Belaws Home ›› Thailand ›› Blog ›› Thailand releases new guidelines for consent and notification requirements under the PDPA
News – PDPA Thailand
PDPA Thailand
Thailand releases new guidelines for consent and notification requirements under the PDPA
26/09/2022
On September 7th, Thailand’s Personal Data Protection Committee (PDPC) released a new set of guidelines for data controllers to follow in relation to obtaining data subjects’ consent and notifying data subjects of required information (i.e., regarding collection, use, or disclosure of their personal data). These guidelines have been designed in order to help data controllers mitigate the risks of violating the Personal Data Protection Act.
In this article we will explore the details contained within this notification.
Key points
- These new guidelines set out and state the requirements which must be satisfied in order for consent to be considered valid.
- The guidelines establish two sets of requirements for the collection and processing of data for the following age groups, between 10 and 20, and under 10.
- The guidelines for notifying data subjects about the collection of their personal data creates the following two key principles of fairness and purpose limitation.
- If a data controller is subject to other specific laws and regulations from other authorities e.g the SEC, that data controller is required to adopt the standard forms prescribed by the governing body.
What are the PDPA consent guidelines?
These new guidelines released by the PDPC for obtaining consent set out the requirements which must be satisfied in order for consent to be considered valid. These requirements include the following:
- stipulations on timing of requests,
- elements that need to be included in requests and,
- the nature of requests.
For example, data controllers must seek and be granted consent before or at the time of obtaining personal data. Furthermore, the data subjects must be informed of both the purpose of keeping the personal data and details of how the data will be handled, among other specific requirements. There must also be a clear act of acceptance by the data subject when giving consent.
When obtaining consent from minors, data controllers are subject to more stringent requirements, such as the implementation of appropriate identification and age-verification measures.
The guidelines establish two sets of requirements, for the following 2 sets of age groups — between 10 and 20, and under 10. For the any data subjects aged between 10 and 20, parental consent is not required for all circumstances. For data subjects aged younger than 10, parental consent is mandatory at all times.
Should a person be deemed to be “incompetent” or “quasi-incompetent”, consent must always be given by the subject’s legal guardian.
What are the PDPA notification guidelines?
The guidelines for notifying data subjects about the collection of their personal data creates the following two key principles of fairness and purpose limitation.
The fairness principle states that when data controllers are notifying a data subject about the use of their data, they must use language and terms that are clear and easy-to-understand. They must also notify the data subject of suitable reasons for, consequences, and other relevant information about data processing prior to or upon collection.
The guidelines also state that the notification must include the legal basis on which the data controller relies on when processing the personal data, and the details of any cross-border transfer of personal data.
The purpose limitation principle states that the notification, or privacy policy, must be clear, specific, and lawful.
The guidelines also provide details about how to format the privacy policy, such as:
- The privacy policy can be written or verbal, and
- Can be delivered via a variety of different means such as; physical, telecommunications, or electronic means.
- The use of a prominent hyperlink directing the data subject to the policy is also acceptable.
When collecting personal data from sources other than the data subjects themselves, a data protection impact assessment must be undertaken. This is especially important when a data subject is not aware or did not give consent, or when data controllers use new technology when processing a large volume of personal data.
What form should the consent requests and privacy policies take?
If a data controller is subject to other specific laws and regulations from authorities such as the Bank of Thailand, Office of the Securities and Exchange Commission, Office of Insurance Commission etc, that data controller is required to adopt the standard forms prescribed by the relevant law to be bound by.
Should there be no prescribed standard form, data controllers can rely on the standard forms recommended by industry associations, as long as they comply with the PDPC guidelines and requirements.
How can Belaws help?
If you need more information about the PDPA and how to ensure full compliance, you can talk directly to one of our experts.
Please note that this article is for information purposes only and does not constitute legal advice.
Our consultations last for a period of up to 1 hour and are conducted by expert Lawyers who are fluent in English, French and Thai.
Consultations can be hosted via WhatsApp or Video Conferencing software for your convenience. A consultation with one of our legal experts is undoubtedly the best way to get all the information you need and answer any questions you may have about your new business or project.
USD 150
Up to 1 hour
Online payment (Paypal or Credit card)
Legal consultation can be conducted in English, French or Thai
Legal consultations are handled by experienced lawyers from the relevant fields of practice
Frequently asked questions
What is Thailand Personal Data Protection Act?
The PDPA is a law that prevents the infringement of a data subjects personal information. The PDPA will be applied to any collection, use or disclosure of personal data obtained by a data controller or data processor within Thailand. However, when a data controller or data processor is located outside of Thailand, the PDPA will still apply if the data subject whose data is collected, used or disclosed is located in Thailand.
Does GDPR apply in Thailand?
The GDPR applies to organisations that have a presence in the EU, notably entities that have an ‘establishment’ in the EU. The GDPR also applies to the processing activities of data controllers and data processors that do not have any presence in the EU, where processing activities are related to the offering of goods, or services to individuals in the EU, or to the monitoring of the behaviour of individuals in the EU.
Which countries have the best data protection?
Denmark, Norway and Canada are considered to have the best Data Protection laws along with the EU.
What is the difference between PDPA and GDPR?
The GDPR states specific rules for the processing of personal data for research purposes, including data minimisation and anonymisation. The PDPA does not include specific rules for the collection, use, and disclosure of personal data for such purposes, but requires that ‘suitable measures are put in place.
What is the difference between PDPA and GDPR?
- The GDPR states specific rules for the processing of personal data for research purposes, including data minimisation and anonymisation.
- The PDPA does not include specific rules for the collection, use, and disclosure of personal data for such purposes, but requires that ‘suitable measures are put in place.
Who does Thai PDPA cover?
The PDPA covers all uses or disclosure of personal data obtained by a data controller or data processor within Thailand. Data controller and processors is located outside of Thailand, the PDPA will still apply.
What is personal data protection?
Personal data protection refers to how both public and private entities receive consent from data subjects. Data protection also covers the correct methods for processing, collecting or disclosing personal data.
Who are exempted from PDPA?
The only exemptions to the PDPA is where the disclosure of the information is in the interest of investigation procedures, proceedings by the courts, or the data subject provided written consent.
Who is subject to PDPA?
The PDPA will be applied to any collection, use or disclosure of personal data obtained by a data controller or data processor within Thailand.
Does PDPA apply to individuals?
The PDPA applies to both individuals and companies alike..
Related articles
Subscribe today
Subscribe today
To our newsletter for all the latest legal news
in South East Asia, Belaws updates and
special promotions on our services.
To our newsletter today for all the latest legal news in South East Asia,
Belaws updates and special promotions on our services.
We are open:
Monday – Friday
9 am – 6 pm (UTC+7)