New Regulation Governing the Services Related to Digital Identity Proofing and Authentication System

Most people now conduct their transactions electronically. Before engaging in such transactions, the user must go through identity verification, which is now supported by digital systems and is an important step in helping the counterparty know its customers.

The Digital Identity Proofing and Authentication System is designed to provide a secure and efficient process for validating the identity of users who are attempting to access sensitive information. This system employs cutting-edge technology to ensure that only users with legitimate credentials can access the data they need. The system allows organizations to reliably authenticate user identities using a variety of methods such as biometrics, physical documents, government-issued IDs and other types of identification.

The Digital Identity Proofing and Authentication System also features robust data encryption techniques to protect the sensitive information from unauthorized access. This ensures that only users with appropriate credentials can access the data. Additionally, the system has been designed to be tamper-resistant and provide comprehensive reports that allow organizations to track user activity and access history.


In addition to security features, the system includes a range of tools for user management. Administrators can manage user roles, access rights, and account information quickly and easily. They can also enable or disable users in bulk and set temporary passwords for new users.

The main regulations on digital identification include the European eIDAS Regulation, the General Data Protection Regulation, the Identity Theft Prevention Act, the EU Payment Services Directive and the Anti-Money Laundering Directive. These regulations set out requirements for digital identities, such as customer authentication, data protection and fraud prevention. Companies providing digital identification services in the EU must ensure compliance with these laws. Additionally, some countries have their own regulations that must be adhered to when offering such services.

The Digital Identity Proofing and Authentication System is an essential tool for any organization that needs to maintain accurate records and secure access to sensitive data. It provides a simple yet powerful solution for verifying user identities while also ensuring security.

In this regard, the Royal Decree on Supervision of Services Related to Digital Identity Proofing and Authentication System B.E. 2565 (2022) (“Royal Decree”) was announced on 23 December 2022 and will be effective 180 days after the announcement (i.e. 21 June 2023). It governs the operations of legal entities that provide services related to digital identity proofing and authentication systems.

The Royal Decree specifies the characteristics of the service provider who must obtain a license to operate digital identity proofing and authentication services, i.e. (1) identity proofing services, (2) authenticator services, (3) identity authentication services and (4) services for exchanging digital proofing and authentication data through a network or system. Furthermore, an applicant must be a limited company, a public limited company or another legal entity that meets the qualifications defined by the Electronic Transactions Development Agency (“ETDA”), and must submit all required documents and information to the ETDA, such as information about the system and technology used to provide the services, a risk assessment and management plan, a personal data protection plan, and security plans and measures for its information systems.


The licensee has duties to report as follows:

  1. Submitting a Business Readiness Assessment Report to the ETDA within 180 days of receiving a license. Otherwise, the ETDA may consider revoking the license.
  2. Notifying the ETDA if a third party collects or retains Digital Identity Proofing and Authentication System information on its behalf. Any change of such third party must be reported to the ETDA within 15 days of the change.
  3. Notifying the ETDA of any change in registered capital, director, manager or person in charge of operating the services, as well as any change in the system or technology that may have an impact on service provision.
  4. Notifying the ETDA if it receives a complaint or a lawsuit relating to the licensee’s business operations.
  5. Submitting an annual report to the ETDA in the format, content and method prescribed by the ETDA.
  6. Inspecting the digital identity proofing and authentication system and reporting the results to the ETDA.
  7. Notifying the ETDA at least 60 days before the expected date of discontinuation of business.

The ETDA shall consider announcing the rules, procedures and conditions concerning the period for business termination, transfer of services to another Licensee, management and collection of information relating to digital identity proofing and authentication and any other matters that ETDA deems appropriate in order to prevent damage, protect service users and ensure that users can continue to use the services.

Service providers who require the license and were already in operation before the effective date of this Royal Decree may continue their businesses. However, they must apply for a license and submit a business readiness assessment report within 90 days of the Royal Decree’s effective date. Therefore, if you are required to obtain this license, please read this Royal Decree and begin preparing your application, and keep up to date on any new sub-regulations that may be announced.

Author: Panisa Suwanmatajarn, Managing Director.

Guideline for Privacy Notice and Collection of Personal Data

By now, Data Controllers should be aware that under Section 23 of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), the Data Controller is required to notify the Data Subject of the details and purposes of the collection, use or disclosure of personal data through a Privacy Notice before or at the time of collection. In this regard, the Personal Data Protection Commission (“PDPC”) has issued a guideline on the Privacy Notice and the collection of personal data. Before complying with this guideline, the Data Controller must first determine whether any specific regulations issued by other regulators govern the same matter. If such regulations exist and their standard is not lower than that of the PDPA, the Data Controller must follow those regulations.


Before preparing the Privacy Notice, the Data Controller must consider the fairness the Data Subject will receive, including the consequences of the collection, use and disclosure of personal data, and must state the purpose of the collection in clear and plain language that is not deceptive or misleading. The purpose of processing personal data must be obvious, specific and lawful so that the Data Subject can explicitly understand and be aware of it, particularly the section on disclosure of personal data to third parties, before giving his or her consent. Where another legal basis can be applied to the collection, use or disclosure of personal data, the Data Controller may rely on that legal basis as well. The guideline also lists the details that should be specified in the Privacy Notice.

Section 25 of the PDPA prohibits the Data Controller from collecting personal data from any source other than the Data Subject directly; however, the Data Controller may do so if the following exceptions are met.

  1. The Data Controller is required to inform the Data Subject of such indirect collection within thirty days of the collection date in order to request consent from the Data Subject and to process the personal data for a new purpose to which the Data Subject has never previously consented. In practice, a Data Controller that receives personal data from another source does not, in some cases, need to provide the details under Section 23, because the Data Controller that originally collected the data is supposed to have notified the Data Subject in the first place. However, if the original Data Controller did not do so, the current Data Controller must comply with Section 23 by notifying the Data Subject within thirty days, as stated above.
  2. The current Data Controller is not required to provide the Privacy Notice to the Data Subject or obtain consent from the Data Subject again if the Data Subject was already aware of the purpose and details of the personal data collection.
  3. If it is impossible for the current Data Controller to notify the Data Subject, the Data Controller must have an appropriate security system in place to protect the rights, freedoms and interests of the Data Subject.

In this regard, the Data Controller shall either make a public announcement and state the necessities of such personal data collection or provide the Data Protection Impact Assessment (DPIA) in order to identify and assess the risk or damage that may result from the use or disclosure of personal data.

Author: Panisa Suwanmatajarn, Managing Partner.

PDPA – Procedures for Filing Complaint

Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) is a new law in Thailand, fully effective on 1 June 2022, which was enacted for the purpose of protecting personal data of data subjects.

A data subject is a person who owns his/her personal data and who gives the necessary personal data to a service provider (called the data controller) so that the provider can perform what both parties agreed under the contract. Personal data is therefore anything that can be used to identify the data subject directly or indirectly. However, a data subject does not include a juristic person or a deceased person.

The rights of the data subject are the right to access, the right to rectification, the right to data portability, the right to erasure, the right to restriction, the right to object, the right to withdraw consent and the right to complain.


Under the data subject’s right to complain in Section 73 of the PDPA, a data subject may file a complaint with the Office of the Personal Data Protection Committee (“Office”) against an offender (i.e., a data controller, data processor or any person who violates his/her rights) if his/her personal data is violated.

On 12 July 2022, a subordinate regulation, the Criteria for Filing, Refusal of Acceptance, Dismissal, Consideration and Timeframe for Consideration of Complaint B.E. 2565 (2022) (“Subordinate Regulation”), came into force, specifying the procedures, timeframes and documents required for filing a complaint with the Office. However, although this Subordinate Regulation has been in force for a month, people still question the practical procedures for filing a complaint.

There is no fixed complaint form and there is only a list of required documents specified in the Subordinate Regulation. However, the complaint must be made in a letter consisting of the complainant’s name, address, telephone number or email address, facts with details and related information, details of damage or effects, evidence, and things that the data subject requests to do, together with a sentence certifying that the information in the letter is true.

Once the complaint letter and all documents have been prepared, the data subject can either send the complaint by registered mail to the Office or submit it in person at the Office. The Subordinate Regulation also stipulates that a complaint can be submitted via an electronic channel.

The data subject’s identification card must be presented at the time of submitting the complaint. If the data subject appoints an attorney, a power of attorney with a complete specification of the assigned duties and the correct stamp duty, together with the attorney’s certified copy of an ID card, passport or any other identity document issued by the government, must be submitted with the complaint.

For the timeframe for consideration, the Subordinate Regulation has divided it into three stages as follows:

  • The competent official shall review and check the completeness of the complaint and evidence within 15 days of receipt to decide whether to accept the complaint for further consideration.
  • After the competent official has accepted the complaint, the complainant shall receive an acknowledgment receipt and a complaint number. Then, within another 15 days, the competent official will consider the following:
      • whether the action specified in the complaint violates the provisions of the PDPA;
      • whether the complaint has grounds as specified by the PDPA and it is reasonable to make a complaint;
      • whether the expert committee has the authority to consider the complaint.
  • The competent official will then pass the complaint to the expert committee for further consideration. At this stage, the duration is not specified.

If the complaint is complete and accurate, the expert committee will consider the complaint further and the result shall be one of the following:

  • Dismissing the complaint, if the expert committee considers that it has no grounds under the PDPA.
  • Not accepting the complaint, if the evidence is incomplete and the matter has not been considered a data breach.
  • Setting a conciliation session, if the complaint can be settled by conciliation proceedings.
  • Rendering a punishment in the form of an administrative fine.

If any question arises during the above period, for example incorrect or incomplete evidence, the competent official will contact the complainant until all required information and documents have been received. The complaint letter and evidence must be well prepared and sufficient to show the competent official that an actual violation has occurred. Please note that the expert committee will not consider the complaint if the details and documents are not complete and accurate; such a complaint shall be deemed invalid, and the expert committee may dismiss it.

In conclusion, for the data subject, your personal data is important and is something you should keep confidential. You should carefully select the service providers to which you give your personal data, choosing those that are able to comply with the PDPA and have strong security measures for collecting and processing your personal data.

Benefit of Outsourcing DPO

Under the Personal Data Protection Act B.E. 2562 (PDPA), fully enforced on 1 June 2022, the baseline standard of the law is to strengthen and reinforce the rights of the individual and to create a much-needed harmonization of data protection law. Under the PDPA, most organisations are required to designate at least one individual, either a natural person or a legal entity, as the data protection officer (DPO).

Currently, while the Personal Data Protection Committee (PDPC) has issued several sub-regulations, it has not yet prescribed the qualifications of a DPO. The PDPA only sets out the DPO’s roles and responsibilities. These roles are, among other things, to uphold the rights of data subjects, which may vary from one organization to another, and to ensure legal compliance with the PDPA.

Who needs a DPO?

  • Companies whose activities require regular and systematic monitoring of personal data on a large scale (the Draft PDPA Sub-Regulations suggest that “large scale” means that the data controller or data processor holds the personal data of more than 50,000 data subjects, or 5,000 data subjects in the case of sensitive data processing, within 12 months).
  • Public authorities, including governmental agencies, state enterprises, local administrative agencies and other state agencies.
  • Companies whose core activities concern the collection, use or disclosure of sensitive personal data.

An in-house DPO has the benefit of being fully conversant with the processes within the business entity. However, an outsourced DPO provides expert knowledge in a specialised field and experience of working with numerous organisations, and avoids a possible conflict of interest within the organization. Under the PDPA, a DPO must be independent enough to challenge the organization’s management on existing vulnerabilities. Since Thailand is still new to the PDPA, hiring an in-house DPO who is highly qualified in the PDPA may be difficult. Thus, outsourcing this task to a qualified external firm is an option.

To outsource the Data Protection Officer (DPO), the company would benefit from:

  • Time saving, allowing the organization to focus on its core business.
  • Meeting the independence requirements for the DPO role without compromising existing internal duties or roles.
  • Assurance regarding the correctness of decisions made.
  • Quick access to specialized, skilled and experienced consultants in the event of a personal data breach, supervisory authority investigation or other privacy impact event.
  • No need to set up an individual workplace, provide employment benefits or integrate a new staff member into the existing work environment.

New PDPA Subordinate Regulations

The subordinate regulations discussed below were issued under Section 16(4), Section 73 paragraph 2 and Section 90 paragraph 2 of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). The PDPA is Thailand’s very first law on the protection of personal data and puts in place effective remedial measures for data subjects whose rights are violated. The PDPA established the Personal Data Protection Commission (PDPC) to govern the PDPA and also established the Office of the PDPC (OPDPC) to handle administrative matters and act as the secretariat of the PDPC.

On 29 June 2022, two pieces of legislation under the PDPA were approved by the PDPC and published in the Royal Gazette on 17 July 2022, namely:

  1. The Criteria for Filing, Refusal of Acceptance, Dismissal, Consideration and Timeframe for Consideration of Complaint B.E. 2565 (2022)
  2. The Qualifications and Prohibitions, Term of Office, Vacate Office, and Other Operations of the Expert Committee B.E. 2565 (2022)


The Criteria for Filing, Refusal of Acceptance, Dismissal, Consideration and Timeframe for Consideration of Complaint B.E. 2565 (2022)

1. If a data controller or data processor, or their employees or contractors, breaches any provision of the PDPA, the data subject may report it to the expert committee by filing a complaint either in hard copy or electronically (a hard copy can be submitted directly to the PDPC or sent by registered mail).

2. The complaint shall include the name, address, phone number and email of the reporter or attorney, and a copy of the reporter’s ID card, passport or any other identity document issued by the government.

If the data subject has authorized an attorney, a power of attorney with a complete specification of the assigned duties and the correct stamp duty, together with the attorney’s certified copy of an ID card, passport or any other identity document issued by the government, must be submitted with the complaint.

The complaint must specify the facts and details of the data breach that the data controller or data processor, or their employees or contractors, committed against any provision of the PDPA, and the effect of such breach. All relevant evidence must be attached in support of the complaint. Moreover, the reporter must specify the request that the data controller or data processor be ordered to comply with the PDPA. There must be a statement certifying that the statements in the complaint are true.

Please note that the reporter can be the data subject, an attorney, or any person who holds parental responsibility over a child (parents), or the custodian or curator of the data subject.

3. The competent official shall review the complaint and all evidence within 15 days of receipt to decide whether to accept the complaint for further consideration. The competent official will contact the reporter if more information is needed. Please note that the competent official will accept the complaint and pass it to the expert committee only if all information is correct and complete. After the complaint has been accepted, the reporter will receive an acknowledgement receipt and a complaint number.

The matters that the competent official must consider within such 15 days are as follows:

  • Whether the action specified in the complaint is a violation of the provisions of the PDPA.
  • Whether the complaint has grounds as specified by the PDPA and it is reasonable to make a complaint.
  • Whether the expert committee has the authority to consider the complaint.

The competent official will then pass the complaint to the expert committee for further consideration. After receipt of the complaint, the expert committee will consider it and the result will fall into one of the following categories:

  • Dismissing the complaint, if the expert committee considers that it has no grounds under the PDPA.
  • Not accepting the complaint, if the evidence is incomplete and the matter has not been categorized as a data breach.
  • Setting a conciliation session, if the complaint appears suitable for settlement by conciliation proceedings.
  • Rendering a punishment in the form of an administrative fine.

If the expert committee deems that the consideration of a complaint raises an important legal issue, the expert committee shall pass the complaint to the PDPC for further consideration.

The expert committee must inform the reporter of the result of the complaint together with the reasons for that result.

The Qualifications and Prohibitions, Term of Office, Vacate Office and Other Operations of the Expert Committee B.E. 2565 (2022)

  1. The PDPC shall appoint one or more expert committees according to their expertise. Each committee consists of one chairperson and at least 4 members.
  2. A person to be appointed as chairperson or member of an expert committee must meet qualifications such as: being of Thai nationality; being not less than 25 years old; not being bankrupt or having previously been adjudged a dishonest bankrupt; not being an incompetent or quasi-incompetent person; and not having previously been fired, dismissed or discharged from official service, a government agency, a state enterprise or a private agency on the ground of dishonest performance of duties or serious misconduct.
  3. Moreover, the chairperson and members shall vacate office upon death, resignation, imprisonment by a court judgment, disqualification as specified above, or dismissal by the PDPC for failing the performance evaluation or committing disgraceful conduct.
  4. The chairperson and the members of the expert committee shall hold office for a term of four years.
  5. A meeting of the expert committee requires one-half of all members to constitute a quorum. Decisions of the meeting shall be made by a majority of votes, with each member having one vote. In the case of a tie, the chairperson shall have the casting vote. The meeting may be held by electronic means.
  6. Any member who has an interest in a matter being considered at the meeting must inform all members of that interest before the meeting, and that member shall be prohibited from attending the meeting.
  7. The Secretary-General of the PDPC shall appoint a maximum of two secretaries to each expert committee.
  8. If there is a joint meeting of more than one expert committee, the chairperson of the most senior expert committee shall preside over the meeting. The joint meeting shall consist of not less than 6 members, and the members attending must come from all committees invited to the meeting in order to constitute a quorum.