Tilleke and Gibbins International Ltd.

 

What law(s) specifically govern personal data / information?

The primary legislation governing personal data protection in Thailand is the Personal Data Protection Act, B.E. 2562 (A.D. 2019) (“PDPA”), which came into full effect on 1 June 2022. The PDPA contains the main principles and provisions on personal data protection. The Personal Data Protection Committee (“PDPC”), which is tasked with enforcing the PDPA, will issue a number of sub-regulations to provide further clarification of the PDPA’s principles and requirements.

What are the key data protection principles in this jurisdiction?

The PDPA mainly prescribes requirements in relation to the collection, use, and disclosure (“processing”) of personal data, including the cross-border transfer of personal data and the security standards that the data controller and the data processor must have in place. The key principles include the following:

  • Personal data under the PDPA refers to any information pertaining to a person which enables the identification of that person, whether directly or indirectly, but excluding information about deceased persons.
  • The collection of personal data must be limited to the extent necessary in relation to the lawful purpose of the data controller.
  • The processing of personal data must rely on one of the lawful bases prescribed in the PDPA, such as consent, contractual obligation, or legitimate interest.
  • The processing of certain categories of personal data, i.e. sensitive personal data, which includes health data and criminal records, is subject to more stringent requirements.
  • When transferring personal data to a foreign country, the destination country must have adequate personal data protection standards.
  • The data controller and the data processor must provide appropriate security measures in relation to the processing of personal data.

What is the supervisory authority / regulator in charge of data protection?

The Personal Data Protection Committee (“PDPC”).

Is there a requirement to register with a supervisory authority / regulator?

Currently, there is no requirement that the data controller or the data processor register itself with the PDPC.

The PDPA does, however, require that the PDPC be notified of the appointment of a data protection officer (“DPO”). The detailed requirements, procedures and timeline for this notification are still to be issued by the PDPC, i.e. the notification obligation is pending sub-regulations on DPO requirements.

In addition, the local representative of an overseas data controller/processor to which the PDPA applies is expected to be required to notify the PDPC, according to the relevant draft sub-regulation issued for public hearing earlier this year.

Is there a requirement to notify the supervisory authority / regulator?

Yes, data controllers must notify the Office of the PDPC of a data breach which may affect the rights and freedoms of individuals. The details of what constitutes a data breach, as well as the notification requirements, are to be set by the sub-regulation on data breaches.

Is it possible to register with / notify the supervisory authority / regulator online?

We understand that the PDPC also aims to allow online registration/notification. However, this is still pending further clarification from the PDPC.

What are the key data subject rights under the data protection laws of this jurisdiction?

Under the PDPA, data subjects have the following rights in relation to their personal data:

  • Right to withdraw consent;
  • Right to access;
  • Right to rectification;
  • Right to suspend the use of their personal data;
  • Right to object to the use of their personal data;
  • Right to erasure;
  • Right to portability; and
  • Right to lodge complaints.

Is there a requirement to appoint a data protection officer (or equivalent)?

Yes, the data controller/data processor must appoint a DPO if:

  • The data controller/data processor is a public authority as prescribed and announced by the PDPC;
  • The activities of the data controller/data processor in respect of the processing of personal data require regular monitoring of the personal data or the relevant system because they involve a large quantity of personal data, as prescribed and announced by the PDPC; or
  • The core activities of the data controller/data processor involve the processing of sensitive personal data under the PDPA.

Do data protection / privacy impact assessments need to be carried out in certain circumstances?

Currently no; the PDPA does not prescribe any specific requirements in relation to data impact assessments.

However, according to the relevant PDPC guidelines, when collecting personal data from other sources, the data controller ‘should’ conduct a data impact assessment.

Does this jurisdiction have any specific data breach notification requirements?

Yes, the PDPA requires the data controller to notify the Office of the PDPC and/or the data subject of a data breach.

The data controller is required to notify the Office of the PDPC of any personal data breach without delay and, where feasible, within 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. If the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the data controller must also notify the data subject of the personal data breach and the remedial measures without delay.

The notification, and any exemption from the notification, must be made in accordance with the rules and procedures set forth by the PDPC.

Note that the PDPC has currently opened a public hearing on a draft notification regarding data breaches, to provide further clarification of the PDPA’s data breach notification requirements.

What restrictions apply to the international transfer of personal data / information?

The PDPA requires that, when transferring personal data to an organisation in a foreign country, the destination country or international organisation receiving the personal data must have adequate personal data protection standards, and that the transfer be performed in accordance with the requirements prescribed by the PDPC, except in certain circumstances, for example:

  • where the law so prescribes;
  • where the consent of the data subject is obtained after the data subject has been informed of the insufficient personal data protection standards of the relevant destination country; or
  • where it is necessary to comply with the contract in respect of which the data subject is a contracting party.

For overseas transfers within a group of affiliates, the PDPA provides more relaxed restrictions: the general cross-border transfer requirements/restrictions may be exempted if the data controller has an internal data protection policy on sending or transferring personal data overseas to the data controller’s affiliates (within the same affiliated business, in order to jointly operate the undertaking or business), i.e. Binding Corporate Rules, which has been reviewed and certified by the PDPC.

Where there are no Binding Corporate Rules, the exemption from the cross-border transfer requirements may still apply if the data controller/data processor provides appropriate security measures that ensure the enforceability of the data subject’s rights under the PDPA, including the remedial actions available under the law, in accordance with the supplementary rules and methods to be further prescribed by the PDPC.

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes, the PDPA adopts the extra-territorial principle from the GDPR.

According to the PDPA, a data controller or data processor located outside Thailand will be subject to the PDPA if it processes the personal data of data subjects in Thailand and the processing activities are as follows:

  • The offering of goods or services to the data subjects who are in Thailand, irrespective of whether the payment is made by the data subject; or
  • The monitoring of the data subject’s behaviour, where the behaviour takes place in Thailand.

 

What rules specifically deal with marketing?

In Thailand, there is no unified legislation governing marketing activities. When conducting marketing, the business operator must therefore comply with whichever regulations apply to the case.

The legislation generally relevant to marketing includes, for example: (i) the PDPA; (ii) the Computer Crimes Act; and (iii) sector-specific laws (e.g. insurance, banking, securities).

Do different rules apply to business-to-business and business-to-consumer marketing?

As described above, the law applicable to marketing depends on the characteristics of the marketing activities in question.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc.)?

The Computer Crimes Act prescribes prohibitions in relation to unsolicited computer data, which includes emails and SMS.

Sending computer data or an electronic mail to another person while hiding or faking its source, in a manner that interferes with that person’s normal use of the computer system, is subject to a fine not exceeding THB 100,000. Furthermore, the Computer Crimes Act also prohibits sending computer data without an opt-out/unsubscribe function.

What rules specifically deal with cookies?

No, Thai law, including the PDPA, does not prescribe any specific requirements in relation to the use of cookies. Therefore, if cookies are considered personal data, the general rules under the PDPA will apply to their processing.

What are the consequences of non-compliance with data protection laws (including marketing laws)?

Under the PDPA, a data controller or data processor which fails to comply with the requirements prescribed therein may be subject to:

  • Civil liability, in which the court will order that actual damages be compensated to the injured data subjects and, at its discretion, may impose punitive damages not exceeding twice the amount of the actual damages.
  • Administrative fines, with maximum amounts ranging from THB 1,000,000 to THB 5,000,000.
  • Criminal penalties, which include imprisonment for a period not exceeding 1 year and fines not exceeding THB 1,000,000.

Under the Computer Crimes Act, a person who violates the prohibitions prescribed therein is subject to criminal penalties, both imprisonment and fines, depending on the criminal offence committed.

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

It is recommended that, when a business operator wishes to process the personal data of individuals in Thailand, it should first review the extra-territorial requirements/criteria under the PDPA and assess whether it will be subject to the PDPA. If the business operator falls under the PDPA, it will need to comply with a number of obligations prescribed in the PDPA, including appointing a local representative and/or a DPO, requesting consent, and implementing security measures in accordance with the standards set by the PDPC.

Besides the PDPA, when conducting direct marketing via email, SMS or other electronic means, the business operator must comply with the rules on unsolicited emails/SMS prescribed in the Computer Crimes Act, which also contains an extra-territorial provision.

What upcoming data protection developments should multinational organisations be aware of?

As mentioned, the PDPA still needs further clarification and guidelines from the PDPC. We expect that a number of sub-regulations and guidelines will be issued by the PDPC in the coming 12 months.

Nop Chitranukroh
Tilleke and Gibbins International Ltd.
Thailand


Gvavalin Mahakunkitchareon
Tilleke and Gibbins International Ltd.
Thailand


Pemika Pongmekin
Tilleke and Gibbins International Ltd.
Thailand