PDPC Notification on Security Standards for Personal Data Controllers Exempted from PDPA

The Office of Personal Data Protection Commission (PDPC) conducted a public hearing on the draft PDPC Notification Concerning the Security Standards for Personal Data under Responsibility of Data Controllers exempted from the enforcement of the Personal Data Protection Act B.E. 2562 (2019) (PDPA) (“Notification”). This public hearing occurred from 17 October 2023 to 31 October 2023.

Under Section 4 of the PDPA, certain data controllers, including public authorities, the media, the House of Representatives, the Senate, the Parliament, the courts, and the credit bureau, are exempted from the enforcement of the PDPA. However, Section 4 paragraph 3 of the PDPA mandates that these exempted data controllers must implement security measures to protect personal data.


The draft Notification sets out the security measures that exempted data controllers must adhere to. These measures are similar to those prescribed in the PDPC’s Notification on Security Measures for the Protection of Personal Data B.E. 2565 (2022). The key measures include:

  1. Implementing organizational, technical, and physical measures to safeguard personal data, regardless of its form (physical or digital).
  2. Ensuring the confidentiality, integrity, and availability of personal data.
  3. Extending security measures to servers, software, or applications for storing or processing personal data.
  4. Implementing access control, identity proofing and authentication, need-to-know basis access, user access management, determination of user responsibilities, and personal data audit trails.
  5. Raising awareness about privacy and security among employees or users with access to personal data.
  6. Adopting pseudonymization or encryption measures to minimize the risk of unauthorized or unlawful processing of personal data.
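As an added illustration of item 6 (this is example code written for this page, not code from the Notification or the PDPC), the block below pseudonymizes the direct identifiers in a constructed customer record with a keyed HMAC and contrasts it with plain hashing. The practitioner's caveat it demonstrates: an unkeyed hash of a low-entropy identifier such as a phone number is not pseudonymization at all, because anyone can recompute it for every candidate value. The record fields, the phone number and the name are constructed for the example.

```python
"""Keyed pseudonymization of direct identifiers in a personal-data record.

Added illustration, not part of the PDPC Notification. The record layout,
the field names and the phone number are constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Fields treated as direct identifiers; every other field is left readable
# so the record stays usable for processing.
DIRECT_IDENTIFIERS = ("name", "phone")

# Constructed sample record (not real data).
SAMPLE_RECORD = {"name": "Somchai Example", "phone": "0812345678", "plan": "prepaid"}


def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with HMAC-SHA256 tokens under a secret key.

    Same value + same key -> same token, so records can still be linked for
    analysis; without the key an outsider cannot recompute the token for a
    guessed value. The key must be stored apart from the dataset (a separate
    key store or HSM), otherwise the dataset is effectively still identified.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            msg = f"{field}:{out[field]}".encode()  # bind the token to its field
            out[field] = hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]
    return out


def naive_pseudonymize(record: dict) -> dict:
    """The weak variant: unkeyed SHA-256, which is NOT adequate pseudonymization."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = hashlib.sha256(str(out[field]).encode()).hexdigest()[:32]
    return out


def invert_by_enumeration(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unkeyed token: a 10-digit phone number has far
    too little entropy, so hashing every candidate recovers the original."""
    for cand in candidates:
        if hashlib.sha256(cand.encode()).hexdigest()[:32] == token:
            return cand
    return None


def demo() -> dict:
    """Run both variants on the sample record and attack each token."""
    key = secrets.token_bytes(32)  # generated once, kept in a separate store
    keyed = pseudonymize(SAMPLE_RECORD, key)
    weak = naive_pseudonymize(SAMPLE_RECORD)
    # The attacker knows the operator prefix and brute-forces the last five digits.
    recovered_weak = invert_by_enumeration(
        weak["phone"], (f"08123{n:05d}" for n in range(100_000)))
    recovered_keyed = invert_by_enumeration(
        keyed["phone"], (f"08123{n:05d}" for n in range(100_000)))
    return {"keyed": keyed, "weak": weak,
            "recovered_weak": recovered_weak, "recovered_keyed": recovered_keyed}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` recovers the phone number from the unkeyed token after at most 100,000 hashes, while the keyed token yields nothing. Encryption (item 6's other option) differs from this in being designed to be reversed by the key holder; choose pseudonymization when downstream processing only needs linkage, and encryption when the original value must be restored.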

Compliance with these measures will be closely monitored once the Notification comes into force.

Author: Panisa Suwanmatajarn, Managing Partner.


Personal Data Protection for NBTC license holders

The Notification on Protecting User Rights Regarding Personal Data, Rights to Privacy, and Freedom of Communication through Telecommunications Service (“Notification”) was approved by the National Broadcasting and Telecommunications Commission (NBTC). The Notification has been published in the Royal Gazette and has been in effect since 4 September 2023.

Key provisions of the Notification include:

Section 6 stipulates that license holders must obtain separate consent from users before using or disclosing their personal data for purposes other than operating the telecommunications business. License holders must clearly inform users of the scope and purpose of that use, the types of personal data that will be used or disclosed, and any third parties involved. Users must be given the option to confirm or withdraw their consent. License holders must comply with the conditions specified in the Notification and any additional requirements imposed by the NBTC. The language used must be clear and easily understandable and must not mislead users about the purpose. Consent may be obtained in writing or through technological means. Giving or withdrawing consent must not affect the user's ability to use the telecommunications service.


Section 7 outlines the details regarding sensitive data, which includes race, ethnicity, political opinions, beliefs, sexual behavior, criminal record, health record, disabilities, union information, genetic data, biological data, and any other data specified in the Personal Data Protection Law that may affect users.

Section 10 addresses the notification requirements for collecting personal data. As a rule, license holders must inform users before or at the time of collecting their personal data. Where data is collected from another source, license holders must notify the data subject within 30 days of the collection date. No notification is required where the collection does not require consent under Sections 6 and 7.

Section 14 states that if a data breach poses a high risk to individuals’ rights and freedoms, license holders must notify the NBTC within 24 hours of becoming aware of the breach. The notification must include the remedial measures for affected users.

Section 20 mandates that license holders publicly announce their policies for protecting users’ rights to personal data, privacy, and freedom of communication through telecommunications. These policies must be consistent with the Notification and the personal data protection law and must be displayed on the license holder’s website, at its places of service, and in its application forms and service agreements. The policies must also be approved by the NBTC.

Given these requirements, all license holders should update their practices to ensure compliance with the personal data protection rules. The protection of personal data is of particular importance in the telecommunications industry.

Author: Panisa Suwanmatajarn, Managing Partner.


Certified Courses and Training Program for DPO and Registered Instructor

On 8 August 2023, the Office of the Personal Data Protection Committee (“Office”) issued the Announcement of the Office of the Personal Data Protection Committee (“Committee”) Re: Criteria for Certified Courses and Training Programs for the Data Protection Officer and Registered Instructor (“Announcement”), together with its guidelines. Its purpose is to provide Data Protection Officers (“DPO”), registered instructors and training agencies with both legal knowledge and practical understanding so that they can comply with the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”).

This Announcement sets guidelines for 2 main matters with the details as follows:

1. Certified courses and training programs

Agencies or institutions that would like the Office to certify their courses and training programs must apply by email to course@pdpc.or.th. After consideration, the Committee delivers its opinion to the Secretary-General of the Personal Data Protection Committee (“Secretary-General”) for final decision. Certified courses and programs are published to the public.


2. Registered instructors

Separately from the certification of agencies or institutions under item 1, any individual who wishes to become a registered instructor can apply by email to course@pdpc.or.th. If the applicant’s qualifications meet the requirements, the applicant must attend a seminar and pass examinations organized by the Office. The registration is then completed and the instructor’s name is announced to the public. Registration is valid for one year and must be renewed by attending further seminars.

This Announcement has been effective since its date of publication. At present, no civil liability, administrative liability or criminal penalty applies to agencies or institutions that do not follow the Announcement and its guidelines. The Office aims to encourage agencies and institutions to attend the training programs so that they understand the provisions of the PDPA and can pass that knowledge on to DPOs.

Author: Panisa Suwanmatajarn, Managing Partner.


Thailand – defamation and insult can be considered as cyberbullying  

Previously, we discussed the difference between the laws regulating cyberbullying in other countries and in Thailand. Some countries have enacted laws that directly address harm caused by one person to another through electronic means, whether privately or publicly, such as the Cyber-protection Act 2017 of Nova Scotia, Canada, whereas Thailand relies on the law of defamation, which requires a third party and an intention to impute something to another person as elements of the offense.

In this article, we therefore address cyberbullying legislation with an emphasis on children, since bullying is most common among young people and now also takes place on social media. According to cyberbullying statistics, bullying is reported most often in the 14 to 18 age range, the high school years, as school is where bullying happens both physically and digitally. Some countries have accordingly implemented legislation to protect minors against cyberbullying, such as the United States and the Philippines, with the Massachusetts Anti-Bullying Law and the Anti-Bullying Act of 2013 respectively.


In Massachusetts, following the case of Phoebe Prince, a 15-year-old student at South Hadley High School, the state adopted the Massachusetts Anti-Bullying Law, which also governs cyberbullying. It imposes district policy requirements: every Massachusetts school district must develop a bullying prevention and intervention plan to prevent and respond to bullying by one or more students, and must review and update that plan at least biennially.

The Philippines enacted Republic Act No. 10627, the Anti-Bullying Act of 2013, which defines cyberbullying as a form of bullying and requires all elementary and secondary schools to adopt anti-bullying policies containing specific measures, such as prohibiting bullying, identifying the actions to be taken against perpetrators, and requiring the Department of Education (DepEd) to provide training programs for school administrators and staff to improve their knowledge and skills in handling bullying. These rules also cover cyberbullying that happens outside school premises or on non-school devices, reflecting the seriousness with which cyberbullying involving minors is treated.

In Thailand, there is no specific law governing cyberbullying or protecting minors against it. Cyberbullying cases are instead dealt with under either the Penal Code (PC), through the offenses of defamation and insult, or the Computer-Related Crime Act B.E. 2560 (2017) (CRC Act).

The difference between defamation and insult is whether a third party is involved. For example, if the bully intends to damage the victim’s reputation by spreading a statement to a third party in a way likely to cause hatred or contempt, this can constitute defamation under Section 326 of the PC. If the bully spreads that statement by publication on a social media platform, for instance by posting on Facebook or Twitter, it can constitute defamation by publication under Section 328 of the PC.

Section 14(1) of the CRC Act may also apply, since cyberbullying typically involves entering false or distorted computer data into a computer system such as a social media platform. As for insult, if the bully insults the victim in a private setting without a third party involved, Section 393 of the PC may apply. Section 392 of the PC may apply if the bully threatens the victim and causes fear or fright, even where this is done through a social networking platform.

Let’s be honest. Even though Thai law offers several ways to hold a bully liable, these are only the offenses of defamation and insult. Thai law should be made more specific so that it covers cyberbullying as such, especially against minors, since bullying is reported most often in the 14 to 18 high school age range. This could also curb the rise in bullying behavior and the depression and anxiety it causes in children, for whom being bullied is a major cause of both.

Author: Panisa Suwanmatajarn, Managing Partner.
