PDPA Consent Form and Company Policy

Personal data, as defined in Article 6 of the PDPA, is any data that directly or indirectly identifies a person. This includes a person’s name, address, e-mail address, phone number, identification number, and any other information that identifies them. The PDPA provides additional protection for sensitive personal data, which includes information about:

If the data collected by a business, a website or an employer about someone can be used to identify this person (the data subject), this person is protected under the PDPA. If there is a legal basis, personal data about customers, clients, website users or employees, may be obtained. Legal obligations, public interest, legitimate interest, or consent are all examples of this.

The Thai Personal Data Protection Act 2019 (PDPA) was published in the Royal Gazette of Thailand on May 27, 2019. The PDPA is Thailand’s first data protection legislation. Personal data privacy is a major topic around the world, and it is quickly becoming a priority for Thai politicians. They understand that their organizations’ procedures require thorough preparation and thoughtful improvements. There is no other way to ensure compliance and demonstrate accountability than to handle and preserve personal data.

Thai businesses are fully aware of data privacy risks and requirements, and they have made significant progress in this area. We can see that the foundation has been laid, yet there is still more to be done. Companies must take a comprehensive approach across all key areas and functions, with enough resources and clearly defined duties, in order to be completely prepared for June 2022 and beyond.

All individuals, corporations, and websites that gather personal data from Thai users are subject to the PDPA. However, the law also applies to international enterprises who conduct business with Thai citizens or gather personal data for the purpose of providing products or services to them or monitoring their behavior.

A data controller may continue to use personal data gathered before June 1, 2022, under the PDPA. The data controller, on the other hand, must:

Personal data must be collected, used, and disclosed in accordance with one of the six legal bases stated below. In all other circumstances, the data subject’s consent is required for the collection, use, and dissemination of personal data. The following are the legitimate goals:

1. for the creation of historical or archival materials of public interest, or for research or statistics, provided that suitable safeguards for the data subject’s rights and freedoms are in place, and in accordance with any notification mandated by the Office;

2. to avoid or remove a threat to a person’s life, body, or health;

3. it is required for the fulfilment of a contract to which the data subject is a party, or to act at the data subject’s request prior to entering into a contract;

4. where the data controller’s execution of a duty in the public interest or the exercise of official power vested in the data controller necessitates it;

5. for the data controller’s or any other person’s legitimate interests, unless those interests are overridden by the data subjects’ basic rights with relation to their Personal Data; or

6. where it is required by any law to which the data controller is subject.

The consent requests must now be separated from the other documents and presented in plain English and Thai. This means that consent requests cannot be hidden in small print or bundled with other terms and conditions. If the consent is only written in one language, there is a real risk that it will be challenged by native speakers of other languages as not being requested in accordance with the PDPA. The following criteria must be completed for PDPA consent to be valid:

Before or at the time of collecting personal data, a data controller must provide a privacy notice to the data subject. The notice must include the following information:

A data controller must notify the Office within 72 hours of becoming aware of a data breach affecting personal data. If the breach is considered to pose a high risk to the data subject’s rights and freedoms, the latter must be notified as soon as possible.

A data controller has an obligation to protect Personal Data, which includes:

Unless an exemption is met, when a data controller sends or transfers personal data to a foreign jurisdiction, the destination country that receives the data must have acceptable data protection standards (e.g. consent of the data subject is obtained for the transfer of personal data to a country with inadequate data protection standards, or the transfer is to comply with the law). The sufficient data protection standards guideline has yet to be released.

A violation of the PDPA can result in civil, criminal, and administrative penalties. A data controller who collects, uses, or discloses personal data without the data subject’s consent (where consent is necessary) faces fines of up to THB 5 million (or up to 4% of a company’s total revenue) and criminal penalties of up to one year in prison.

Step 1: Determine if the PDPA applies to your company and its operations. If you are subject to the PDPA, you must take the following steps:

Step 2: Create a flowchart for your data (e.g. what data does the organization collect and how is it collects and how is it used).

Step 3: Allow data subjects to object to the continuous use of their personal data for existing personal data, and only use personal data for the intended purpose. However, if the data controller has not already given a privacy notice to its data subjects containing the relevant information, it must do so by June 1, 2022.

Step 4: Determine the legal basis for future collection, use, or disclosure of personal data to see if data subjects’ consent is required. Your customers, business partners, or any other party from whom you receive personal data will require a privacy notice and, if necessary, a consent request.

Step 5: Follow the PDPA’s other requirements for the data controller.

When it comes to PDPA compliance, we propose that businesses (i.e. data controllers) focus on obtaining consent from their individual consumers as little as possible, because consent is a vulnerable legal basis that can be revoked at any time. Because the PDPA is still new, some people believe that consent is always required, however this is not the case. In truth, data controllers can depend on a number of more long-lasting legal basis, such as contractual need, legitimate interest, and legal responsibilities, which should be used wherever possible.

Furthermore, when preparing a privacy notice to comply with the PDPA’s notification requirements (under section 23 of the Act), businesses must ensure that the notice contains “clear and sufficient information” so that data subjects can understand and reasonably expect the consequences of their personal data being shared.

It should be noted that, unlike other criteria, the idea and rules for personal data belonging to children (minors) deviate from international standards since they have been expressly localized for Thailand to match with the Thai Civil and Commercial Code’s restrictions on minors.

International and local multinationals with subsidiaries in various countries may consider drafting binding corporate standards (or localizing them where appropriate) for cross-border transfers of personal data within their corporate group in light of the PDPA’s cross-border transfer requirements.

The Data Protection Commission will issue additional regulations in the near future to clarify the requirements for 72-hour notice of data breaches and the credentials necessary of the Data Protection Officer (DPO).

Finally, the PDPA contains a grandfathering clause that may allow businesses to continue collecting and using personal data for their original purposes after the PDPA takes effect in 2022. When implementing their compliance plan, companies should pay special attention to these requirements and their implications for existing practices and processes.

The Thai Ministry of Digital Economy and Society (MDES) published a notification in the Government Gazette on July 17, 2020, outlining the Personal Data Protection Act’s minimum security criteria for personal data (PDPA). This MDES notice is valid from July 18, 2020, through May 31, 2022.

The notification’s minimal standards are roughly in line with widely accepted security standards around the world, as stated in the International Standards Organization’s ISO/IEC: 27001 information security standard (ISO). Those who are familiar with ISO/IEC standards, on the other hand, may observe that the MDES notification is less thorough and provides less assistance.

For convenience of reference, comparisons of the essential elements of the MDES notification with the comparable aspects of ISO/IEC: 27001 are provided below.

When using personal data, the security standards defined by the MDES notification require the adoption of administrative, technical, and physical protections for access control. Implementing the measures indicated in the left-hand column below (always in connection to the corresponding ISO/IEC: 27001 measures) is required to achieve these protections.

The standards outlined in the notification are the very minimum that data controllers must follow, and there are no restrictions on standards or actions that go above and beyond the basic criteria (such as ISO/IEC 27001). As a result, many multinational organizations may explore adopting data protection standards that go above the new Thai notification’s criteria in order to harmonize their data protection responsibilities across several jurisdictions and ensure legal compliance. This notification can be enforced by the Minister of MDES.

This extension allows businesses additional leeway in preparing for PDPA compliance. Companies should continue to watch additional regulations that will be published for public hearings prior to adoption throughout the extension period. The government has publicly stated that the supplementary regulations will recognize and follow international data protection standards, similar to the principles recognized in the PDPA itself, which are heavily influenced by international data protection standards particularly the EU’s General Data Protection Regulation (GDPR).