Types of Business and Agency in which Certain Parts of the PDPA Shall not Be Applicable
A data controller is defined as a person or juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of personal data. Under the PDPA, the data controller shall be imposed with various obligations, for example, notifying of personal data collection, obtaining consent (if applicable), and having in place security measures, etc.
On July 11th, 2023, the cabinet approved the Draft Royal Decree Prescribing Types of Business and Agency in which certain parts of the PDPA shall not be applicable B.E. …. (the “Draft Royal Decree”). The Draft Royal Decree is intended to exempt certain obligations of the certain types of data controller, in order to ease their usual objectives or operations. Essentially, the key provisions of this Draft Royal Decree are, (1) certain obligations under the PDPA may be exempted where the collection of personal data is for the public interest, and such government agency is authorized by law; (2) consent for disclosure of personal data may not be required where the government agency is authorized to do so according to the law; and (3) the Draft Royal Decree reaffirm the data subject’s right to file a request to the Personal Data Protection Committee (“PDPC”) for interpretation of various matters.
According to the summary of the cabinet’s minutes by the government’s spokesperson, the certain government agencies may be exempted from the obligations under Part 2 ‘Personal Data Collection’ and Part 3 ‘Use or Disclosure of Personal Data’ of the PDPA to the extent that their processing of personal data is in accordance with the exemption’s conditions and purposes of personal data processing (prescribed under the Draft Royal Decree).
That being said, we also noted that the summary of the Draft Royal Decree by the government spokesperson signifies that there has been a significant amendment from the previously published version (the Ministry of Digital Economy and Society’s Results of Public Hearing Group 2). In the previous version, it was also specified the cases where other types of data controllers (i.e., not government agencies) may be exempted from certain obligations. For example, where the data controller’s purposes for processing of personal data would be tampered by complying with the personal data collection notification requirements, then such data controller may be exempted from the said obligations.
At this stage, the approved Draft Royal Decree shall soon be published in the Royal Gazette. Monitoring of this publication and enforcement of this Draft Royal Decree may be of the essence to all data controllers and/or data processors who are subjected to the PDPA’s obligations. As the exemption may be applicable to their cases as well.
- Compliance with Takedown Notice Practices in Thailand
- USTR Annual Review on Thailand Intellectual Property Protection 2023
- Why Businesses Should Choose Rehabilitation
- Trade Competition Commission Draft Announcement on Suggested Price List
- Proposed Rehabilitation Processes for Small and Medium Enterprises (SMEs)
- Registration and Renewal of Pharmacopeia: Ensuring Quality, Effectiveness, and Safety