Types of Business and Agency in which Certain Parts of the PDPA Shall not Be Applicable

Previously, on June 1st, 2022, the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) came into force, imposing obligations on any person who collects, uses, or discloses personal data.  

A data controller is defined as a person or juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of personal data. Under the PDPA, the data controller is subject to various obligations, for example, notifying data subjects of personal data collection, obtaining consent (where applicable), and having security measures in place.

On July 11th, 2023, the cabinet approved the Draft Royal Decree Prescribing Types of Business and Agency in which certain parts of the PDPA shall not be applicable B.E. …. (the “Draft Royal Decree”). The Draft Royal Decree is intended to exempt certain types of data controller from certain obligations, in order to ease their usual objectives or operations. Essentially, the key provisions of this Draft Royal Decree are: (1) certain obligations under the PDPA may be exempted where the collection of personal data is for the public interest and the government agency concerned is authorized by law; (2) consent for disclosure of personal data may not be required where the government agency is authorized to disclose it according to the law; and (3) the Draft Royal Decree reaffirms the data subject’s right to file a request to the Personal Data Protection Committee (“PDPC”) for interpretation of various matters.


According to the summary of the cabinet’s minutes by the government’s spokesperson, certain government agencies may be exempted from the obligations under Part 2 ‘Personal Data Collection’ and Part 3 ‘Use or Disclosure of Personal Data’ of the PDPA to the extent that their processing of personal data is in accordance with the exemption’s conditions and the purposes of personal data processing prescribed under the Draft Royal Decree.

That being said, we also noted that the government spokesperson’s summary of the Draft Royal Decree signifies a significant amendment from the previously published version (the Ministry of Digital Economy and Society’s Results of Public Hearing Group 2). The previous version also specified cases where other types of data controllers (i.e., not government agencies) may be exempted from certain obligations. For example, where the data controller’s purposes for processing personal data would be hampered by complying with the personal data collection notification requirements, such data controller may be exempted from the said obligations.


At this stage, the approved Draft Royal Decree shall soon be published in the Royal Gazette. Monitoring the publication and enforcement of this Draft Royal Decree may be of the essence to all data controllers and/or data processors who are subject to the PDPA’s obligations, as the exemption may be applicable to their cases as well.

Author: Panisa Suwanmatajarn, Managing Partner.


Monitoring of Personal Data or the System that Requires an Appointment of DPO

Section 41 (2) of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) prescribes that the data controller and the data processor shall designate a data protection officer (“DPO”) if the activities of the data controller/processor in the processing of personal data require regular monitoring of personal data or the system, by reason of having a large number of personal data as prescribed and announced by the Personal Data Protection Committee (“PDPC”).

Given that the PDPA has been in effect for a year, many organizations in Thailand are still unsure whether they are required to appoint a DPO or not. As a result, the PDPC is considering the Draft Notification of the PDPC re: data controllers and data processors who collect, use, or disclose personal data that requires regular monitoring of the personal data or the system due to a large scale of personal data that must appoint a DPO, B.E. …. (the “Draft Notification”). This Draft Notification was posted on the Law Portal on July 13th, 2023, for the public to consider and express their opinions (the public hearing closes on July 27th, 2023).


Under the Draft Notification, the PDPC intends to clarify the following three criteria: (1) what constitutes a core activity; (2) what is meant by regular monitoring of personal data or the system; and (3) how to determine whether a data controller or data processor has a large number of personal data. The summary is as follows:

1. Core Activities:

The core activities are defined under the Draft Notification as actions required to achieve the data controller’s or data processor’s business objectives or goals.  

2. Regular Monitoring of Personal Data or the System:

The Draft Notification deems that a data controller or data processor regularly monitors personal data or the system if the core activities of the said data controller or data processor systematically or regularly track, monitor, or predict data subjects’ behavior (i.e., profiling).

Additionally, the Draft Notification prescribes scenarios where the processing of personal data would automatically be deemed to require regular monitoring. Examples include:

  • Processing of personal data relating to the holder of a membership card, electronic card, or any other card that allows the card service provider or any other person to review the card usage information.
  • Processing of personal data for the purpose of behavioral advertising.
  • Processing of personal data for security purposes.

3. A Large Number of Personal Data:

Further, the Draft Notification sets out the criteria by which the data controller or data processor shall determine whether their processing of personal data is considered to be on a large scale or not. The criteria are as follows: (1) the proportion of the number of data subjects and the amount of personal data; (2) the quantity and type of personal data; (3) retention period and permanence; and (4) territorial or geographical scale of personal data collection.


Additionally, the Draft Notification prescribes scenarios where the processing of personal data would automatically be deemed to be of a large scale. Examples include:

  • Processing personal data for the purpose of behavioral advertising through the use of search engines or social media.
  • Processing of personal data by a type 3 telecommunication business operator.

By reading this far, you probably have an idea of whether your organization would need to appoint a DPO or not. Please note, however, that organizations whose DPO performs duties or tasks other than data protection must consider the scope of his/her duties or tasks and warrant to the PDPC office that those duties or tasks do not conflict with the DPO’s main duties under the PDPA. Data controllers and data processors should read this Draft Notification carefully and monitor its development.

It is crucial for all data controllers and data processors to note that if they are subject to this requirement but fail to appoint a DPO as required by the PDPA, they may be subject to an administrative fine of up to 1 million Baht.

Author: Panisa Suwanmatajarn, Managing Partner.


PDPA – Procedures for Filing Complaint

The Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) is a new law in Thailand, fully effective on 1 June 2022, which was enacted for the purpose of protecting the personal data of data subjects.

A data subject is a person who owns his/her personal data and who gives the necessary personal data to a service provider (called the data controller) so that the service provider can perform what both parties agreed under the contract. Personal data is therefore anything that can be used to identify the data subject directly or indirectly. However, the data subject does not include a juristic person or a deceased person.

The rights of the data subject are the right to access, the right to rectification, the right to data portability, the right to erasure, the right to restriction, the right to object, the right to withdraw consent, and the right to complain.


Under the data subject’s right to complain in Section 73 of the PDPA, one may file a complaint to the Office of the Personal Data Protection Committee (“Office”) against an offender (i.e., a data controller, data processor, or any person who violates his/her rights) if his/her personal data is violated.

On 12 July 2022, a subordinate regulation was issued, the Criteria for Filing, Refusal of Acceptance, Dismissal, Consideration and Timeframe for Consideration of Complaint B.E. 2565 (2022) (the “Subordinate Regulation”), specifying the procedures, timeframes, and documents required for filing a complaint to the Office. However, although this Subordinate Regulation has been in force for a month, people still question the practical procedures for filing a complaint.

There is no fixed complaint form; the Subordinate Regulation specifies only a list of required documents. However, the complaint must be made in a letter consisting of the complainant’s name, address, telephone number or email address, the facts with details and related information, details of the damage or effects, evidence, and what the data subject requests to be done, together with a sentence certifying that the information in the letter is true.

Once the complaint letter and all documents have been prepared, the data subject can either send the complaint by registered mail to the Office or submit it in person at the Office. The Subordinate Regulation also stipulates that a complaint can be submitted via an electronic channel.

An identification card of the data subject must be presented at the time of submitting the complaint. In the case that the data subject appoints an attorney, a power of attorney with a complete specification of the assigned duties and the correct stamp duty, together with the attorney’s certified copy of an ID card, passport, or any identity document issued by the government, must be submitted together with the complaint.

For the timeframe for consideration, the Subordinate Regulation divides it into three stages as follows:

  • The competent official shall review and check the completeness of the complaint and evidence within 15 days of receipt and decide whether to accept the complaint for further consideration.
  • After the competent official accepts the complaint, the complainant shall receive an acknowledgment receipt and a complaint number. The competent official will then consider the following matters within another 15 days:
    • Whether the action specified in the complaint violates the provisions of the PDPA.
    • Whether the complaint has grounds as specified by the PDPA and it is reasonable to make a complaint.
    • Whether the expert committee has the authority to consider the complaint.
  • The competent official will then pass the complaint to the expert committee for further consideration. At this stage, the duration is not specified.

If the complaint is complete and accurate, the expert committee will further consider the complaint and the result shall be categorized as one of the following:

  • Dismissing the complaint, if the expert committee considers that it has no grounds under the PDPA.
  • Not accepting the complaint, if the evidence is incomplete and the matter has not been considered a data breach.
  • Setting a conciliation session, if the complaint can be settled by conciliation proceedings.
  • Rendering punishment as an administrative fine.

If there is any question during the above period, for example incorrect or incomplete evidence, the competent official will contact the complainant until all required information and documents have been received. The complaint letter and evidence must be well prepared and sufficient to show the competent official that there is an actual violation. Please note that the expert committee will not consider the complaint if the details and documents are not complete and accurate; such a complaint shall be deemed invalid, and the expert committee may dismiss it.

In conclusion, for the data subject, your personal data is important and is something that you should keep confidential. You should consider carefully and choose to provide your personal data only to a service provider who is able to comply with the PDPA and has high-standard security measures for collecting and processing your personal data.

Benefit of Outsourcing DPO

According to the Personal Data Protection Act B.E. 2562 (PDPA), fully enforced on 1 June 2022, the baseline standard of the law is to strengthen and reinforce the rights of the individual and create a much needed harmonization of data protection law. Under the PDPA, most organisations are required to designate at least one individual, a natural person or a legal entity, as the data protection officer (DPO).

Currently, while the Personal Data Protection Committee (PDPC) has issued several sub-regulations, it has not yet prescribed the qualifications of a DPO. The PDPA only sets out the DPO’s roles and responsibilities. The DPO’s roles are, among other things, to uphold the rights of data subjects, which may vary from one organization to another, and to ensure legal compliance with the PDPA.

Who needs a DPO?

  • Companies whose activities require regular and systematic monitoring of personal data on a large scale (the Draft PDPA Sub-Regulations suggest that “large scale” means the data controller or data processor has in its possession personal data of more than 50,000 data subjects, or 5,000 data subjects in the case of sensitive data processing, within 12 months).
  • Public authorities, including governmental agencies, state enterprises, local administrative agencies, and other state agencies.
  • Companies whose core activities concern the collection, use, or disclosure of sensitive personal data.

An in-house DPO has the benefit of being fully conversant with the processes within the business entity. However, an outsourced DPO provides expert knowledge in a specialized field and experience of working with a number of organisations, and avoids a possible conflict of interest within the organization. A DPO, under the PDPA, must be independent enough to challenge the management of the organization on existing vulnerabilities. Since Thailand is still new to the PDPA, hiring an in-house DPO who is highly qualified on the PDPA may be difficult. Thus, outsourcing this task to a qualified external firm is an option.

By outsourcing the Data Protection Officer (DPO) role, the company would benefit from:

  • Time saving, as the organization can focus on its core business.
  • Meeting the independence requirements for the DPO role without compromising existing internal duties or roles.
  • Assurance regarding the correctness of decisions made.
  • Quick access to specialized, skilled, and experienced consultants in the event of a personal data breach, supervisory authority investigation, or other privacy impact event.
  • No need to set up an individual workplace or employment benefits, or to integrate a new staff member into the cohesive work environment.