PDPC’s Guideline for Data Controller and Data Processor
The Personal Data Protection Committee (“PDPC”) has announced the Guidelines for Data Controller and Data Processor Re: Case Studies, drawn from its discussion of the enforcement of the Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”). The guideline sets out sample actions for specific cases as scenarios that all relevant parties under the PDPA, including the Data Controller, Data Processor, Data Subject and other relevant persons, can consider and apply. It also aims to put in place effective remedial measures for Data Subjects, whose personal data and rights must be protected, and to prevent data breaches under the PDPA. The sample scenarios are as follows:
- Does a bank need to obtain consent from minors aged 7 to 20 in order to collect and/or use their facial recognition data for mobile banking transactions? Facial recognition data is classified as sensitive personal data, namely biometric data, which is data arising from the use of technics or technology related to the physical or behavioral dominance of the person under Section 26 of the PDPA. Consent is required only if no other legal basis, such as Contract or Legal Obligation, can be applied. Furthermore, the procedure for obtaining a minor’s consent must comply with Sections 19 and 20 of the PDPA.
- Is consent required when a bank introduces new products to a minor for marketing purposes? If so, can minors freely consent on their own behalf? The collection of personal data for marketing purposes is not an activity covered by the legal basis of a contract for opening a bank account. If such personal data was not collected for a purpose under Sections 24(1) to 24(6) of the PDPA, such as Vital Interest or Legal Obligation, then the minor’s consent must be obtained, and the consent of the holder of parental responsibility over the child may also be required on a case-by-case basis in accordance with Section 20 of the PDPA.
- A limited company operating a trading and service business enters into an agreement with an individual business partner and would like to collect personal data, such as the name, phone number and other information of the business partner’s employee, in order to contact him/her directly on matters related to performing the agreement. In this case, the Data Controller cannot rely on the legal basis of “Contract” with respect to that employee, but the legal basis of “Legitimate Interest” may be applied, provided the data processing does not override the fundamental rights of the employee as a Data Subject.
- What are the advantages and disadvantages of appointing an outsourced Data Protection Officer (“DPO”)? Is it necessary for the company to set up a separate department to handle this specific task? The Data Controller may appoint a DPO depending on its suitability and necessity for the Data Controller to comply with and be responsible for the duties set out in Section 42 of the PDPA. Furthermore, a DPO cannot be dismissed or terminated for performing his/her duties under the PDPA, and the DPO should be a person who can report directly to the executives of the Data Controller or Data Processor. Accordingly, selecting the DPO is an internal matter for the company to decide as it deems appropriate.
In conclusion, to assist government agencies and private companies with their concerns and questions regarding PDPA compliance, the PDPC has assigned a Sub-Committee to gather such questions and concerns and submit them, together with recommended answers, to the PDPC for further consideration; the PDPC will then provide the approved answers and consultations to the government agencies and private companies. In the future, these inquiries may be published as sample scenarios, as they were in this guideline.