Supervision of Financial Business Groups of Commercial Banks that Operate Business and Transact on Digital Asset

on by

Supervision of Financial Business Groups of Commercial Banks that Operate Business and Transact on Digital Asset

Digital Asset plays a significant role in contributing to the development of innovative financial services which is beneficial to consumers and the economy as a whole. However, Digital Asset exposed to risks in many forms, especially in cases where consumers have an insufficient understanding of Digital Asset, and is also at risk of being used as a tool for money laundering or terrorist financing.

In order to balance between supporting innovations related to Digital Asset of the financial business groups of commercial banks for benefits and managing risks that may arise, it is an important concept for the Bank of Thailand to improve and defines relevant rules for business operation and transaction related to Digital Asset to be more flexible and to allow discreet investment and business relevant to Digital Asset under the rules and investment ratio in Digital Asset Business as required.

Therefore, the Bank of Thailand has issued the Notification of the Bank of Thailand No. SorNorSor. 6/2565 on Regulations on the Supervision of Financial Business Groups of Commercial Banks that Operate Business and Transact on Digital Asset (“Notification”) which comes to force on October 22, 2022,  and applies to commercial banks, parent companies, subsidiaries, and affiliated companies of commercial banks in financial business groups according to the financial institutions business law with key principles such as: (1) to allow companies in financial business groups except commercial banks to discreetly operate a Digital Asset business under flexible regulations, and support technologies or development of financial services to increase financial system’s efficiency for the benefit of the people, business and economy; (2) to supervise and manage the risks from transactions in relation to Digital Asset; (3) to protect consumers and for consumers to receive fair services; and (4) to raise the Digital Asset business standard.

This Notification stipulates that commercial banks can transact on Digital Asset but cannot operate a Digital Asset business, and companies in financial business groups can operate businesses and transact in Digital Asset as prescribed in this Notification without contravening the key principles of this Notification and other relevant laws of Thailand and internationally such as prohibiting the use of Digital Asset as a means of payment or encouraging the general public to hold Digital Asset. However, such transactions are subject to the purpose of developing innovations to increase the efficiency and quality of providing financial business.

Furthermore, this Notification also specifies the principles of risk management governance in the following subjects:

  1. Limiting the amount of credit, investing, creating contingent liabilities, or conducting transactions similar to lending to businesses related to digital assets (Digital Asset Related Business Limit)
  2. Good Governance Supervision
  3. Capital maintenance
  4. Liquid assets maintenance
  5. Classification and provisioning
  6. Supervision of large debtors
  7. Intragroup Contagion Risk
  8. Official supervision (Supervisory Review Process)
  9. Disclosure
  10. Know Your Customer: KYC
  11. Consumer Protection

Author: Panisa Suwanmatajarn, Managing Partner

on by

What the Data Controller needs to do when a Personal Data Breach occurs

The Personal Data Protection Committee (“PDPC”) is currently considering issuing a Personal Data Protection Announcement on how to report an incident of personal data breach to the Office of PDPC and whether it needs to report to the Data Subject.

According to Section 37(4) of Personal Data Protection Act B.E. 2562 (“PDPA”), a Data Controller has to notify the Office once there is a data breach without delay or within 72 hours after having become aware of the data breach. The data breach may be occurred by the Data Controller, Data Processor, Representative, any related person, or any other factors, such as an accidental, technological and computer processing system, computer crime, or cyber threat, who acts willfully, negligently, unauthorizedly, or unlawfully, affecting the completeness and accuracy of the personal data and the rights of the Data Subject. The Data Breach Category is divided into three types which are the leak of confidential personal data (Confidentiality Breach), the personal data misfiling (Integrity Breach), and inaccessibility of personal data, which can result in permanent inaccessibility or destruction (Availability Breach).

woman wearing hooded pullover hoodie facing tablet computer

At the same time, the Data Controller is required to check its security measures in all aspects, including Organizational Measures, Technical Measures, and Physical Measures. And conduct a risk assessment of all possible effects on the Data Subject considering whether the data breach is likely to result in a high risk to the Data Subject’s rights and freedoms, the risk assessment factors as stated in the Announcement, if so, Data Controller is required to notify the Data Subject without delay, along with the remedial measures.  In case where Data Controller cannot contact Data Subject for any reason, the data breach notification to Data Subject can be carried out on a public platform, such as social media or any other means by which the public can become aware of such notification. However, Data Controller is not required to notify the Office if such data breach is unlikely to result in a risk to the rights and freedoms of the Data Subject due to the reasons such as personal data being anonymous information that cannot be used to identify the Data Subject, unusable personal data due to adequate technological security measures or other reliable reasons according to the law.

Furthermore, the Data Controller must take immediate remedial action against the cause of such data breach either by restricting access to personal data or by any other means as necessary.

The data breach notification submitted to the Office must be included the details such as the number of personal data that has been leaked or violated, the name and address to contact the Data Protection Officer, consequences of a data breach, security measures that the Data Controller or Data Processor have to prevent data breach together with the remedial action in all respects, including personal, procedure and technology. In the event that the Data Controller fails to notify the Office in due time, the Data Controller must clarify reasons and details regarding the inevitability of such an offense to the Office within 15 days of becoming aware of the data breach in order for the Office to consider exempting so. The failure to comply with all of the above is an offense under the PDPA penalized by Administrative Liability with a fine of not exceeding three million Baht.

The Announcement also contains details and sample cases on data breach notification, which will guide Data Controllers in determining which cases must be reported and who must be notified. Therefore, Data Controllers should study this Announcement in order to prepare themselves in case that the data breach occurs and to be in compliance with the PDPA.

Author: Panisa Suwanmatajarn, Managing Partner

on by

Asia IP : IP infringement and data misuse: The dark side of the dark web

“The traffic of the Dark Web is almost as much as the normal web,” said Panisa Suwanmatajarn, managing partner at The Legal Co. in Bangkok. “It is almost to impossible to trace who is actually doing what.” 

However, there are ways to do the tracing without letting copyright and trademark infringers as well as data privacy violators know they are being hunted down in the Dark Web.  

“IP and data privacy lawyers/attorneys and enforcement authorities need sophisticated technological tools and providers of specialized services to take down these wrongdoers,” said Suwanmatajarn. 

Panisa Suwanmatajarn said in Asia IP, IP infringement and data misuse: The dark side of the dark web on 9 November 2022

Read Full Article

on by

Safe Harbor: Suppression of Dissemination and Removal of Computer Data from the Computer System B.E. 2565 (2022)

Recently, the Ministerial Notification of Ministry of Digital Economy and Society (MDES) re: Procedures for the Notification, Suppression of Dissemination and Removal of Computer Data from the Computer System B.E. 2565 (2022) (the “Ministerial Notification”) was published in the Government Gazette, replacing the previous version which came into force in 2017. The Ministerial Notification lays down safe harbor procedures to be complied by service providers and social media platforms in order to be exempted from liability for cooperating, consenting, or supporting offences in relation to illegal computer data under Section 15 of the Computer Related Crime Act B.E. 2550 (2007) as amended by Computer Related Crime Act (No.2) B.E.2560 (2017) (the “CCA”).

According to the Ministerial Notification, service providers offering the following types of service could benefit from safe harbor if they can prove that they have complied with conditions specified therein.

green and white line illustration
  1. Intermediary services, for example, facilitate computer information transmission routing, transitory communication – mere conduit, provide necessary transient storage, or hosting carried out by an automatic technical process;
  2. System caching;
  3. Storing information residing on systems or network at direction of users;
  4. Linking users to computer information by using information location tools; and
  5. Social media platform.

In general, service providers/social media platforms must transmit, storing or linking computer information in their control without any modification or interference and have no collaboration in, relation to or knowledge upon illegal activities specified in Section 14 of the CCA carried out by services users or other third parties. Also, service providers must not receive direct or indirect compensation or benefit for disseminating such illegal computer information.

In addition to the above-mentioned conditions, service providers/social media platforms must also prove that they have implemented Notice & Takedown Policy, which outlines as follows:

security logo
  1. Notification procedures must be adopted by service providers for suppression of dissemination and removal of illegal computer data, providing service users or other third-party channels to report illegal activities. A take down notice must contain at least name and contact details of service providers/social media platforms and complaint form for service users to report, for example, details of alleged perpetration and damages occurred.
  2. Service users can notify illegal computer information by either filing a report or a complaint to the inquiry officer or notifying service providers/social media platforms by completing the provided complaint form.
  3. Service providers/social media platforms must respond expeditiously by suppressing the dissemination of and/or removing illegal computer data from their system as well as forwarding a copy of the complaint form to service users, members, or other relevant persons.  

Furthermore, takedown measures also available to officers by issuing an order to service providers/social media platforms who are reported by an injured person, government officials and etc. to have illegal computer contents in their control. Similar to Notice & Takedown Policy adopted by service providers, upon receiving an order from officers, service providers/social media platforms must expeditiously suppress the dissemination and/or remove illegal computer data as well as forward a copy of the complaint to service users, members, or other relevant persons under their control. However, service providers/social media platforms may file an appeal against the order to the Permanent Secretary of MDES within 30 days from the receipt of order.

Author: Panisa Suwanmatajarn, Managing Director

on by

Exemption of Showing Evidence of Medical Certificate as a Person Without Prohibited Diseases and Appearing in Person to Collect Digital Work Permits at the Department of Employment for Long-Term Resident Visa (LTR Visa) Applicants and Holders.

Recently, the Cabinet has approved in principle the Draft Notification of the Ministry of Labor Re: Permission for Aliens to Work in the Kingdom as a Special Case according to the Measures to Stimulate Economy and Investment by Attracting High Potential Foreigners to Thailand (No. ..) B.E. …. (the “Draft Notification”), which exempts LTR Visa applicants/holders and their spouses from submitting medical certificate showing no prohibitive diseases and appearing in person to collect work permits at the Department of Employment.

man in black suit sitting on chair beside buildings

Before this Draft Notification, the Ministry of Labor has issued the Notification of the Ministry of Labor Re: Permission for Aliens to Work in the Kingdom as a Special Case according to the Measures to Stimulate Economy and Investment by Attracting High Potential Foreigners to Thailand dated 2 June 2022, permitting those who hold LTR Visas and their spouses to apply for work permits in Thailand under the following requirements.

  1. The applicants must be free from prohibited diseases, leprosy, tuberculosis, elephantiasis at the stage that its appearance is disgusting to society, drug addiction, alcoholism and third phase of syphilis.
  2. The applicants must collect a work permit issued by the registrar by themselves in person.
five women sitting on tree trunk

However, the Board of Investment Committee (BOI) has subsequently issued a letter requesting the Ministry of Labor to consider waiving the above two requirements for LTR visa applicants/holders in order to reduce unnecessary steps and facilitate foreigners with high quality and high potential to stay and work in Thailand. After the approval from the Board of Foreign Worker Management Policy, the Ministry of Labor proposed the Draft Notification to the Cabinet which has recently granted their approval in principle of the same.

This Draft Notification allows foreigners and their lawful spouses who have been granted a special case of long-term resident visas (LTR Visa), to apply for  work permits in Thailand with no requirement for showing medical certificates to prove that they are free from prohibited diseases. Moreover, under this Draft Notification, no foreigners under the LTR visas are required from collecting work permits issued by the registrar in person.

on by

Disciplinary Fine in Thailand

As the Constitution of the Kingdom of Thailand, Section 77, stipulates that the state should prescribe criminal penalties only for serious offences. Therefore, the Council of Ministers deems it appropriate to prescribe offences in a manner that violates or fails to comply with the laws in the case that they are not considered as serious offences and, under their nature, those do not cause serious effects on public order or good morals or have no widespread impact on the public, to be deemed as disciplinary offences. Those disciplinary offences will not be considered as criminal offences and disciplinary fines shall be imposed.

With the reasons and principles aforementioned, the Disciplinary Fine Act, B.E. 2565 (2022) (“Act”) has been enacted and published in the Government Gazette on October 25th, 2565 (2022) and will come into force on June 3rd, 2565 (2023), except for Section 37 and Section 38 Paragraph One which came into force on the date of its publication in the Government Gazette. It stipulates the rights and duties of relevant government agencies and competent officers to take actions in order to be ready to implement the provisions of this Act to meet its objectives upon the date this Act shall come into force.

man in black crew neck t shirt covering his face with his hand

Generally, criminal penalties for inflicting upon the offenders are death, imprisonment, confinement, fine and forfeiture of properties. However, subject to this Act, any criminal offences to be penalized in a form of fine only as stipulated in 204 different laws will be changed to disciplinary offences and no longer be considered as criminal offences except for:

1. Criminal offences to be penalized by imprisonment or higher penalty if such offences are committed by a natural person, but to be penalized in a form of fine only if a juristic person commits the same offences;

2. Criminal offences to be penalized in a form of fine only, provided that a higher penalty has been applied when the offences repeatedly commit the same or when there are other grounds impose that offenders shall be penalized with a higher penalty as prescribed by any other applicable laws; and

3. Criminal offences to be penalized in a form of fine only as stipulated in List no. 2 of this Act. However, such offences are entitled to be applied to be disciplinary offences in case that royal decrees for such offences have been enacted.

a no smoking signage on a tree

The 204 different laws as mentioned above are such as Land Transport Act, B.E. 2522 (1979), Highways Act, B.E. 2535 (1992), Alcoholic Beverage Control Act, B.E. 2551 (2008), Public Assembly Act, B.E. 2558 (2015), Accounting Act, B.E. 2543 (2000). In addition, examples of minor offences in which those will be changed from criminal penalties to disciplinary fines are as follows:

1. Failure to show a driver’s license, a fine not exceeding 1,000 Baht;

2. Smoking in a non-smoking area, a fine not exceeding 2,000 Baht; or

3. By any means, cause a child not to study in an educational institution without reasonable cause, a fine not exceeding 10,000 Baht.

low section of man against sky

The change of penalties from non-serious offences, i.e. no imprisonment, to disciplinary fines has benefits in many ways including

1. The offenders will not have criminal records nor fingerprints kept in their record to discredit, dishonor, defame and affect their career and reputation.

2. The offenders will be fined only without detention during the trial and therefore it does not cause the burden of bail.

3. Disciplinary fines can be either paid in installments or chosen to work in social services instead of paying disciplinary fines.

4. The court will always take the behavior of the offenders and economic situation into consideration and may consider reducing disciplinary fines or just admonishing without collecting disciplinary fines if any crime was committed due to an offender’s poverty.

Author: Panisa Suwanmatajarn, Managing Partner

on by

Acquisition of Land for Use as Residence by Potential Foreigners in Thailand

On 25th October 2022, the Cabinet approved in principle a draft Notification of Ministry of Interior on Acquisition of Land for Use as Residence for Foreigners in accordance with Economic and Investment Stimulus Measures by Attracting High Potential Foreigners to Thailand by B.E. .… (the “Draft Ministerial Regulation”).

The Draft Ministerial Regulation allows four groups of high potential foreigners, namely wealthy global citizens, wealthy pensioners, foreigners who want to work from Thailand, and highly skilled professionals or specialists, to purchase and own land for residential purpose. The Draft Ministerial Regulations introduces new criteria regarding types and duration of investment specifically for such groups of foreigners.  These new criteria will be added to general requirements prescribed in the currently implemented Ministerial Regulation Re: Rules, Procedures and Conditions for Acquisition of Land by Aliens B.E. 2545 (2002) (the “Ministerial Regulation B.E.2545 (2002)”) which have already permits foreigners to own land for residential purposes if they meet the requirements of making at least 40 million Baht investments for at least 5 years in, for example, Thai government bonds or Bank of Thailand bonds, real estate funds or mutual funds for resolving financial institution problems established under the law on securities and stock exchange, shares capital of juristic persons who received investment promotion under the law on investment promotion, or businesses that qualify for investment promotion under the law on investment promotion as announced by the Board of Investment (BOI).

money cash euro pay

The Draft Ministerial Regulation stipulates that high potential foreigners who invest and maintain the investment capital of at least 40 million Baht for 3 years reducing from 5 years in businesses that are beneficial to the economy and society of Thailand or in businesses that are eligible for investment promotion as announced by the BOI under the law on investment promotion will be entitled to own land for residential purposes with an area not exceeding 1 Rai or 1,600 sq.m. or about 0.4 Acres.

 In addition to types of investment mentioned in the Ministerial Regulation B.E.2545 (2002), the Draft Ministerial Regulations also includes investment in infrastructure funds and Real Estate Investment Trusts (REIT) established under the law on Trust for Transactions in Capital Market. However, the land acquired must be located in Bangkok, Pattaya city area, municipal area or within the area designated as a residential area according to the Town and Country Planning Act.

The Ministerial Regulation will be in force for 5 years after its publication in the Government Gazette. For the next step, the Draft Ministerial Regulation will be submitted to the Council of State for its consideration before the Draft Ministerial Regulation retuned to the Cabinet for its final consideration and approval.

on by

Guideline for Privacy Notice and Collection of Personal Data

By now, Data Controller should be aware that under Section 23 of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), the Data Controller is required to notify the Data Subject of the details and purposes of the collection, use, or disclosure of personal data through a Privacy Notice before or at the time of collection. In this regard, the Personal Data Protection Commission “PDPC” has issued a guideline regarding this matter of Privacy Notice and the collection of personal data which the Data Controllers must firstly determine whether there are any specific regulations issued by other regulators governing the same matter before complying with this guideline, respectively. If there are and such regulations do not have lower standard than those of PDPA, the Data Controller must follow those regulations.

man in white crew neck shirt

Prior to preparation of the Privacy Notice, Data Controller must consider the fairness that Data Subject will receive including considering the consequences after the collection, use and disclosure of personal data and specifying the purpose of such collection in clear and plain language, not deceptive or misleading, plus, the purpose for processing personal data must be obvious, specific and lawful in order for the Data Subject to explicitly understand and aware of, particularly for the section relating the disclosure of personal data to third parties, before giving his or her consent. If there are any cases where other legal basis can be applied to the collection, use or disclosure of personal data, the Data Controller may rely upon those legal basis as well. The guideline also lists down details that should be specified in the Privacy Notice.

Section 25 of PDPA imposes the Data Controller to not collect personal data from other sources apart from Data Subject directly, however, the Data controller may do so if the following exceptions are met.

  1. The Data Controller is required to inform the Data Subject of such indirect collection within thirty days of the collection date in order to request consent from the Data Subject and process such personal data for a new purpose to which the Data Subject had never previously consented. In practice, this Data Controller who receives personal data from other sources in some cases does not need to provide details under Section 23 because the Data Controller collecting data from other sources supposes to notify it to the Data Subject in the first place. However, if Data Controller collecting data from other sources did not do so, the current Data Controller must comply with Section 23 notifying the Data Subject within thirty days as previously stated above.
  2. The current Data Controller is not required to notify the Data Subject of the Privacy Notice and obtain any consent from the Data Subject again if the Data Subject was aware of the purpose and details of personal data collection.
  3. If it is impossible for the current Data Controller to notify the Data Subject, the Data Controller must have an appropriate security system to protect the rights, freedoms and benefits of the Data Subject.
woman in black framed eyeglasses holding smartphone

In this regard, the Data Controller shall either make a public announcement and state the necessities of such personal data collection or provide the Data Protection Impact Assessment (DPIA) in order to identify and assess the risk or damage that may result from the use or disclosure of personal data.

Author: Panisa Suwanmatajarn, Managing Partner.

on by

Special Permission for Certain Classes of Aliens to Stay in the Kingdom for Highly Skilled Manpower, Investors, Executives and Startups Entrepreneurs

On 27 September 2022, the Cabinet approved in principle the draft Notification of Ministry of Interior on Special Permission for Certain Classes of Aliens to Stay in the Kingdom for Highly Skilled Manpower, Investors, Executives and Startups Entrepreneurs (No…) B.E. (….) (“Notification”) which was proposed by the Ministry of Interior. The purpose of this draft Notification is to add the numbers of targeted industries under the Smart Visa Program from 13 to 18 industries. This will attract and gather highly skilled manpower, investors, executives and startups entrepreneurs capable of developing the targeted industries to apply for the Smart Visa in order to bring in technology and knowledge to the Kingdom.

Additional targeted industries are as follows:

  1. National defense industry;
  2. Industries that facilitate the circular economy directly and significantly, for example, fuel production from waste, water resources management, etc.;
  3. Environmental management and renewable energy;
  4. Technology innovation and startup ecosystem management; and
  5. International business center.

Those who have obtained this type of visa are eligible for several benefits such as exemption from applying for a work permit, reporting himself/herself to the Immigration Bureau once a year instead of every 90 days, and unlimited travel back into the Kingdom (Re-entry permit). Furthermore, the spouse and legitimate child have the same right to stay and work as the primary visa holder. Therefore, those involve in this matter should be aware of this draft Notification for expanding opportunities for the growth of their industries.

Hire Purchase Agreement for Vehicle and Motorcycle is Now Regulated

on by

Hire Purchase Agreement for Vehicle and Motorcycle is Now Regulated

On 12 October 2022, the Committee on Contract (“Committee”) set up by virtue of the Consumer Protection Act B.E. 2522 (1979) (“Act”) issued an announcement regarding updated rules, conditions and particulars of vehicle and motorcycle hire purchase agreement (“Announcement”), which is a contract-controlled business under the Act, in order to protect consumers’ rights from being taken advantage by business operators. This Announcement will become effective after 90 days from the date of publication, which will be on 10 January 2023.

This Announcement only applies to a hire purchase agreement for a vehicle or motorcycle (“vehicle”) between a business operator and a consumer. The vehicle must be used solely for personal purposes, not for transportation or commercial purposes. The following are examples of requirements that must be specified in the agreement which have changed from the previous announcement issued in 2018.

  1. The hire purchase interest will be charged in the effective interest rate method of no more than 10% per year for a new car, no more than 15% per year for a used car and up to 20% per year for a motorcycle.
  2. When the hire purchase provider terminates the agreement because of the hirer’s failure to pay debts in three consecutive installments or by any legitimate reason and hire purchase provider proceeds to sell the vehicle at private or public auction, the hire purchase provider must notify the hirer and the guarantor (if any) in writing at least thirty days in advance so that the hirer can exercise the right to purchase such vehicle within twenty days at the price of outstanding debt under the agreement. If the hirer wishes to do so and pay off all debts at once, the hire purchase provider must provide the hirer with the discount. However, if the hirer ignores or fails to exercise such rights, the guarantor may do so instead. The hirer and guarantor have the right to assign this right to any third party.
  3. The debt as mentioned above shall refer to and include the default payment, the installment that has not yet been due and any fee or charge spent by the hire purchase provider to collect hire purchase installment(s) that has been due prior to the termination of the agreement.
  4. The Hire Purchase provider must notify the hirer and the guarantor (if any) of the details of the seller, the date and time of the auction, and the selling price at least fifteen days before the auction date. Once the vehicle has been sold at auction, the hire purchase provider shall deduct the net proceeds of the auction from the debt owed by the hirer, any surplus shall be refunded to the hirer. However, if the net proceeds are less than the debt, the hirer shall be responsible for the remaining amount of such debt. Furthermore, the hire purchase provider must notify the hirer within fifteen days from the date the vehicle is sold with all details of the auction and the amount of debt as well.
man inside vehicle in front of opened door

In light of this, the aforementioned is only a partial requirement of the agreement that the hire Purchase provider must follow. There are still many details that the hire purchaser should know in order to prepare a legally binding agreement.  Any business operator who fails to deliver the agreement containing terms and conditions to the consumer in accordance with the Announcement shall be liable to imprisonment for a term not exceeding one year or to a fine not exceeding one hundred thousand Baht or both. Plus, the consumer should also be aware of this Announcement because it directly affects his or her rights. If a consumer sees that any business operator fails to comply with the Announcement, a consumer can file a complaint to Consumer Protection Board respectively.