Thailand – New Data Protection Law
by Panisa Suwanmatajarn and Jin Sukme
In light of advances in information technology that may lead to abuse of personal data, Thailand has raised its awareness and developed a data protection law whose provisions comply with an international standard. Recently, the National Legislative Assembly of Thailand approved a draft Personal Data Protection Act (“Data Protection Act”), which is currently pending endorsement by the King and publication in the Royal Gazette. In this article, we would like to point out the material issues specified in the Data Protection Act for your attention.
Under Section 6 of the Data Protection Act, the term “Personal Data” means any information relating to a person which can directly or indirectly identify such person, but excludes information of a dead person. A person or entity that has the authority to decide on collecting, using, or disclosing the Personal Data is referred to as the “Data Controller”. According to Section 5 of the Data Protection Act, the Act generally applies to the collection, utilization, or disclosure of personal data conducted by a Data Controller who resides in Thailand, regardless of whether such collection, utilization, or disclosure is conducted overseas or in Thailand.
The most significant principle of the Data Protection Act is that the Data Controller shall not collect, utilize, or disclose the Personal Data without directly obtaining consent from the data owner on or before the date of collecting, utilizing, or disclosing. Such consent shall be made clearly in writing or through an electronic system. To seek consent from the data owner, the Data Controller has to follow the procedures specified in the Data Protection Act; for example, the Data Controller needs to specify its objectives for the collection, utilization, or disclosure of such Personal Data. If the data owner is a child, consent shall also be obtained from the child’s parent. However, there are some exemptions from these consent requirements and procedures. For example, if the Data Controller collects any Personal Data for the purpose of public interest or for complying with the law, the Data Controller does not have to seek consent from the data owner. Data collected in such a case also does not require the data owner's consent to be utilized or disclosed. To transfer the Personal Data overseas, the Data Controller shall also comply with an announcement issued by the committee appointed under the Data Protection Act, according to Section 28.
In addition, the Data Protection Act grants the data owner several rights. The data owner may request access to, or a copy of, his/her Personal Data, or request the Data Controller to disclose the origin of Personal Data acquired without consent from the data owner. The data owner may also object to any collection, utilization, or disclosure of his/her Personal Data, or even request the Data Controller to dispose of his/her Personal Data, provided that the requirements specified in the Data Protection Act are satisfied.
The above explanation covers only the main principles of the Data Protection Act. For the other details specified in the Data Protection Act, you will need a legal professional to assist you. If your business involves Personal Data, we recommend preparing your entity to comply with the requirements of the Data Protection Act, which will soon come into force and under which both civil and criminal sanctions apply. Please contact us at any time if you have any further questions regarding this.