the Notification on Records of Processing and Access Requests, where a request for access is made, a copy of the requested data must be given to the data subject without delay, and no later than 30 days from receipt of the request. This period may be extended by a further 60 days where necessary, depending on the complexity or number of requests the data controller has received. In this regard, the data subject must be informed of the receipt of the access request, together with the reason for any delay in complying with it.
Right to data portability (Section 31)
Data subjects are entitled to request the data controller to send or transfer personal data in a readable or commonly used format by ways of automatic tools or equipment to other data controllers where it can be done by automatic means. In addition, the data subject can request to directly obtain personal data that the data controller sends or transfers to other data controllers in such format, unless it is impossible to do so because of technical circumstances.
This right applies to personal data that the data subject has provided on the basis of consent given in accordance with the PDPA, that is exempt from the consent requirement under Section 24(3) of the PDPA, or that falls under any other ground in Section 24 of the PDPA as prescribed by the PDPC.
The right to data portability will not apply when sending or transferring personal data which is for the performance of a task carried out in the public interest, for compliance with legislation, or where it violates the rights and freedoms of others. Where a data controller rejects the request for the reasons outlined above, it must make a record of the rejection with reasons as prescribed in Section 39 of the PDPA.
Right to object (Section 32)
The PDPA provides specific instances in which a data subject can object to the collection, use, or disclosure of their personal data. These include where personal data is collected on the basis of the consent exemptions under Sections 24(4) or (5) of the PDPA, unless the data controller can prove that:
- there is a compelling legitimate ground for the collection, use, or disclosure; or
- the collection, use, or disclosure is carried out for the establishment, compliance, exercise, or defence of legal claims.
This right also applies to collection, use, or disclosure for the purpose of direct marketing and for the purpose of scientific, historical, or statistical research, unless the processing is necessary for the performance of a task carried out in the public interest by the data controller. Where a data controller rejects the request for the reasons outlined above, it must make a record of the rejection with its reasons, as prescribed in Section 39 of the PDPA.
Right to erasure and destruction (Section 33)
Data subjects have the right to request the data controller to erase, destroy, or anonymise their personal data, so that it can no longer identify the data subject. The PDPA outlines four instances in which this right can be exercised:
- when the personal data is no longer necessary for the purposes for which it was collected, used, or disclosed;
- when the data subject withdraws consent, and the data controller has no legal ground for such collection, use, or disclosure;
- when the data subject objects to the collection, use, or disclosure under Section 32 of the PDPA and the data controller cannot reject the objection; and
- when the personal data has been collected, used, or disclosed unlawfully under Chapter 3 of the PDPA.
An exception to the above applies where personal data retention is necessary:
- for the purpose of freedom of expression;
- for the purpose of establishment, compliance, exercise, or defence of legal claims;
- for the purposes under Sections 24(1) or (4), 26(5)(a) or (b); or
- to comply with the law.
On this point, the PDPA clarifies that where the data controller has made the personal data public and a request for erasure, destruction, or anonymisation is made, the data controller is responsible for taking action, including implementing the necessary technology and bearing the expenses, to fulfil the request and to inform other data controllers in order to obtain their responses regarding the actions they will take to fulfil it.
Importantly, where the data controller does not take action, the data subject has the right to complain to the PDPC to order the data controller to take such action.
Right to restrict the use of personal data (Section 34)
The PDPA provides the right to request to restrict the use of the personal data in a number of circumstances, including:
- when the data controller is pending examination in accordance with the data subject's request pursuant to Section 36 of the PDPA;
- when the personal data will be erased or destroyed, but the data subject requests the restriction of the use instead;
- when it is no longer necessary to retain the personal data, but the data subject requires further retention for the purposes of the establishment, compliance, exercise, or defence of legal claims; or
- when pending verification with regard to Section 32(1) of the PDPA, or pending examination with regard to Section 32(3) of the PDPA in order to reject the objection request.
Notably, where the data controller does not take action, the data subject has the right to complain to the PDPC to order the data controller to take such action.
Restrictions on data subject rights
Additionally, the Draft Notification of the Determination of the Scope of Enforcement of PDPA and Appointment of Agents ('the Draft Enforcement Notification') sets out restrictions on data subject rights, disapplying various sections of the PDPA for data controllers who are legal professionals, who process data for statistical purposes, or who document matters for historical or public interest purposes (Section 1.4 of the Draft Enforcement Notification).
Furthermore, the Draft Enforcement Notification provides that data controllers must put in place measures to give effect to data subject rights under the PDPA, including keeping a record of data processing activities and of any denial of the exercise of rights. Equally, the Draft Enforcement Notification clarifies data controller obligations, specifying, among other things, response timeframes, response formats, and the process for notifying data subjects of the outcome of their requests. Specifically, the Draft Enforcement Notification provides that data subject requests should be actioned within 30 days of receipt, extendable by a further 60 days where something prevents the request from being actioned within that period, depending on the complexity and number of requests. In that case, the data subject must be notified of the extension and the reason for the delay. As to form, where a data subject makes a request through an electronic system, the data controller must likewise respond electronically, unless the data subject states otherwise (Section 1.4 of the Draft Enforcement Notification).
Right to lodge a complaint (Sections 73 and 74)
The PDPA provides data subjects with the right to file a complaint where the data controller or data processor violates, or fails to comply with, the PDPA or notifications issued under it. Where a complaint does not comply with the rules under Section 73(2) of the PDPA, or is one that those rules prohibit from being accepted for consideration, the expert committee will not accept it for consideration.
Where the expert committee finds, following the complaint or the investigation, that the complaint has no basis, the same will issue an order to dismiss the complaint or investigation. Conversely, where following the expert committee's consideration or investigation, it is found that the complaint can be settled, and the concerned parties are willing to settle the dispute, the expert committee will proceed with the dispute settlement. However, where the complaint cannot be settled, or the dispute settlement fails, the expert committee will have the power to issue orders, including requiring data controllers or data processors to perform or rectify their act within the specified period or prohibiting data controllers or data processors from carrying out an act which causes damage to the data subject, or any act to cease the damage within the specified period.
The PDPA establishes that where the data controller or data processor does not comply with orders issued under Sections 74(1) and (2) of the PDPA, the administrative enforcement provisions of the law on administrative procedure apply mutatis mutandis.
The Draft Regulations for the Process for Receiving and Considering Complaints Regarding Violations or Non-compliance with the PDPA ('the Draft Regulations on Complaints') provide that any data subject whose rights are in dispute, or who has suffered damage as a result of the acts of a data controller or data processor, including their employees or contractors, has the right to file a complaint with the PDPC. In addition, the Draft Regulations on Complaints specify that a complaint should include, among other things, the complainant's name and surname, address, telephone number or email address, details of the complaint's context, relevant evidence, and a certification that the statement given is true. Furthermore, under the Draft Regulations on Complaints, complaints must be made in writing or through a reliable electronic medium.
On the role of the expert committee in receiving complaints, the Draft Regulations on Complaints provide that where a complaint is incomplete owing to missing information, the complainant must be notified and advised on how to remedy it, and the complaint does not take effect until the additional information has been provided. The Draft Regulations on Complaints also clarify that such complaints will be responded to within seven days of receipt.
Civil liability (Sections 77 and 78)
Data controllers or data processors whose operations in relation to personal data violate, or fail to comply with, the provisions of the PDPA and cause damage to the data subject must compensate the data subject for such damage, regardless of whether the operation was performed intentionally or negligently, unless the data controller or data processor can prove that the operation was the result of:
- force majeure, or the data subject's own act or omission; or
- an action taken in compliance with an order of a government official exercising their duties and powers under the law.
The compensation includes all necessary expenses incurred by the data subject for the prevention of the damages likely to occur, or which was spent to suppress the damages occurred.
The court also has the power to order the data controller or data processor to pay punitive damages, in addition to the actual compensation, as it deems fit, not exceeding twice the amount of the actual compensation. In setting punitive damages, the court takes into account factors including:
- the severity of the damage incurred by the data subject;
- the benefit obtained by the data controller or data processor;
- the financial status of the data controller or data processor;
- any remedies provided by the data controller or data processor; and
- the data subject's role in contributing to the damage.
Finally, the PDPA establishes that claims for compensation from the wrongful acts under the PDPA will be barred by prescription after the lapse of three years from the date the injured person knew of the damages and the identity of the data controller or the data processor, or after ten years from the date of which the wrongful act against the personal data took place.
Criminal liability (Sections 79 to 81)
A data controller that violates Sections 27(1) or (2), or fails to comply with Section 28 of the PDPA, in relation to sensitive personal data under Section 26, in a manner likely to cause another person to suffer damage, impair their reputation, or expose them to scorn, hatred, or humiliation, is liable to imprisonment for a term not exceeding six months, or a fine not exceeding THB 500,000 (approx. €13,620), or both. A data controller that commits such a violation in order to unlawfully benefit itself or another person is liable to imprisonment for a term not exceeding one year, or a fine not exceeding THB 1 million (approx. €27,460), or both. Importantly, these offences are compoundable.
In addition to the above, where a person gains knowledge of the personal data of another person as a result of performing duties under the PDPA and discloses it to any other person, they will be punished with imprisonment for a term not exceeding six months, or a fine not exceeding THB 500,000 (approx. €13,620). The PDPA provides exceptions to this offence where the disclosure satisfies one of the following:
- the performance of duty;
- for the benefit of an investigation, or a trial in court;
- a disclosure to a domestic or foreign government agency which has authority under the law;
- the written consent of the data subject has been obtained for the disclosure for such specific occasion; or
- in relation to a lawsuit that is openly disclosed to the public.
Finally, the PDPA stipulates that where the offender is a juristic person and the offence results from the instructions of, or an act by, any director, manager, or person responsible for the acts of the juristic person, or where such a person has a duty to give instructions or to act but omits to do so, with the result that the juristic person commits the offence, that person is also subject to the punishment outlined above.
Administrative liability (Sections 82 to 90)
The PDPA imposes administrative penalties on data controllers and data processors for violations of its provisions, with administrative fines of up to THB 5 million (approx. €136,200). In particular, a data controller that violates Sections 26(1) or (3) (on sensitive data), or Sections 27(1) or (2) (on the use or disclosure of personal data) or Section 28 (on transfers to a foreign country) in relation to sensitive data, or that sends or transfers sensitive data without complying with Sections 29(1) or (3) (on transfers to a foreign country), is liable to an administrative fine not exceeding THB 5 million (approx. €136,200). In addition, a data processor that sends or transfers personal data under Sections 26(1) or (3) (on sensitive data) without complying with Sections 29(1) or (3) (on transfers to a foreign country) is liable to an administrative fine not exceeding THB 5 million (approx. €136,200).
Within the PDPC, the expert committee has the power to impose administrative fines. Where it deems fit, the expert committee may first issue an order for rectification or a warning. In deciding whether to impose an administrative fine, the expert committee should take into account the severity of the circumstances of the offence, the size of the business, and other circumstances according to the rules prescribed by the PDPC. Where there is no officer to execute an administrative order, or where there is such an officer but the order cannot otherwise be executed, the expert committee may file a lawsuit with the Administrative Court of Thailand to request payment of the fine.