News – PDPA Thailand
PDPA Thailand
Thailand releases new guidelines for consent and notification requirements under the PDPA
26/09/2022
On September 7th, Thailand’s Personal Data Protection Committee (PDPC) released a new set of guidelines for data controllers to follow in relation to obtaining data subjects’ consent and notifying data subjects of required information (i.e., regarding collection, use, or disclosure of their personal data). These guidelines have been designed in order to help data controllers mitigate the risks of violating the Personal Data Protection Act.
In this article we will explore the details contained within this notification.
Points clés
- These new guidelines set out and state the requirements which must be satisfied in order for consent to be considered valid.
- The guidelines establish two sets of requirements for the collection and processing of data for the following age groups, between 10 and 20, and under 10.
- The guidelines for notifying data subjects about the collection of their personal data creates the following two key principles of fairness and purpose limitation.
- If a data controller is subject to other specific laws and regulations from other authorities e.g the SEC, that data controller is required to adopt the standard forms prescribed by the governing body.
What are the PDPA consent guidelines?
These new guidelines released by the PDPC for obtaining consent set out the requirements which must be satisfied in order for consent to be considered valid. These requirements include the following:
- stipulations on timing of requests,
- elements that need to be included in requests and,
- the nature of requests.
For example, data controllers must seek and be granted consent before or at the time of obtaining personal data. Furthermore, the data subjects must be informed of both the purpose of keeping the personal data and details of how the data will be handled, among other specific requirements. There must also be a clear act of acceptance by the data subject when giving consent.
When obtaining consent from minors, data controllers are subject to more stringent requirements, such as the implementation of appropriate identification and age-verification measures.
The guidelines establish two sets of requirements, for the following 2 sets of age groups — between 10 and 20, and under 10. For the any data subjects aged between 10 and 20, parental consent is not required for all circumstances. For data subjects aged younger than 10, parental consent is mandatory at all times.
Should a person be deemed to be “incompetent” or “quasi-incompetent”, consent must always be given by the subject’s legal guardian.
What are the PDPA notification guidelines?
The guidelines for notifying data subjects about the collection of their personal data creates the following two key principles of fairness and purpose limitation.
The fairness principle states that when data controllers are notifying a data subject about the use of their data, they must use language and terms that are clear and easy-to-understand. They must also notify the data subject of suitable reasons for, consequences, and other relevant information about data processing prior to or upon collection.
The guidelines also state that the notification must include the legal basis on which the data controller relies on when processing the personal data, and the details of any cross-border transfer of personal data.
The purpose limitation principle states that the notification, or privacy policy, must be clear, specific, and lawful.
The guidelines also provide details about how to format the privacy policy, such as:
- The privacy policy can be written or verbal, and
- Can be delivered via a variety of different means such as; physical, telecommunications, or electronic means.
- The use of a prominent hyperlink directing the data subject to the policy is also acceptable.
When collecting personal data from sources other than the data subjects themselves, a data protection impact assessment must be undertaken. This is especially important when a data subject is not aware or did not give consent, or when data controllers use new technology when processing a large volume of personal data.
What form should the consent requests and privacy policies take?
If a data controller is subject to other specific laws and regulations from authorities such as the Bank of Thailand, Office of the Securities and Exchange Commission, Office of Insurance Commission etc, that data controller is required to adopt the standard forms prescribed by the relevant law to be bound by.
Should there be no prescribed standard form, data controllers can rely on the standard forms recommended by industry associations, as long as they comply with the PDPC guidelines and requirements.
Comment Belaws peut-il vous aider ?
If you need more information about the PDPA and how to ensure full compliance, you can talk directly to one of our experts.
Veuillez noter que cet article est fourni à titre d'information seulement et ne constitue pas un avis juridique.
Nos consultations durent jusqu'à une heure et sont menées par des juristes experts qui parlent couramment l'anglais, le français et le thaï.
Les consultations peuvent être organisées sur WhatsApp ou sur le Logiciel de Vidéoconférence de votre convenance. Une consultation avec l’un de nos experts juridiques est sans aucun doute le meilleur moyen d’obtenir toutes les informations dont vous avez besoin et de répondre à toutes les questions que vous pourriez avoir sur votre nouvelle entreprise ou votre projet.
150 USD
Jusqu'à 1 heure
Paiement en ligne (Paypal ou carte bancaire)
Les consultations juridiques peuvent être menées en anglais, en français ou en thaï.
Les consultations juridiques sont assurées par des des avocats expérimentés dans les domaines concernés.
Questions fréquemment posées
What is Thailand Personal Data Protection Act?
The PDPA is a law that prevents the infringement of a data subjects personal information. The PDPA will be applied to any collection, use or disclosure of personal data obtained by a data controller or data processor within Thailand. However, when a data controller or data processor is located outside of Thailand, the PDPA will still apply if the data subject whose data is collected, used or disclosed is located in Thailand.
Does GDPR apply in Thailand?
The GDPR applies to organisations that have a presence in the EU, notably entities that have an ‘establishment’ in the EU. The GDPR also applies to the processing activities of data controllers and data processors that do not have any presence in the EU, where processing activities are related to the offering of goods, or services to individuals in the EU, or to the monitoring of the behaviour of individuals in the EU.
Which countries have the best data protection?
Denmark, Norway and Canada are considered to have the best Data Protection laws along with the EU.
What is the difference between PDPA and GDPR?
The GDPR states specific rules for the processing of personal data for research purposes, including data minimisation and anonymisation. The PDPA does not include specific rules for the collection, use, and disclosure of personal data for such purposes, but requires that ‘suitable measures are put in place.
What is the difference between PDPA and GDPR?
- The GDPR states specific rules for the processing of personal data for research purposes, including data minimisation and anonymisation.
- The PDPA does not include specific rules for the collection, use, and disclosure of personal data for such purposes, but requires that ‘suitable measures are put in place.
Who does Thai PDPA cover?
The PDPA covers all uses or disclosure of personal data obtained by a data controller or data processor within Thailand. Data controller and processors is located outside of Thailand, the PDPA will still apply.
What is personal data protection?
Personal data protection refers to how both public and private entities receive consent from data subjects. Data protection also covers the correct methods for processing, collecting or disclosing personal data.
Who are exempted from PDPA?
The only exemptions to the PDPA is where the disclosure of the information is in the interest of investigation procedures, proceedings by the courts, or the data subject provided written consent.
Who is subject to PDPA?
The PDPA will be applied to any collection, use or disclosure of personal data obtained by a data controller or data processor within Thailand.
Does PDPA apply to individuals?
The PDPA applies to both individuals and companies alike..
Articles connexes
What are the taxes on Cryptocurrency in Thailand and do I need to pay tax?
Thailand is currently experiencing a Blockchain boom, with exchanges and Fraction all being granted a Digital Assets Exchange License from Thailand’s Ministry of Finance.
Quel est le coût d'enregistrement d'une société en Thaïlande en 2024 ?
Tout ce que vous devez savoir sur le coût de création et d'enregistrement d'une société en Thaïlande.
Raising funds in Thailand with a SAFE
As an entrepreneur seeking funding in Thailand, there are a variety of term sheet options available, including the SAFE (Simple Agreement for Future Equity).
Abonnez-vous aujourd'hui
Abonnez-vous aujourd'hui
À notre newsletter pour les dernières actualités juridiques
en Asie du Sud-Est, les mises à jour de Belaws et
les offres spéciales sur nos services.
To our newsletter today for all the latest legal news in South East Asia,
Belaws updates and special promotions on our services.
Belaws 2017 - 2024.
Belaws ne fournit que des informations et une plateforme technologique. Belaws n'est pas un "service de mise en relation avec des avocats" et ne fournit pas de services juridiques ni ne participe à aucune représentation juridique.
Belaws n'est pas un cabinet d'avocats ou un substitut à un avocat ou un cabinet d'avocats.
