Current Practice of PDPA in Thailand

SRPP Publication l 15 November 2022

After a postponement of an enforcement for approximately 2 years due to the unexpected outbreak of Covid-19, finally, the Personal Data Protect Act B.E. 2562 (A.D. 2019) (“PDPA”) of Thailand finally come into force on 1 June 2022. Once the PDPA comes into force, it is expected that it will change practices of business operators who are doing business in Thailand with respect to their collection, retention, and disclosure of the personal data of individuals in Thailand. Although PDPA contains general concepts of the personal data protection in the body of the Act; many additional details—such as qualification of the data protection officer (“DPO”), list of the recipient overseas country which considered as having security measures for personal data protection equivalent to Thailand, form of the data processing agreement etc. —still requires to be further issued by the Personal Data Protection Committee (“PDPC”) as a sub-regulations/implementation notification under the PDPA.

As of this date, the PDPC has not yet completely issued sub-regulation or notification to set specific rules on such issues. However, since the PDPA had been drafted by having the General Data Protection Regulation (“GDPR”) of the European Union as its model, many advisors, to ensure that proper actions towards the personal data protection would be implemented, would advise their clients to adopt and apply the available models of personal data protection recommended by the GDPR in the issues that are still requires additional recommendation from the PDPC in a meantime and may later change if the PDPC issues the sub-regulations/notification governing such specific issues in the future.

Addressing below are issues which their general concepts are adopted under the PDPA, but some additional details would be required the issuance of the sub-regulations/notification from the PDPC.

The PDPA does not require that every and all data controller/ processor appoint the DPO. Only the data controller/ processor who (i) engages in any activities which require regular monitoring of the personal data, (ii) implements the system which processes a large amount of personal data as prescribed and announced by the PDPC, or (iii)conducts the core activity of the processing of the sensitive personal data under Section 26 of the PDPA, is required to appoint/designate the DPO (Section 41 of the PDPA).

However, as at the date of this article, the PDPC has not yet issued the relevant announcement. It is therefore still unclear and lack of precedent to determine what are the activities which required the regular monitoring of the personal data or to what extent it would be consider as the large amount of personal data processing by the data controller/processor. Despite the lack of this clear precedent setting out by the PDPC, it is recommended that the business operator who offers membership program or collects the customers’ personal data on the regular basis, such as a hospital, hotel, airlines, supermarket or department store etc., is likely to be required to appoint the DPO to oversee the personal data activities of the company.

If the data controller/ processor is required to appoint the DPO under the PDPA but fails to do so, the data controller/ processor will be liable with an administrative penalty by way of a fine not exceeding THB 1,000,000.

The DPO may be an employee of the data controller, or an outsourced service provider, provided that in a case where the DPO is the employee of the data controller, the data controller should be able to confirm to the Office of the PDPC that his/her duties and responsibility are not in conflict with the designated duties as the DPO. Furthermore, the data controller will be prohibited from terminating the DPO for a reason that he/she properly performed his/her duties as the DPO.

The PDPA sets out the duties of the DPO in matters relating to the protection of personal data which comprise of:

1. Giving advice to the data controller, including the employees or service providers of the data controller with respect to compliance with the PDPA;

2. Investigating the performance of the data controller, including the employees or service providers of the data controller, with respect to the collection, use or disclosure of the personal data for compliance with the PDPA;

3. Coordinating and cooperating with the Office of the PDPC in the circumstance where there are problems with respect to the collection, use, or disclosure of the personal data undertaken by the data controller, including the employees or service providers of the data controller, with respect to compliance with the PDPA;

4. Keeping confidential the personal data known or acquired in the course of his/her performance of the duties as the DPO.

The PDPA does not specify the specific qualifications of the DPO, but provides that the PDPC may later issue the sub-regulation/ notification about the DPO qualification.

General Data Protection Regulation (“GDPR”) which is the model law of the PDPA requires that the data controller must carry out the data protection impact assessment (“DPIA”) prior to the processing of personal data to minimise risks associated with such processing. A conduct of DPIA will help the data controller or data processor to foresee and prepare necessary measures to mitigate risks and impacts associated with the processing of personal data. Therefore, the DPIA should be conducted before starting any project which requires a processing of personal data that is likely to result in a high-risk to the data subjects.

Unlike the GDPR, the current PDPA does not have a clear guideline on how to conduct the DPIA before a processing of personal data that may result in the high risks to the data subjects.

However, the data controller who obtains the license from Bank of Thailand (“BOT”) is required by the BOT to carry out the DPIA before starting the processing of personal data under the Personal Data Protection Guidelines issued by the Bank Association of Thailand (“BAT’s PDPA Guideline”). The BAT’s PDPA Guideline adopts the general principles and recommendations regarding the GDPR’s DPIA for its licensees to comply with which includes:

Setting out processing activities which the data controller is required to conduct the DPIA as follows:

(A) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(B) processing on a large scale of sensitive personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, or of personal data relating to criminal convictions and offences; or

(C) a systematic monitoring of a publicly accessible area on a large scale.

Additionally, the BAT’s PDPA Guideline also adopts the checklist for the Personal Data Processing Activities and the data controller needs to carry out the DPIA (before processing of personal data) if it is appeared that the processing activities includes at least two conditions of the following list as suggested by the GDPR:

1. Evaluation or scoring

2. Automated decision-making with legal or similar significant effect

3. Systematic monitoring

4. Sensitive data or data of a highly personal nature

5. Data processed on a large scale

6. Matching or combining datasets

7. Data concerning vulnerable data subjects

8. Innovative use or applying new technological or organizational solutions

9. Data transfer across borders

10. Preventing data subjects from exercising a right or using a service or contract

Furthermore, the BAT’s PDPA Guideline also suggests the template for recording the DPIA which requires the data controller to record the following issues:

(a) Details about the processing activities, including the list of personal data which will be processed and the objectives and reasons for such processing;

(b) Reason for conducting the DPIA for the processing activities in (a);

(c) Nature, scope, context and purpose of the data processing activities;

(d) Legal basis for the data processing activities, other measures or methods which the data controller may take instead of adopting the processing activities in (a); and

(e) Risks and effects that may occur and affect the data subjects from the processing activities in (a).

The PDPA sets out the duty of the data controller that in the case of a personal data breach, it must notify the Office of the PDPC and the data subject within 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedom of such person.

As of this date, the rules and methods of notifying the personal data breach incident to the Office of PDPC have not yet been issued by the PDPC. Therefore, the data controller may use the methods as it deems appropriate to inform the Office of PDPC and the data subject, provided that in a case where the incident resulted in a high risk to the rights and freedom of the data subject, the data controller must inform the details of the personal data breach incident and propose measures to rectify and indemnify such breach as well.

If the data controller fails to comply with the above requirement, the data controller will be liable with an administrative penalty by way of a fine not exceeding THB 3,000,000.

-----------------------------------------------------------------------------------------------------------------------------------------

Author: Panuwat Chalongkuamdee (Founding Partner) and Chositar Daecharux (Counsel)

You may view Panuwat's profile here.

You may view Chositar's profile here.