New Sub-Regulations under Thailand Personal Data Protection Act

As the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) is already in force, the sub-regulations specifying its details are in the process of being released. Every organisation must therefore take due care in performing its duties as a controller or processor when keeping, utilising, storing, and transferring personal data, since these activities may affect the data subject and lead to future damage.


In this article, we briefly outline the sub-regulations issued by virtue of the PDPA, which are as follows:

  • Under the PDPA, the data controller and data processor are responsible for keeping a record of the collection and utilisation of personal data. The announcement by the PDPA Committee effective on 21 June 2022 lays out the conditions for, and the method of, keeping this record. The record must include the name of the data controller, the name of the data processor, the DPO including its contact details, the types, characteristics, and purposes of the collection and processing of data, and details of security measures. The record may be kept in paper or electronic form that is easily accessible to the relevant officer and the data controller upon request.
  • However, the record-keeping duty described above is subject to an exemption under another announcement by the PDPA Committee, also effective on 21 June 2022. The announcement defines the characteristics of small businesses that are exempt from this duty, such as small and medium enterprises, cooperatives, foundations, or family businesses under their relevant laws. Nevertheless, if the activities concern sensitive data or may affect the rights and freedoms of the data subject, the record is still required.
  • In addition, the data controller must put in place security measures as set out in the announcement of the PDPA Committee effective on 21 June 2022. These measures shall cover the keeping, collecting, using, and disclosing of personal data and include necessary organisational, technical, or physical measures.
  • Lastly, if the controller or processor fails to uphold its duties under the PDPA, it shall be subject to civil, criminal and/or administrative sanctions. For the administrative sanctions, the PDPA Committee has also issued an announcement effective on 21 June 2022 specifying what the data subject is entitled to do once its rights under the PDPA have been breached, how the PDPA officer/specialised Committee may consider and issue an administrative order, and the administrative penalties that the PDPA officer/specialised Committee may impose on a data controller or processor that fails to comply with the PDPA.