Subordinate Regulations for Enhanced Security Measures under the PDPA

security logo

Subordinate Regulations for Enhanced Security Measures under the PDPA

Introduction:

The Personal Data Protection Committee (PDPC) in Thailand has recently announced two important notifications as part of its ongoing efforts to enforce the Personal Data Protection Act B.E. 2562 (2019) (PDPA) and ensure robust information privacy practices. These subordinate regulations, namely the PDPC Notification Concerning the Security Standard for Personal Data under the Responsibility of Data Controllers Exempted from the Enforcement of the PDPA, and the PDPC Notification Concerning the Appropriate Security Measures to Protect the Rights and Freedom of the Data Subject in the Processing of Personal Data for Purposes Relating to the Preparation of the Historical Documents or the Archives for Public Interest, are set to come into effect on March 7, B.E. 2567 (2024).

PDPC Notification Concerning the Security Standard for Personal Data under the Responsibility of Data Controllers Exempted from the Enforcement of the PDPA:

Following our previous coverage on this topic – PDPC notification on security standards for personal data controllers exempted from PDPA, the PDPC conducted a public hearing to gather input and evaluate the imposition of obligations on data controllers exempted from the PDPA. The official version of the notification has been published, and its provisions are identical to those previously discussed. For more details, please refer to our earlier article on the PDPC notification on security standards for personal data controllers exempted from the PDPA in the link above.

two person standing under lot of bullet cctv camera

PDPC Notification Concerning the Appropriate Security Measures to Protect the Rights and Freedom of the Data Subject in the Processing of Personal Data for Purposes Relating to the Preparation of the Historical Document or the Archives for Public Interest:

Section 24 (1) of the PDPA exempts certain data controllers from obtaining prior consent from data subjects when collecting, using, or disclosing personal data for the preparation of historical documents or archives for public interest purposes. However, these data controllers are still obligated to implement specific security measures to safeguard the personal data of individuals. The following summary outlines the key security measures:

  1. Implementation of Organizational, Technical, and Physical Safeguards: Data controllers must establish and maintain appropriate organizational, technical, and physical safeguards to ensure that personal data processing is limited to purposes directly connected to the preparation of historical documents or archives for public interest.
  2. Suitable Security Measures: Data controllers must implement security measures that effectively prevent unauthorized or unlawful loss, access, use, alteration, correction, or disclosure of personal data, in accordance with Section 37 (1) of the PDPA.

Additionally, data controllers may consider pseudonymization or encryption of personal data, where applicable, to minimize the risk of exposure. However, such additional safeguards should not compromise the intended purposes of preparing historical documents or archiving and must be assessed based on the specific contexts of personal data processing and the associated risks involved.

Conclusion:

The introduction of these subordinate regulations by the PDPC highlights its commitment to enhancing personal data security measures in Thailand. By providing guidance on security standards and appropriate measures, these regulations reinforce the enforcement of the PDPA and safeguard the rights and freedoms of individuals with regard to their personal data. It is crucial for organizations to understand the nature of their personal data processing activities and undertake a case-by-case interpretation and consideration to ensure compliance with these regulations. As Thailand continues to prioritize data protection, these measures lay a strong foundation for fostering a culture of responsible and secure handling of personal data in the country.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

Posted in