New PDPA Subordinate Regulations

historic construction of post office in new york city

New PDPA Subordinate Regulations

According to Section 16(4), 73 paragraph 2, and 90 paragraph 2 of the Personal Data Protection Act B.E. 2562 (2019) or “PDPA”. The PDPA is Thailand’s very first law in relation to protection of personal data and put in place effective remedial measures for data subjects whose rights to be protected if their personal data are violated. The PDPA established the Personal Data Protection Commission or PDPC to govern the PDPA and also established the Office of the PDPC or OPDPC to act on the administrative matters and act as the secretariat of the PDPC.

On 29 June 2022, the two legislations under the PDPA were approved by the PDPA and published in the Royal Gazette on 17 July 2022 namely;

  1. The Criteria for Filing, Refusal of Acceptance, Dismissal, Consideration and Timeframe for Consideration of Complaint B.E. 2565 (2022)
  2. The Qualifications and Prohibitions, Term of Office, Vacate Office, and Other Operations of the Expert Committee B.E. 2565 (2022)

security logo

The Criteria for Filing, Refusal of Acceptance, Dismissal, Consideration and Timeframe for Consideration of Complaint B.E. 2565 (2022)

1. In case that any data controller and the data processor and their employees and contractors breach any provision of PDPA, the data subject is able to report to the expert committee by filing a complaint either in a form of hard copy or electronic (hard copy can be either directly submitted to the PDPC or sent by a registered mail).

2. Details of complaint shall include name, address, phone number, email of the reporter or attorney, copy of the reporter’s ID card, passport or any identity document issued by the government.

In the case that the data subject has authorized the attorney, the power of attorney with a complete specification of assigned duties and correct stamp duty together with the attorney’s certification of a copy ID card, passport, or any identity document issued by the government must be submitted together with the complaint.

The complaint must specify facts and details of the data breach in which the data controller and the data processor and their employees and contractors have committed against any provision of the PDPA and also specify the effect of such breach. All relevant evidence must be attached in order to support such a complaint. Moreover, the reporter must specify the request of ordering the data controller or data processor to comply in accordance with the PDPA. There must be a statement certifying that the statements in the complaint are true.

Please note that the reporter can be data subject, attorney or any person who is the holder of parental responsibility over the child (parents), custodian and curator of the data subject.

3. The competent official shall review the complaint and all evidence within 15 days since they receive such complaint to consider whether they will accept the complaint for further consideration. The competent official will contact the reporter in case of more information is needed. Please note that the competent official will accept the complaint and pass it to the expert committee only if all information is correct and complete. After accepting such complaint, the reporter will receive an acknowledgement receipt and number of complaints.

The matters that the competent official must consider within such 15 days are as follows:

  • Whether the action specified in the complaint is violation of the provisions in PDPA.
  • Whether the complaint has grounds as specified by PDPA and it is reasonable to make a complaint.
  • Whether the expert committee has the authorization to consider the complaint.

The competent official will then pass such complaint to the expert committee for further consideration. After receipt of the complaint, the expert committee will consider such complaint and the results may categorize as follows:

  • Dismissing, if the expert committee considers that it has no ground under the PDPA.
  • Not accepting complaint, if the evidence is incomplete and has not been categorized as a data breach.
  • Setting a conciliation session, if the complaint is seen to be settled by conciliation proceedings
  • Rendering the punishment as an administrative fine.

In the case that the expert committee deems that consideration of such a complaint is an important legal issue, the expert committee shall pass this complaint to the PDPC for further consideration.

The expert committee must inform the reporter of the result of the complaint with its reason in relation to the result.

The Qualifications and Prohibitions, Term of Office, Vacate Office and Other Operations of the Expert Committee B.E. 2565 (2022)

  1. The PDPC shall appoint a group(s) of expert committees in accordance with their expertise. Each group consists of one chairperson and at least 4 members.
  2. A person to be appointed as chairperson of the expert committee and its members must have qualifications such as being Thai nationality, not lower than 25 years old, not being bankrupted or having been previously dishonestly bankrupted, not being an incompetent or quasi-incompetent person, not having been previously fired, dismissed or discharged from official service, government agency or state enterprise or private agency on the ground of dishonest performance of duties or having committed severe wrongful conducts.
  3. Moreover, the chairperson and members shall be vacated from office if death, resignation, imprisonment by the court verdict, disqualification as specified above or dismissing by the PDPC due to failure to pass the performance evaluation or commit disgraceful.
  4. The chairperson of the expert committee and the members shall hold office for a term of four years.
  5. The meeting of expert committee shall consist of one-half of all members to constitute a quorum. The decision of the meeting shall be made by a majority of votes and each has one vote. In the case of equal votes, the chairperson shall have the casting vote. The meeting may be taken placed by an electronic mean.
  6. Any member who has any interest in the matter being considered in the meeting must inform all members regarding such interest prior to the meeting and such member shall be prohibited from attending such meeting.
  7. The Secretary-General of PDPC shall appoint a maximum of two secretaries to each expert committee.
  8. If there is a joint meeting of more than one expert committee. The chairperson of the expert committee holding the most senior level shall preside over the meeting. This joint meeting of the expert committee shall all consist of not less than 6 members and the members attended the meeting must be from all committee invited to attend the meeting in order to constitute a quorum.

Posted in