Brief Notification for the Digital Platform Services

The Notification of the Electronic Transactions Commission regarding the Nature of the Digital Platform Services Requiring a Notification of the Brief List (“Notification”) was published in the Royal Gazette on 18 August 2023 by virtue of Section 8 of the Royal Decree on the Operation of Digital Platform Service Business that are Subject to Prior Notification B.E. 2565 (2022) (“Royal Decree”), and it will be enforced from 21 August 2023 onwards.

This Notification prescribes the details of the qualifications of the digital platform service providers under Section 8 of the Royal Decree, which are (1) earning a yearly gross income in Thailand of not more than 1,800,000 Baht as a natural person, or not more than 50,000,000 Baht as a juristic person, and (2) having no more than 5,000 monthly average users (“Digital Platform Service Providers”). Such providers are to notify the information listed below (a brief list) to ETDA prior to operating their platforms:

  • Platform operator’s information, i.e., natural person’s name-surname or juristic person’s name, national identification number or juristic person registration number, address, juristic person’s accounting period, and contact channel which can be URL or application.
  • Digital Platform Service Providers’ information, i.e., name, type, and channel of the Digital Platform Service Providers.
  • Digital Platform Service Providers’ point of contact in Thailand.

In the Notification, we noticed additional qualifications of the Digital Platform Service Providers which, in our view, conflict with the principle of the definition of the term “digital platform services” and with Section 8 of the Royal Decree, as it shall not include a digital platform service that is intended for offering goods or services of a single digital platform service operator or an affiliated company which is an agent of such operator, irrespective of whether the goods or services are offered to third persons or to affiliated companies.

Furthermore, the aforementioned Digital Platform Service Providers must notify the ETDA of the following information on an annual basis, i.e., (1) within 60 days of the end of the calendar year in the case of a natural person platform operator or (2) at the end of the fiscal year in the case of a juristic person platform operator:

  • Value of transactions incurred on the service platforms (if any)
  • Gross income from providing the service platform in Thailand (if any)

This Notification is only applicable to smaller size Digital Platform Service Providers. However, Digital Platform Service Providers in general are still obligated to comply with. The sanction for failure to notify the required information would be an order issued by the competent official prohibiting the Digital Platform Service Providers from providing the digital platform services.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

Details of Terms and Conditions for the Digital Platform Service Businesses

On 21 August 2023, the Royal Decree on the Operation of Digital Platform Service Businesses that are Subject to Prior Notification B.E. 2565 (2022) (“Royal Decree”) came into force. In this regard, Section 17 of the Royal Decree requires the digital platform service and search engine providers that meet certain requirements to prepare and publish terms and conditions with the minimum information prescribed in the Royal Decree (“Terms and Conditions”). The Royal Decree itself, however, did not provide details or clarifications in regard to such minimum requirements. As such, the Electronic Transactions Development Agency (“ETDA”) has issued a Notification of ETDA number Thor.Por.Dor. 4/2566 on the Details on the Publication of Terms and Conditions of Services for Users’ Knowledge (“Notification”).


The Notification consists of various details that are important for the digital platform service providers to comply with. The key provisions can be categorized as provisions that further clarify Section 17 of the Royal Decree and provisions that assign additional obligations to the digital platform service providers. Some of the key provisions are summarized as follows:

  1. The Terms and Conditions must be in Thai, easily understandable by the platform’s users, easily accessible, and composed of enough details for the user to make an informed decision whether to use the platform or not. The digital platform service providers must also notify the ETDA and provide evidence showing that they have published the Terms and Conditions for the users’ knowledge.
  2. Where the digital platform service providers treat each of the products, services, or contents of the business users differently, the digital platform service providers must clearly specify the differences in the Terms and Conditions.
  3. In addition to the prescribed minimum requirement in Section 17 of the Royal Decree, the digital platform service providers that meet the requirement of Section 16 (1) of the Royal Decree must also prescribe additional items, such as an additional distribution channel, the ownership or entitlement in intellectual property after entering into the Terms and Conditions, ancillary or complementary goods and services that are offered to the users before the transaction is concluded, conditions for suspending or terminating the provision of services, etc.
  4. To make it easier for the digital platform service providers to comply with Section 17 of the Royal Decree, the Notification further gives examples of the algorithms required to be included in the Terms and Conditions, for example, price, keywords, user demographic, quality of products, quality of seller, and users’ reviews of the goods or services.
  5. Where Section 17 (8) of the Royal Decree requires the digital platform service providers to include in the Terms and Conditions “an actions to be taken to illegal goods, services, or contents”, the Royal Decree further clarifies that the digital platform service providers must specify whether the processes, measures, or mechanisms they use in determining whether a good, service, or content is illegal are carried out by algorithmic decision-making or by human review. The Notification further requires the digital platform service providers to have in place a notice-and-takedown mechanism and details thereof.

Please be reminded that the aforementioned information is only a brief summary of what is prescribed under the Notification. Terms and Conditions to be prepared in accordance with the Notification are said to be of complex structure and detail. Digital platform service providers must pay attention to the details to avoid any non-compliance with the law.

Author: Panisa Suwanmatajarn, Managing Partner.


ETDA’s Recommendation for an Online Merchant Management System with Cash on Delivery Service

The Electronic Transactions Development Agency (ETDA) has recently proposed a draft of ICT Standards for Electronic Transactions, specifically recommending guidelines for an online merchant management system that offers cash-on-delivery (COD) services. The purpose of this recommendation is to establish consistent practices for service providers in this field, addressing emerging challenges and mitigating potential risks associated with COD transactions. Ultimately, the goal is to enhance customer confidence and trust in the process of buying and selling products through COD.

The recommendation is structured into four main sections: scope, definition, introduction of COD, and conditions for online merchant delivery management services. Key points from each section are summarized as follows:

  • Authentication of COD online merchants: service providers are required to authenticate online merchants before allowing them to activate their services on the platform. This includes notifying the merchants about the authentication criteria and the information that needs to be collected, such as their names, identification numbers, and bank account numbers, to be in compliance with relevant laws.
  • Online merchant delivery information must be maintained. Such information includes tracking numbers and recipient details. Additionally, any unusual behavior exhibited by online merchant service providers must be monitored.
  • Provisions of recipient information on parcel cover sheets
    • Information on parcel cover sheets: service providers are obligated to include clear and visible information on the parcel cover sheets. This includes the service provider’s names, contact information, websites or communication channels, and details related to recipients’ support.
    • Information for assisting recipients: service providers must provide information on how the system assists recipients. This includes details on scenarios where the system can assist, channels for reporting problems, and any evidence that recipients may need to submit for investigation.
  • Monitoring and addressing online merchant delivery behavior to prevent scams related to COD transactions: service providers must continuously monitor and track incidents involving online merchants. They should establish procedures for addressing suspicious behavior, which include the following steps:
    • Suspected scammers: if more than 10% of recipients report unexpected deliveries or parcels they did not purchase from a specific merchant, the service providers must permanently terminate that merchant’s account.
    • Non-compliant items: if the items received by recipients do not meet the specifications as specified, service providers should notify the online merchants and request information to investigate and resolve the issue for both the merchants and the recipients.
    • Incident recording for future analysis: service providers are required to maintain records of incidents involving online merchant behaviors, which can be analyzed in the future for further insights.
    • Gathering evidence and reporting wrongdoings: if evidence related to scams or other wrongdoings is gathered, service providers should report the findings to the relevant authorities.

It is important to note that the above conditions and procedures are recommendations with no legal enforcement. They serve as guidance for service providers in the industry to establish best practices and maintain a high level of service quality and protection to the customers.

Author: Panisa Suwanmatajarn, Managing Partner.


Thailand – defamation and insult can be considered as cyberbullying  

Previously, we discussed the difference between laws regulating cyberbullying in other countries and in Thailand. Some countries enact a law that addresses direct harm caused by one person to another through electronic means, either privately or publicly, such as the Cyber Protection Act 2017 in Canada, whereas Thailand uses the law on defamation, which requires a third party and an intention to impute the other person as elements of the offense.

In this article, we therefore address cyberbullying legislation with an emphasis on children, since bullying is more common among young people and children and can now take place on social media. According to cyberbullying statistics, ages 14-18, the high school age, is the range where reported bullying happened the most, since the school is the place where bullying happens both physically and digitally. As a result, some countries have implemented legislation to protect minors against cyberbullying, such as the United States and the Philippines, with the Massachusetts Anti-Bullying Law and the Anti-Bullying Act of 2013, respectively.


In Massachusetts, following the incident involving Phoebe Prince, a 15-year-old student at South Hadley School, the state adopted the Massachusetts Anti-Bullying Law, which also governs cyberbullying. It includes district policy requirements, such as the need for Massachusetts school districts to prevent and respond to bullying conducted by one or more students by developing a bullying prevention and intervention plan, which districts must review and keep up to date at least biennially.

The Philippines also enacted Republic Act No. 10627, or the Anti-Bullying Act of 2013, which defines cyberbullying as an act of bullying and requires all elementary and secondary schools to adopt policies addressing the existence of bullying by specific acts such as prohibiting bullies and identifying the measures to take against perpetrators, and requires the Department of Education (DepEd) to provide training programs for school administrators and staff to improve knowledge and skills regarding bullying. The aforementioned rules also encompass cyberbullying that happens outside of school premises or on non-school devices, since these criteria demonstrate the serious concerns and obligations for minors who engage in cyberbullying.

In Thailand, there is no specific law governing acts of cyberbullying or protecting minors against cyberbullying at all. Cases of cyberbullying will be governed by either the Penal Code (PC) regarding defamation and insult or the Computer-Related Crime Act B.E. 2560 (2017) (CRC Act).

The difference between defamation and insult is whether it involves a third party or not. For example, if the bully intends to impair the bullied’s reputation by spreading the message to a third party, which can cause hate or scorn, it can be considered a defamation offense under Section 326 of the PC. However, if the bully decides to spread the intention to impair the bullied’s reputation through publication on social media platforms, i.e. posting on Facebook or Twitter, it can be considered a defamation offense under Section 328 of the PC.

Moreover, the case could fall under Section 14 (1) of the CRC Act since cyberbullying must distort the computer data into a computer system such as a social media platform. In the case of insult, if the bully insults the bullied in a private forum without a third party’s involvement, Section 393 of the PC could apply. It could likewise fall under Section 392 of the PC if the bully threatens the bullied, causing fear or fright, even though the threat comes through social network service platforms.

Let’s be honest. Even though Thai law has several ways to find the bully guilty, these are just the offenses of defamation or insult. Thai law should be more specific so as to cover the act of cyberbullying, especially among minors, since the high school age, between 14-18, is where reported bullying happened the most. This can also reduce the increase in bullying behaviors and the depression or anxiety in children, since being bullied is the major cause.

Author: Panisa Suwanmatajarn, Managing Partner.


Types of Business and Agency in which Certain Parts of the PDPA Shall not Be Applicable

Previously, on June 1st, 2022, the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) came into force, imposing obligations on any person who collects, uses, or discloses personal data.  

A data controller is defined as a person or juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of personal data. Under the PDPA, the data controller is subject to various obligations, for example, notifying of personal data collection, obtaining consent (if applicable), and having in place security measures, etc.

On July 11th, 2023, the cabinet approved the Draft Royal Decree Prescribing Types of Business and Agency in which certain parts of the PDPA shall not be applicable B.E. …. (the “Draft Royal Decree”). The Draft Royal Decree is intended to exempt certain types of data controller from certain obligations, in order to ease their usual objectives or operations. Essentially, the key provisions of this Draft Royal Decree are: (1) certain obligations under the PDPA may be exempted where the collection of personal data is for the public interest, and such government agency is authorized by law; (2) consent for disclosure of personal data may not be required where the government agency is authorized to do so according to the law; and (3) the Draft Royal Decree reaffirms the data subject’s right to file a request to the Personal Data Protection Committee (“PDPC”) for interpretation of various matters.


According to the summary of the cabinet’s minutes by the government’s spokesperson, certain government agencies may be exempted from the obligations under Part 2 ‘Personal Data Collection’ and Part 3 ‘Use or Disclosure of Personal Data’ of the PDPA to the extent that their processing of personal data is in accordance with the exemption’s conditions and purposes of personal data processing (prescribed under the Draft Royal Decree).

That being said, we also noted that the summary of the Draft Royal Decree by the government spokesperson signifies that there has been a significant amendment from the previously published version (the Ministry of Digital Economy and Society’s Results of Public Hearing Group 2). The previous version also specified cases where other types of data controllers (i.e., not government agencies) may be exempted from certain obligations. For example, where the data controller’s purposes for processing of personal data would be hampered by complying with the personal data collection notification requirements, then such data controller may be exempted from the said obligations.


At this stage, the approved Draft Royal Decree shall soon be published in the Royal Gazette. Monitoring of this publication and the enforcement of this Draft Royal Decree may be of the essence to all data controllers and/or data processors who are subject to the PDPA’s obligations, as the exemption may be applicable to their cases as well.

Author: Panisa Suwanmatajarn, Managing Partner.


Monitoring of Personal Data or the System that Requires an Appointment of DPO

Section 41 (2) of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) prescribes that the data controller and the data processor shall designate a data protection officer (“DPO”) if the activities of the data controller/processor in the processing of personal data require regular monitoring of personal data or the system, by reason of having a large number of personal data as prescribed and announced by the Personal Data Protection Committee (“PDPC”).

Given that the PDPA has been in effect for a year, many organizations in Thailand are still unsure whether they are required to appoint a DPO or not. As a result, the PDPC is considering the Draft Notification of the PDPC re: data controllers and data processors who collect, use, or disclose personal data that requires regular monitoring of the personal data or the system due to a large scale of personal data that must appoint a DPO, B.E. …. (the “Draft Notification”). This Draft Notification was posted on the Law Portal on July 13th, 2023, for the public to consider and express their opinion (public hearing closes on July 27th, 2023).  


Under the Draft Notification, the PDPC intends to clarify the following 3 criteria: (1) what constitutes a core activity; (2) what is meant by regular monitoring of personal data or the system; and (3) how to determine if a data controller or data processor has a large number of personal data. The summary is as follows:

1. Core Activities:

The core activities are defined under the Draft Notification as actions required to achieve the data controller’s or data processor’s business objectives or goals.  

2. Regular Monitoring of Personal Data or the System:

The Draft Notification deems that a data controller or data processor regularly monitors personal data or the system, if the core activities of the said data controller or data processor systematically or regularly track, monitor, or predict data subject’s behavior (i.e., profiles).  

Additionally, the Draft Notification also prescribes scenarios where the processing of personal data would automatically be deemed to require regular monitoring. Examples include:

  • Processing of personal data relating to the holder of a membership card, electronic card, or any other card that allows the card service provider or any other person to review the card usage information.
  • Processing of personal data for the purpose of behavioral advertising.
  • Processing of personal data for security purposes.

3. A Large Number of Personal Data:

Further, the Draft Notification sets out the criteria by which the data controller or data processor shall determine if their processing of personal data is considered to be on a large scale or not. The criteria are as follows: (1) the proportion of the number of data subjects and the amount of personal data; (2) the quantity and type of personal data; (3) retention period and permanence; and (4) territorial or geographical scale of personal data collection.


Additionally, the Draft Notification also prescribes scenarios where the processing of personal data would automatically be deemed to be of a large scale. Examples include:

  • Processing personal data for the purpose of behavioral advertising through the use of search engines or social media.
  • Processing of personal data by a type 3 telecommunication business operator.

Having read this far, you probably have an idea of whether your organization would need to appoint a DPO or not, but please note that organizations whose DPO performs duties or tasks other than data protection must consider the scope of his/her duties or tasks and warrant to the PDPC office that his/her duties or tasks do not conflict with the DPO’s main duties under the PDPA. The Data Controller and Data Processor should read this Draft Notification carefully and monitor the development of this Draft Notification.

It is crucial for all data controllers and data processors to note that if they are subject to the requirement but fail to appoint the DPO as required by the PDPA, they may be subject to an administrative fine of up to 1 million Baht.

Author: Panisa Suwanmatajarn, Managing Partner.


Unlawful Debt Collection and Violation of Personal Data Protection

This is a case study drawn from a case between the plaintiff, who is an ordinary person, and the defendants and its parent company, concerning offenses under the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) and the Debt Collection Act B.E. 2558 (2015) (“DCA”).

According to the plaint, the financial institution filed a court case over the plaintiff’s outstanding debt roughly 15 – 20 years ago and obtained a court decision to enforce the mortgage and all of the plaintiff’s assets, which were auctioned off and beforehand assigned to creditors. Currently, a group of people claiming to represent the defendants has phoned the plaintiff using a call center process for debt collection, causing disruption. In addition, the plaintiff has never given written consent regarding the phone number that has been used by the call center for any debt collection. While the defendants claimed that the phone number was acquired from the electronic reply letter with the plaintiff’s consent given to the Bank of Thailand (“BOT”), the plaintiff stated that it was registered after the debt was extinguished. Since the PDPA requires consent from the data subject, absent another legal basis, before using, collecting, or disclosing personal data, it is reasonable to assume that the phone number was collected as personal data without the plaintiff’s consent.

As a result, the plaintiff submitted the following requests to the court against the defendants in relation to the PDPA and the DCA:

  1. Request that the court order the defendants to reveal the acquisition of personal data on the basis of the plaintiff’s rights as a data subject as per Section 30 of the PDPA, which grants the data subject the right to request access to and disclosure of personal data. Thus, the plaintiff has the right to request the court to order the defendants to reveal personal data obtained without consent.
  2. Request that the court order the defendants to collectively pay 25 Satangs in compensation for the unlawful use of a phone number, which is general personal data that can identify the data subject under the PDPA.
  3. Request that the court order the defendants and all representatives to erase all of the plaintiff’s personal data from the system according to the data subject’s right to object to the collection, use, or disclosure of personal data at any time under Section 32 of the PDPA.
  4. Request that the court order the defendants to collectively pay 25 Satangs in compensation for violating the DCA through debt collection by frequent, unnecessary and annoying calls, an action that is not in line with the purpose of the DCA, which aims to regulate debt collection in an appropriate manner, to protect privacy rights, and to prevent impairment of reputation, false information, and trouble caused to others.

In conclusion, many people are currently suffering as a result of debt collection via a call center process. The plaintiff therefore intends for this case to serve as an example of illegal debt collection and personal data violation, which is why he requests such an amount of compensation. The court accepted the case on 28 April 2023, and the court’s order will be issued after the witness hearing proceedings. As another option, the plaintiff can also file a complaint with the Personal Data Protection Committee (“PDPC”) for consideration and an order for an administrative penalty against the defendants.

Author: Panisa Suwanmatajarn, Managing Partner.

NBTC Uplifted Personal Data Protection for Telco Users

Since the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) has been in effect for more than a year, several authorities, including the National Broadcasting and Telecommunications Commission (“NBTC”), have attempted to establish and implement policies in order to comply with the PDPA. Previously, there has been a Notification of the National Telecommunications Commission on Protecting User Rights Regarding Personal Data, Privacy, and Freedom of Communication through Telecommunications Service that became effective on 16 August B.E. 2549 (2006) (“Original Notification”), setting out measures to protect user rights through telecommunications service. However, in order to (1) protect the rights of telecommunications service users while operating in parallel with the use of personal data, (2) modernize and improve the user rights protection measures, and (3) fully and accurately comply with and implement the PDPA, the NBTC considers amending the Original Notification by drafting the Notification of the National Telecommunications Commission on Protecting User Rights Regarding Personal Data, Rights to Privacy, and Freedom of Communication through Telecommunications Service (“Notification”). This Notification was approved at meeting no. 13/2566 on 14 June 2023 and will be published in the Royal Gazette and shall be effective on the following announcement date, at which point the Original Notification shall be replaced.


Examples of the key contents that have been amended are as follows:

  1. Some terms and definitions have been amended, such as “Personal data of user”, “Service Provider”, “User”, and “Collection”.
  2. Although the Original Notification included the consent matter, this Notification specifies more details, such as (1) the service provider’s obligation to specify the purpose of collecting or processing personal data prior to or at the time of obtaining consent, (2) the consent must be given in writing or by electronic means, and (3) the consent request must be made in a clear sentence, not open to misunderstanding, and separate from the main agreement.
  3. In addition to the sensitive personal data such as (1) disabilities and (2) hereditary characteristics that have been specified in the Original Notification, this Notification has included Section 26 of the PDPA in order to determine the sensitive personal data matter.
  4. Personal data relating to the use and provision of services for the previous 90 days must be retained. This can be extended to two years on a reasonable basis, such as legitimate interest.
  5. In addition to the written method specified in the Original Notification for exercising the rights under PDPA, the Notification has determined that the user, as a data subject, is able to exercise the same through electronic means. If the service provider fails to comply with the request to exercise rights within 15 days, the user may notify NBTC in writing, demanding the service provider to do so. Please note that the authentication and verification mechanism for the user must be conducted by the service provider prior to exercising the aforementioned right.
  6. The provisions requiring service providers to inform NBTC of a data breach incident within 72 hours, in accordance with the PDPA, have been added.
  7. The service providers (licensees) must prepare proper measures to protect users’ rights regarding personal data, the right to privacy, and freedom of communication through telecommunications, with the minimum requirements in accordance with this Notification and the PDPA, in the Thai language and in the other languages in which the license holder conducts marketing, and send the same to the Secretary of NBTC for further consideration and verification according to NBTC criteria.
  8. The cross-border transfer of data matter under Sections 28 and 29 of PDPA has been added, to which the service provider must comply.

The NBTC further declared that all of these revisions had been adjusted to the present digital economic period, which includes every business engaged in communication, and that this Notification will provide consumers with assurances about the protection of their personal data as well as efficient and fair service. The license holders must acknowledge this Notification in order to prepare for compliance, as personal data protection is a critical issue at the moment, and the failure to comply with this Notification may result in the suspension or revocation of the NBTC licenses.

Author: Panisa Suwanmatajarn, Managing Partner.

Types of Digital Platform Services that are to notify the Electronic Transactions Development Agency

The EU’s Digital Markets Act and Digital Services Act aim to regulate large digital platforms and online services in the EU, setting out obligations for gatekeeper platforms to ensure fair and open digital markets. This includes requirements around interoperability, data access, user choice, and many others. As for Thailand, the Royal Decree on Supervision of Digital Platform Operation Requiring a Notification B.E. 2565 (2022) (“Royal Decree”), which was published in the Royal Gazette on 23 December 2022, requires large digital platform service providers to notify the Electronic Transactions Development Agency (ETDA) and comply with certain obligations.


Under the Royal Decree, a large digital platform or specific digital platform is a platform that may cause a risk to financial and commercial stability, credibility, and acceptance in electronic information systems, or damage to the public. As a result, ETDA is considering this matter and drafting an Announcement of the Electronic Transactions Commission Concerning Criteria for Assessing the Level of Impact for the Business Operation of Digital Platform Services (“Announcement”) by virtue of Section 18 (2) of the Royal Decree on Supervision of Digital Platform Services Operation Requiring a Notification, so that digital platform operators can recognize whether their platforms are classified as a specific digital platform.

The criteria for assessing the impact level of the specific digital platform services according to the Announcement are as follows:

  • A digital platform service whose transaction value on the platform exceeds one hundred million baht per year.
  • A digital platform service whose business operator has not applied for commercial registration with the Department of Business Development (“DBD”), and on which the number of sellers or service providers conducting business in Thailand exceeds one-third of all sellers or service providers on that platform.
  • A digital platform service whose business operator has not applied for commercial registration with the DBD, and on which the number of users in Thailand (customers, sellers, and service providers on the digital platform are collectively referred to as “Users”) is more than five percent, but does not exceed ten percent, of the number of people in Thailand.
  • A digital platform service on which the user can independently perform any act that may affect the public in the form of the following statements or actions:
      • Illegal statements or acts.
      • Any statement or action that may cause negative effects on fundamental human rights, human dignity, respect for privacy and family life, personal data protection, freedom of speech, media independence, discrimination, and consumer protection.
      • Any statement or action that causes negative effects on the rights of the child, causing mental illness, impairing reputation, and unlawful exploitation for the user or others.
      • Any statement or action that may cause negative effects relating to gender or sexual violence, including statements or actions for provoking violence, hatred, prejudice, and contumely.

Public Entities Required to Designate a Data Protection Officer

Section 41 of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) requires public entities listed by the Personal Data Protection Committee (“PDPC”) to designate a Data Protection Officer (“DPO”). Currently, the PDPC has drafted the “Announcement of the Personal Data Protection Committee Concerning the Data Controller and the Data Processor Who Are Public Entities that Must Designate a Data Protection Officer B.E. ….” (“Announcement”). This Announcement will list the public entities that are required to designate a DPO. It is likely that public entities that process personal data on a large scale or collect sizable amounts of sensitive personal data will be listed under this Announcement. This Announcement is, however, still undergoing public hearings, in which anyone interested can share opinions or provide feedback via the Law Portal provided by the Office of the Council of State and the Digital Government Development Agency.

According to Section 3 of the PDPA, in the event that there is any specific law governing the protection of personal data in any specific manner, business or entity, the provisions of such law shall be applied. Furthermore, in Thailand, there is a law known as the Official Information Act B.E. 2540 (1997) (“OIC”), whose provisions govern public entities in matters related to the collection, disclosure, and security of personal information. Where personal information under the OIC is considered personal data under the PDPA but is kept only by public entities, it can be assumed that such personal information is partly governed by the OIC. Nevertheless, the PDPA shall additionally apply with respect to the rights of data subjects and the relevant penalties, regardless of whether it overlaps with the same matter in the OIC, according to Section 3 of the PDPA, as it aims to ensure the same level of personal data protection for Data Controllers and Data Processors in both public entities and private entities.

In conclusion, public entities should consider whether a DPO is required based on this Announcement. In addition, such public entities should also consider the PDPA, as it might be an additional requirement with which they must comply. At the same time, individuals and private entities should also be aware of this Announcement in order to directly contact the DPO of such public entities regarding personal data protection matters, as the DPO will be the contact center for personal data protection matters of those entities that may collect, use, or disclose your personal data.

Author: Ms. Panisa Suwanmatajarn, Managing Partner.