Global Data Privacy Guide

Thailand (Asia Pacific)
Firm: Tilleke & Gibbins
Updated: 01 Mar 2022
What is the key legislation?

Personal Data Protection Act B.E. 2562 (2019)

The main data protection legislation in Thailand is the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), which was enacted and published in the Government Gazette on May 27, 2019. The provisions of the PDPA on the establishment of the Personal Data Protection Commission (“PDPC”) and the Office of the Personal Data Protection Commission (“Office of PDPC”) have been in force since May 28, 2019. The remaining provisions, such as those on the obligations of the data controller, data processor and Data Protection Officer (“DPO”), and on the collection, use and disclosure of personal data (collectively referred to as “processing” or “process”), were initially to come into effect on May 27, 2020; however, due to the Covid-19 pandemic, the effective date was deferred to May 27, 2021 and thereafter to June 1, 2022 (“Effective Date”).

Provisions of the Civil and Commercial Code and provisions of the Penal Code are generally applicable. In addition, some laws/regulatory notifications set out special protections for data in particular sectors and/or particular types of data.

Apart from the above, there are several industry-specific requirements for sectors such as telecommunications, banking/finance, insurance, securities, healthcare, consumer credit, and electronic payment services (collectively, “Specially-Protected Sectors”), all having separate approaches to personal data protection. There is a separate regime applicable to government entities, and there are also some laws/provisions which bind individuals engaging in certain professions/occupations, such as medical practitioners, pharmacists, druggists, midwives, nursing attendants, priests, advocates, lawyers, or auditors, and assistants or trainees in such professions, as well as government officials.

However, both within and outside the Specially-Protected Sectors, people who suffer damage due to unauthorized disclosure of their personal data may claim against the responsible party in tort (under the Civil and Commercial Code); criminal charges (under the Penal Code) may also be possible, depending on the circumstances (e.g. criminal defamation).
What data is protected?

Personal data of a living natural person is protected.

Note: The term “personal data” is defined under the PDPA as any data pertaining to an individual which enables the identification of that individual, whether directly or indirectly, but specifically excluding data of a deceased person.

Within the Specially-Protected Sectors, some of the regulatory notifications specify particular types of data that are protected. For example, regulations under the Telecommunications Business Act protect personal information of telecommunications subscribers (as specified therein), and the Credit Information Business Act protects credit information (as specified therein).
Who is subject to privacy obligations?

Any person who acts as a data controller or data processor is subject to privacy obligations.

Note: The PDPA defines “data controller” as a person or legal entity having authority to make determinations regarding the processing of personal data, and “data processor” as a person or legal entity that processes personal data on behalf of or pursuant to the instructions of the data controller.

The PDPA does provide exemptions from being subject to its provisions – for example, when the processing is for the personal interest or household activity of that person, when the act is carried out by the government agencies responsible for maintaining state stability (including anti-money laundering and cybersecurity), and others.

Within the Specially-Protected Sectors, the parties subject to privacy obligations depend on the provisions of each law/regulatory notification. For example, pursuant to regulations under the Securities and Exchange Act, licensees are obligated to address, as part of the application process, how they will protect personal data. Once approved, this effectively becomes a license condition, so the licensee bears the obligation. Another example is the National Healthcare Act, which provides that all persons are subject to the obligations restricting disclosure.
What are the principles applicable to personal data processing?

The principles applicable to personal data processing under the PDPA include data minimization, purpose limitation, accuracy, storage limitation, and lawfulness, fairness and transparency. These principles are not expressly stated in the PDPA itself; however, they can be implied from its provisions.
How is the processing of personal data regulated?

In general, the PDPA only permits the processing of personal data where a lawful basis can be identified – for example, consent, legitimate interest, contractual obligations, legal obligations, etc.

Note: Within the Specially-Protected Sectors, some regulatory notifications set out requirements in respect of the use and disclosure of personal data. For example, pursuant to regulations under the Telecommunications Business Act, the use and disclosure of personal information is restricted to those purposes set out in the regulatory notification. Similarly, under the Financial Institutions Business Act, information can only be disclosed for specified purposes.
How are storage, security and retention of personal data regulated?

The PDPA does not set out specific regulations for the storage of personal data. However, it does impose requirements on the security and retention of personal data.

Note: The PDPA provides that the data controller must implement adequate personal data protection measures to prevent loss, unauthorized or unlawful access, use, modification, alteration or disclosure of personal data, and must review such measures when necessary or when there is a change in technology. The security measures are to be in compliance with the minimum standards prescribed by the PDPC.

While the PDPA has not yet been fully enforced, the Ministry of Digital Economy and Society has issued a notification setting forth the security measures to be implemented by the data controller, which will be effective until May 31, 2022. Thereafter, data controllers will be required to implement security measures according to the standards to be prescribed by the PDPC.

With regard to the retention of personal data, the PDPA does not impose a specific period for which personal data is to be retained; however, it does impose an obligation on the data controller to implement a monitoring system for the deletion or destruction of personal data (1) at the end of its retention period, (2) when it is no longer necessary or relevant for the purposes for which it has been collected, (3) as requested by the data subjects, or (4) when consent is withdrawn by the data subject.

Within the Specially-Protected Sectors, some laws/regulatory notifications set out requirements in respect of the storage, security, and retention of personal data. For example, regulations under the Computer Crimes Act impose requirements on service providers (as defined therein) in relation to retaining personal data of service users for a certain period. They set out the specific categories of personal data that must be retained and enumerate requirements for how it should be stored. Another example is regulations issued under the Royal Decree on Electronic Payments. As part of the licensing process, an applicant for an electronic payment license must explain how it will protect information of service users, including how such information is stored. Once approved, this becomes a license condition.
What are the data subjects' rights?

The PDPA grants data subjects various rights in regard to their personal data.

Note: These include the right of access, right to data portability, right to object, right to erasure, right to suspension, right to rectification, right to withdraw consent and right to lodge a complaint with the supervisory authority (i.e. the PDPC).

Within the Specially-Protected Sectors, various laws and regulatory notifications set out rights to access and correct personal data. Examples include the Credit Information Business Act and regulations issued under the Telecommunications Business Act, each of which contains provisions for an access/correction mechanism.
Are there restrictions on cross-border data transfers?

Yes, the PDPA imposes restrictions on cross-border transfers of personal data.

Note: Generally, a cross-border transfer is permitted if the destination country or the international organization that receives the personal data has adequate personal data protection standards in place, or if the cross-border transfer falls within any of the permitted activities prescribed by the PDPA – for example, when the data subject has been informed of the inadequacy of the personal data protection standards of the destination country or the international organization and has granted consent to the cross-border transfer, or when an intra-group policy has been implemented for the cross-border transfer of personal data among group companies and has been examined and certified by the Office of PDPC.

As for the Specially-Protected Sectors, such requirements may exist, depending on the sector. For example, the Credit Information Business Act contains restrictions on the transfer of information abroad. Also, regulations issued under the Telecommunications Business Act specify that a further regulatory notification may be issued to impose restrictions on the transfer of information abroad (thus far, no such notification has been issued).
Are there any notification requirements for data breaches?

Yes, there are notification requirements for data breaches under the PDPA.

Note: In such an event, the data controller must notify the Office of the PDPC of the data breach without undue delay and within 72 hours, unless the data breach does not have a risk of affecting the rights and freedoms of the affected data subjects. The data controller must also notify the affected data subjects of the data breach without undue delay if the data breach has a high risk of affecting the rights and freedoms of data subjects.

Data processors are also obligated to notify the data controller of the data breach.
Who is the privacy regulator?

The PDPC is the regulator under the PDPA.

In the Specially-Protected Sectors, the regulators specific to those sectors may have some authority in respect of privacy matters in those sectors.

Note: For example, the Securities and Exchange Commission would have the authority to deal with noncompliance with license conditions that concern privacy. Another example is the Credit Information Protection Committee, which has the authority to deal with noncompliance with privacy obligations under the Credit Information Business Act.
What are the consequences of a privacy breach?

A privacy breach can result in civil liability, criminal liability (including fines and/or imprisonment), and/or administrative action/liability.

Note: Apart from the foregoing, people who suffer damage due to unauthorized disclosure of their personal data may claim against the responsible party in tort; criminal charges may also be possible, depending on the circumstances (e.g. criminal defamation).

Laws/regulations applicable within the Specially-Protected Sectors set out other specific penalties for breach, which may include fines, imprisonment, or administrative action, such as loss of license.
How is electronic marketing regulated?

Generally, privacy matters in the context of electronic marketing are regulated in the same manner as other data privacy matters. However, the Computer Crimes Act and the Telecommunications Business Act are also relevant.

Note: It is important to ensure that the relevant marketing activities do not constitute a breach of the Computer Crimes Act or the Telecommunications Business Act. For example, they must not interfere with the normal operation of the recipient’s computer equipment, and they must not constitute illegal eavesdropping.
Are there any recent developments or expected reforms?

There are multiple pending subordinate regulations to be issued by the PDPC.

Note: These subordinate regulations are intended to clarify and set forth further requirements on the processing of personal data and the obligations of the data controller and data processor. Examples include subordinate regulations on data processing agreements, cross-border transfer of personal data, and responses to a data subject’s request to exercise rights over his/her personal data. In addition, it is likely that a number of regulators in individual sectors have been working on upgrading regulations regarding data protection matters within their regulatory domain, to ensure that these regulations are in line with the PDPA.