PDPA – Procedures for Filing Complaint

Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) is a new law in Thailand, fully effective on 1 June 2022, which was enacted for the purpose of protecting personal data of data subjects.

Data subject is a person who owns his/her personal data and is the one who gives away his/her necessary personal data to a service provider (called data controller) in order to have them perform according to what both parties agreed under the contract. Therefore, personal data is something that can be used to identify individual the data subject directly or indirectly. However, the data subject does not include a juristic person and deceased person.

Rights of data subject are right to access, right to rectification, right to data portability, right to erasure, right to restriction, right to object, right to withdraw consent and right to complain.

For the data subject’s right to complaint under Section 73 of PDPA, one may file a complaint to the Office of Personal Data Protection Committee (“Office”) against an offender (i.e., data controller, data processor or any person who violates his/her rights) if his/her personal data is violated.

On 12 July 2022, there was a subordinate regulation which is the Criteria for Filing, Refusal of Acceptance, Dismissal, Consideration and Timeframe for Consideration of Complaint B.E. 2565 (2022)(“Subordinate Regulation”)specifying procedures, timeframes and documents required for filing the complaint to the Office. However, since this Subordinate Regulation has been enforced for a month, people still question the practical procedures regarding filing the complaint.

There is no fixed complaint form and there is only a list of required documents specified in the Subordinate Regulation. However, the complaint must be made in a letter consisting of the complainant’s name, address, telephone number or email address, facts with details and related information, details of damage or effects, evidence, and things that the data subject requests to do, together with a sentence certifying that the information in the letter is true.

Once a complaint letter and all documents have been well prepared, the data subject can either send the complaint by registered mail to the Office or submit it in person at the Office. Also, the Subordinate Regulation stipulated that a complaint can be submitted via an electronic channel.

An identification card of the data subject must be presented at the time of submitting the complaint. In the case that the data subject appoints an attorney. A power of attorney with a completed specifications of assigned duties and correct stamp duty together with the attorney’s certification of a copy ID card, passport or any identity document issued by the government must be submitted together with the complaint.

For the timeframe for consideration, the Subordinate Regulation has divided it into three stages as follows:

• The competent official shall review and check the completeness of complaint and evidence within 15 days from receipt whether they will accept the complaint for further consideration.
• After the competent official accepted such complaint, the complainant shall receive an acknowledgment receipt and complaint’s number. Then, the competent official will consider the matter as follow within another 15 days.
• Whether the action specified in the complaint violates the provisions of PDPA.
• Whether the complaint has grounds as specified by PDPA and it is reasonable to make a complaint.
• Whether the expert committee has the authority to consider the complaint.
• The competent official will then pass such complaint to the expert committee for further consideration. At this stage, the duration is not specified.

If the complaint is complete and accurate, the expert committee will further consider the complaint and result shall be categorized as one of the follows:

• Dismissing, if the expert committee considers that it has no ground under PDPA.
• Not accepting complaint, if the evidence is incomplete and has not been considered as a data breach.
• Setting a conciliation session, if the complaint can be settled by conciliation proceedings
• Rendering the punishment as an administrative fine.

If there is any question during the above period, for example, incorrect or incomplete evidence, the competent official will contact the complainant until they receive all required information and documents. The complaint letter and evidence must be well prepared and sufficient to show the competent official that there is an actual violation. Please note that the expert committee will not consider the complaint if details and documents are not complete and accurate. Such complaint shall be deemed invalid, and the expert committee may dismiss the complaint.

In conclusion, for the data subject, your personal data is important, and it is something that you should keep confidentially. You should consider and select to give away your personal data to the service provider who is able to comply with PDPA and has high-security measures to collect and process your personal data.