Contributed By Chandler MHM Limited
The Personal Data Protection Act, BE 2562 (2019) (PDPA) is the primary law regulating the processing of personal data in Thailand. As in other jurisdictions, “personal data” is defined as any data which, by itself or in combination with other data, can be used to identify an individual; data relating to deceased persons is expressly excluded.
The PDPA focuses on the protection of data subjects whose personal data is processed – including by collection, storage, use, disclosure, etc – regardless of the original source of that personal data. Entities that make decisions regarding the collection, use or disclosure of personal data (known as “Personal Data Controllers” or “controllers” under the PDPA) are required to have a lawful basis for any processing and to maintain proper security measures to prevent the loss of, or unauthorised access to, use or disclosure of, personal data. These requirements also apply to service providers that process personal data as instructed by or on behalf of a controller (known as “Personal Data Processors” or “processors” under the PDPA).
The PDPA, which is largely modelled on the General Data Protection Regulation (GDPR) of the European Union (EU), imposes obligations on both the private sector and government (ie, on Personal Data Controllers and Personal Data Processors alike) regardless of the mode of processing (ie, automated or non-automated), and notably follows the GDPR in placing the burden of proof on the operator.
The PDPA itself applies to most activities, with certain exemptions, such as:
For businesses regulated by specific supervisory authorities (such as banks and insurance businesses), the PDPA allows those authorities to issue standard forms or guidelines for their regulated operators to follow. Although the PDPA was enacted five years ago, some points of uncertainty remain owing to the lack of sub-regulations. As a result, the supervisory authority under the PDPA has so far taken a conciliatory approach when dealing with misconduct, rather than pursuing punishment.
On 18 January 2022, the Cabinet officially appointed the Personal Data Protection Commission (PDPC) as a supervising authority under the PDPA, while the PDPA established the Office of the PDPC to support the PDPC in developing and facilitating enforcement. Under the PDPA, the PDPC shall have several duties, such as:
In addition, the PDPC shall appoint expert committees for considering any complaints under the PDPA, as regards investigating any act in connection with personal data, settling disputes, and carrying out any act assigned by the PDPC.
As mentioned in 1.2 Regulators, the expert committee will consider and investigate any complaints on behalf of the PDPC in accordance with the PDPC’s rules. If any complaint does not comply with such rules, the expert committee shall not accept such complaint for consideration.
If the expert committee’s consideration or investigation finds that such complaint can be settled, and if the relevant parties are willing to settle, the expert committee must proceed with the dispute settlement before issuance of any order mandating the operator (either the controller or processor) to perform or rectify their act, or prohibiting the operator from carrying out an act which would cause damage to the data subject.
If the operator then fails to comply with the expert committee’s order, the administrative enforcement procedure applies (including the power to order seizure, attachment and sale by auction as permitted by law). The expert committee’s order is final at the committee level; any party may nevertheless challenge it in accordance with the administrative procedure within 15 days after receiving it.
As a member state of ASEAN, Thailand has implemented the ASEAN Framework on Personal Data Protection (2016) to encourage trust within the ASEAN digital ecosystem. Recently, the PDPC recognised the ASEAN Model Contractual Clauses for Cross-Border Data Flows (MCCs) as an acceptable appropriate safeguard for cross-border transfers, by issuing sub-regulations on cross-border transfers (effective March 2024). In addition to the MCCs, the Standard Contractual Clauses (SCCs) adopted under the GDPR are accepted as an alternative appropriate safeguard, reflecting the strong influence of the GDPR on the PDPA.
There are currently no official non-governmental organisations (NGOs) or self-regulatory organisations (SROs) concerning privacy or data protection in Thailand.
As mentioned in 1.4 Multilateral and Subnational Issues, the PDPA draws significantly on the GDPR and incorporates provisions similar to those found in EU countries. When it comes to enforcement, however, the authority has adopted a conciliatory approach towards all operators, because the PDPA only became fully effective in 2022 and awareness among operators, especially SMEs, remains low.
In the year following the PDPA’s becoming fully effective (ie, June 2022), the PDPC announced around 20 sub-regulations in the Royal Gazette to remove uncertainties for operators, especially regarding the requirements on:
The PDPC has also published three manuals (ie, a manual for SMEs, a manual for data subjects, and a manual on risk assessment and data breach notification) and two guidelines (ie, a guideline on the acceptable consent form and on the details of privacy notice) to raise awareness among the public and to support operators regarding how to comply with the PDPA.
Although around 20 sub-regulations were announced within one year, the application of some of them is still pending further sub-regulations or announcements, such as adequacy decisions and the details of the appropriate safeguards for cross-border transfers (in particular, the certification mechanism).
The PDPC may play a more active role in 2024, as many complaints and requests have been sent to it. The PDPC (by expert committee) is investigating cases and inviting some operators to clarify such complaints or requests. Rulings and further interpretation from the PDPC may be published soon.
Basis of Treatment
The PDPA splits personal data into two types:
Both of these types may be treated under different sets of bases.
Ordinary Data
Like data protection regulations in other countries, the PDPA provides for a set of lawful bases under which treatment of ordinary data can occur, as follows:
Of the above list, the four most important and often-used lawful bases for processing personal data are:
Additional explanations for the first three of these items are as follows.
Consent
Consent must generally be clear and given in written, electronic or other unequivocal form, and different purposes should be presented separately so that data subjects can understand what they are agreeing to. A request for consent must also provide the information data subjects need to decide whether to grant it to the Personal Data Controller (such as the rights of data subjects, contact information, retention period, etc). Note that a request for consent must not be bundled with data that is collected on a contractual performance basis.
Contractual performance/entering into a contract
The key principle is that every item of personal data collected on this basis must be necessary for the performance of, or entering into, the contract. Data that is not needed for that purpose cannot be brought under this basis and must have a lawful basis of its own.
Legitimate interests
The legitimate interests of the controller must always be weighed against the fundamental rights of the data subjects in their personal data. There is no official guideline under the PDPA on how this balancing is to be carried out, or on how far a controller may rely on its own judgement. It is therefore recommended that the circumstances of each intended use of data on this basis be thoroughly considered before an operator proceeds. Any misjudgement means processing without a lawful basis, rendering the operator liable to penalties under the PDPA.
Sensitive Data
Like data protection regulations in other countries, the PDPA provides for a set of bases under which treatment of sensitive data can occur. These bases, although different from bases for ordinary data, have largely been derived from the same fundamentals. The bases are as follows:
Treatment of sensitive personal data by commercial operators will most likely occur via express consent, with that basis being the most common in day-to-day operations.
Rights of Data Subjects
The PDPA provides an extensive list of the rights of data subjects, many of which can be universally invoked, while others can be used only under certain circumstances. The rights are as follows:
The rights outlined above are not always absolute as the controller may have the ability to argue against such requests, depending on specific facts of the case, such as:
Security Measures
The PDPA imposes a blanket requirement on both controllers and processors to handle personal data appropriately, which materially includes well-organised safekeeping of data, secure storage (physical and electronic), automatic deletion of data, etc. Additional details on minimum security measures were set out in a PDPC Notification announced in the first half of 2022. The security measures must (at least):
If a controller engages a processor, the agreement between them must set out proper security measures for preventing the loss of, or unauthorised or unlawful access to, use or disclosure of, personal data, as mentioned above.
Data Protection Officer (DPO)
The PDPA recognises that there may be a need for organisations to have a DPO (or multiple DPOs in the case of high complexity or a large volume of work). On 14 September 2023, the PDPC announced a sub-regulation to provide the criteria for “regular or systematic monitoring of personal data” and “on a large scale” in order to consider the necessity of DPO appointment under Section 41(2) of the PDPA. The criteria are similar to those of the GDPR, but provide some examples which are deemed as automatically large-scale and where a DPO may be needed, such as:
In this regard, the PDPC has issued a DPO notification template and asked operators to (re)submit the form so that it can verify that their DPO does not perform any conflicting tasks and duties.
Sensitive Data
The PDPA does not define “sensitive data”, but provides an exhaustive list of sensitive data, as including:
In this regard, the PDPC may designate further categories of data as sensitive in the future if such data could affect the data subject in the same way as the listed sensitive data. The PDPA further describes biometric data as personal data arising from the use of techniques or technology relating to the physical or behavioural characteristics of a person, which can be used to distinguish that person from others (such as facial recognition data, iris recognition data or fingerprint recognition data).
In general, collecting sensitive data without the explicit consent of the data subject is prohibited, except in the cases mentioned in 2.1 Omnibus Laws and General Requirements. The PDPA does not impose specific requirements for each type of sensitive data, except for criminal records. A PDPC sub-regulation provides that a criminal record is a record relating to a criminal offence or criminal penalty which is officially collected or certified by a government agency, regardless of the status of the case. The collection of criminal records is limited to cases:
Minors’ Data
The PDPA stipulates that where a data subject is a minor, ie, has neither reached the legal age of 20 years nor become sui juris through marriage, and does not have the status of a person of legal age under Section 27 of the Civil and Commercial Code (under which a minor is treated as sui juris in matters relating to commercial transactions, other business or employment to which the guardian has given consent), a request for consent from that data subject must comply with the following rules.
The above provisions shall apply mutatis mutandis to:
Generally, online marketing may be based on legitimate interest or consent of the data subject. Behavioural and targeted advertising is regarded as too intrusive for data subjects, and consent under the PDPA is required.
In addition to the PDPA, online marketing may fall within the Computer-Related Crime Act BE 2550 (2007) as computer data or electronic mail. Where an operator sends computer data or electronic mail (such as email, SMS or comments) to another person in a manner that disturbs that person, the operator must give that person an easy way to cancel or to decline further receipt (ie, an opt-out option). Otherwise, the operator is liable to a fine not exceeding THB2 million. Once a person has opted out, the operator must stop sending such marketing messages promptly, and in any event within seven days.
There are no specific regulations concerning workplace privacy in Thailand. Only general PDPA provisions are applicable to this area.
As described in 1.3 Administration and Enforcement Process, the PDPA provides the expert committee with an enforcement power to issue an administrative order for addressing any misconduct under the PDPA. However, most cases have been discharged or have ceased at the expert committee stage. In addition to the powers of the expert committee, the PDPA contains three types of liabilities:
For criminal liability, the authority may bring a criminal case against a commercial operator that has breached the PDPA. Using or disclosing sensitive data without consent in a way that causes damage to the data subject carries a penalty of imprisonment of up to six months or a fine of up to THB500,000, or both. Where the use or disclosure is undertaken for the undue benefit of the operator, the maximum imprisonment term and fine are doubled. The director or manager responsible for the juristic person may be subject to the same penalties as the juristic person.
A PDPC Notification on Administrative Penalties relates to the enforcement of administrative penalties, and sets out the criteria for how administrative penalties (as determined by the expert committee) are used. The expert committee will consider and apply administrative penalties to a controller or processor based on the level of seriousness of such offence. Offences are separated into two groups: serious and non-serious offences. Under the Notification on Administrative Penalties, the expert committee is empowered to levy administrative penalties as follows.
Serious Offences
The expert committee can impose administrative fines on a controller and/or processor. In addition, administrative fines can be imposed on offenders who fail to comply with an order from the expert committee to remedy a violation. Such orders include remedying, stopping, suspending or seizing related processing activities.
Non-serious Offences
The expert committee may issue orders to remedy, stop, suspend or seize related processing activities, or it may carry out any other acts to stop/minimise the damage within a specific time.
For civil liability, a data subject who has suffered damage may bring a civil suit against the controller and/or processor responsible. The PDPA expressly allows the court to award punitive damages, which are otherwise rare in Thailand, of up to two times the actual damages where the court considers the breach severe. As this civil liability is based on tort law and privacy cases often involve more than one affected data subject, class actions are available for privacy cases.
Evidence acquired in contravention of the rights of the parties or of the stipulations in the Criminal Procedure Code will not be admissible. The authority is mandated to act in accordance with procedures prescribed by law. Generally, prior approval from a court judge is mandatory for any compulsory search or seizure. Note that the PDPA does not apply to activities conducted in line with criminal justice procedures.
Generally, the laws empowering government authorities to access personal data will provide a clear scope and application for such surveillance and/or access – eg, to protect national security or to acquire documents and/or information relating to the commission of an offence. In addition, the legislation generally requires that there must be an element of “necessity” for said interference.
The term “national security” is broadly interpreted, and in practice interference with the right to privacy is commonly permitted on the grounds of national security and public interest. In many circumstances, national security may be invoked to serve political purposes against opponents, which erodes legal certainty. However, court approval must be obtained, except in an emergency.
In this regard, the PDPA provides exemptions for controllers from compliance with the PDPA when the controllers receive a request for personal data from certain government agencies, such as:
Although these controllers are exempted from compliance with the PDPA, they are still required to ensure the safety of personal data by implementing the appropriate security measures required by the PDPA.
There is no specific lawful basis permitting organisations in Thailand to collect and transfer personal data for the purpose of a foreign government access request. However, a controller is exempted from compliance with the PDPA for the collection of personal data in operations related to:
Note that Thailand does not participate in a CLOUD Act agreement with the USA.
The fundamental privacy concern revolves around the inclusion of unnecessary information in official documents. While the PDPA promotes data minimisation and discourages the collection of sensitive data unless absolutely essential, certain official documents (particularly identification cards and government official identification cards) still include sensitive information such as religious affiliation and blood type (without a clear specific purpose). This poses a challenge for operators who are required to collect such documents, necessitating the redaction of superfluous information.
The PDPA does not provide for the concept of absolute restriction for any type of transfer of personal data outside the jurisdiction of Thailand. Instead, controllers, as the transferors, may be subject to several obligations and/or must ensure that the transferee meets the qualifications as prescribed under the PDPA.
In general, when personal data is transferred outside Thailand, the destination country should have adequate personal data protection standards. The list of countries deemed to have adequate standards is to be prescribed by the PDPC but has not yet been issued. Two key criteria for determining whether a country is deemed adequate are as follows:
In any event, even upon the prescription of such list, several exemptions exist where the controller may transfer the personal data to countries outside such list (eg, regarding compliance with the law, obtaining consent from the data subject, the execution of a contract to which the data subject is one of the parties, etc).
Another exemption to the limitation of personal data transfer to only those countries included in such list applies when the following qualifications are fulfilled:
While no adequacy list has been prescribed, or where binding corporate rules (BCR) have not been approved by the PDPC office, the PDPA requires the transferor to put in place appropriate safeguards that secure the rights of the data subject and provide effective legal remedies, namely appropriate standard contractual clauses for cross-border transfers (SCCs) and certification. Under the PDPC’s notification, SCCs based on the ASEAN Model Contractual Clauses for Cross-Border Data Flows, as well as the GDPR SCCs, are acceptable.
Please see 4.1 Restrictions on International Data Issues.
Cross-border transfer does not require government notification or approval.
In certain cases, operators have to retain documents on their premises, such as accounting documents and a VAT certificate. However, an operator can duplicate and transfer such data internationally (see 4.1 Restrictions on International Data Issues for more detail).
No software code, algorithms, encryption or other technical details are required to be shared with the Thai government.
An organisation collecting or transferring data in connection with foreign government data requests, foreign litigation proceedings (eg, civil discovery) or internal investigations is not exempted from the cross-border requirements mentioned in 4.1 Restrictions on International Data Issues.
There are no blocking statutes under Thai privacy laws.
Even though Thai society has seen the introduction of various new technologies (such as big data analytics, automated decision-making, profiling, AI and IoT), many of these emerging technologies lack specific legal frameworks and regulations. Consequently, addressing digital and technology issues often involves navigating through several general laws, including those related to data protection (such as the PDPA), consumer protection and trade competition.
Presently, authorities are making efforts to introduce new laws specifically governing AI and digital platforms. The aim is to consolidate necessary requirements into one or a few regulations, thereby alleviating the operational burden on stakeholders in these fields.
The Electronic Transactions Development Agency (ETDA) was established with the mission of promoting and advancing Thailand’s economy and society towards a digital economy and society. The goal is to create an environment where all sectors can confidently and securely conduct reliable transactions online. To achieve this objective, ETDA has issued various standards and recommendations for the implementation of digital technologies in both public and private sector operations. These guidelines aim to enhance the efficiency, security and safety of online transactions across diverse industries.
As described in 1.3 Administration and Enforcement Process and 2.5 Enforcement and Litigation, enforcement or litigation in privacy or data protection cases is not notably prominent, as the supervisory authority tends to adopt a compromising approach in addressing any misconduct.
While the PDPA does not specifically mandate a due diligence process, it is crucial to emphasise that due diligence must be given to privacy issues during corporate transactions. Buyers are obligated to gather comprehensive information in order to identify any gaps or risks associated with the target’s operations. It is noteworthy that, in this context, privacy concerns should be taken into account, given that targets may only disclose essential information. The following privacy issues are usually encountered when conducting due diligence.
Notice to Relevant Data Subjects
The PDPA requires that data subjects be informed of the processing of their data, whereas due diligence is often conducted confidentially to mitigate operational risks. Some operators therefore address business acquisitions or transfers in their privacy notices. The PDPA also provides exemptions for the indirect collection of personal data, which can remove the need for a further notice to data subjects.
Sharing Personal Data to Several Stakeholders
A corporate transaction may involve several advisers/service providers on both the seller and buyer sides, some of whom may be processors. In that case, a data-processing agreement should be executed between the controller and the processor. The seller must also ensure the security of personal data uploaded to the data room by implementing adequate security measures, especially access controls.
Data Minimisation
Although the buyer will want as much information as possible, the seller must share only the data necessary for the due diligence. Information that does not need to be noted or addressed at the due diligence stage can therefore be redacted.
There are no laws specifically pertaining to privacy or data protection that mandate the disclosure of an organisation’s cybersecurity risk profile or experience. However, an occurrence deemed as essential for making investment decisions may be considered a material event triggering the obligation for listed companies to inform all investors. Additionally, certain specific industries, such as financial enterprises, have additional disclosure requirements as part of their risk-management practices.
It is important to note that the Cybersecurity Act of Thailand, BE 2562 (2019) mandates the National Cyber Security Agency to publicly warn of any serious cyber threats. These are defined as threats that significantly increase attacks on computer systems, computer data or computers with the intention of targeting critical infrastructure, with impacts extending to the functionality or service outage of computer systems or critical information infrastructure relevant to the provision of critical infrastructure services in the areas of:
As described in 5.1 Addressing Current Issues in Law, the authorities are making efforts to streamline regulations to facilitate business operators. Furthermore, Thailand is contemplating the introduction of new laws aligned with international standards, similar to the PDPA, to enhance the recognition of Thai business operators on the global stage. A noteworthy example is the draft digital economy law, inspired by the Digital Markets Act and the Digital Services Act of the EU.
As the PDPA has only recently become fully effective and awareness among operators remains relatively low, the effectiveness of enforcement may also be constrained by the limited number of personnel in the PDPC office. This limitation may be one reason the PDPC has adopted a conciliatory approach in handling current privacy cases.
However, there has been a positive development, as the PDPC office has bolstered its team by recruiting additional authorities in 2023. This expansion is expected to pave the way for a more proactive approach in the near future.
17th and 36th Floors
Sathorn Square Office Tower
98 North Sathorn Road
Silom
Bangrak
Bangkok 10500
Thailand
+66 2 009 5000
+66 2 009 5080
bd@mhm-global.com
www.chandlermhm.com