Personal Data Protection for NBTC license holders
The Notification on Protecting User Rights Regarding Personal Data, Rights to Privacy, and Freedom of Communication through Telecommunications Service (“Notification”) was approved by the National Telecommunications Commission. The Notification has been officially published in the Royal Gazette and became effective since September 4, 2023.
Key provisions of the Notification include:
Section 6 stipulates that license holders must obtain separate consent from users before using or disclosing their personal data for purposes other than operating the telecommunications business. License holders must clearly inform users about the scope and objectives of the business, the types of personal information that will be used or disclosed, and any third parties involved. Users must be provided with the option to confirm or revoke their consent. License holders must comply with the conditions specified in the notification and any additional requirements imposed by the NBTC. The language used must be clear and easily understandable, without misleading users about the purpose. Consent may be obtained in writing or through technological means. However, users’ consent or withdrawal should not interfere with their use of telecommunications services.
Section 7 outlines the details regarding sensitive data, which includes race, ethnicity, political opinions, beliefs, sexual behavior, criminal record, health record, disabilities, union information, genetic data, biological data, and any other data specified in the Personal Data Protection Law that may affect users.
Section 10 addresses the notification requirements for collecting personal data. Generally, license holders must inform consumers during or before collecting their personal data. However, when collecting data from other sources, license holders must notify the data subject within 30 days from the collection date. License holders are not required to notify when the collection does not require consent under Sections 6 and 7.
Section 14 states that if a violation poses a high risk to individuals’ rights and freedoms, license holders must immediately notify the NBTC within 24 hours of recognizing the violation. The notification must include a remediation measure for affected users.
Section 20 mandates that license holders must publicly announce their policies to protect users’ rights to personal information, privacy, and freedom of communication through telecommunications. These policies must be in accordance with the notification and the personal data protection law and should be displayed on the license holders’ website, place of service, application form, and service agreement. Additionally, these policies must be approved by the NBTC.
Given these revisions, it is crucial for all license holders to update their practices to ensure compliance with the personal data protection policies. The protection of personal information is of utmost importance, particularly in the telecommunications industry.
Author: Panisa Suwanmatajarn, Managing Partner.
Other Articles
- Thailand Takes a Step Towards Marriage Equality: A Closer Look at the Amendment of the Civil and Commercial Code
- Subordinate Legislations under the Foreigners Work Management Emergency Decree
- A Proposal for the Reform of the Foreigners’ Working Management Emergency Decree B.E. 2561: Enhancing Labor Management in Thailand
- Proposal for the Repeal of the Act Governing Offenses Arising from the Use of Cheques B.E. 2534 (1991) : Promoting Fairness and Responsibility
- Enhancing Rights and Welfare: The Freelance Promotion and Protection Bill
- Thailand – New Government with its Executive and Legislative Policies to Promote Foreign Direct Investment