PDPC Notification on Security Standards for Personal Data Controllers Exempted from PDPA

The Office of Personal Data Protection Commission (PDPC) conducted a public hearing on the draft PDPC Notification Concerning the Security Standards for Personal Data under Responsibility of Data Controllers exempted from the enforcement of the Personal Data Protection Act B.E. 2562 (2019) (PDPA) (“Notification”). This public hearing occurred from 17 October 2023 to 31 October 2023.

Under Section 4 of the PDPA, certain data controllers, including public authorities, the media, the House of Representatives, the Senate, the Parliament, the courts, and the credit bureau, are exempted from the enforcement of the PDPA. However, Section 4 paragraph 3 of the PDPA mandates that these exempted data controllers must implement security measures to protect personal data.

The draft Notification sets out the security measures that exempted data controllers must adhere to. These measures are similar to those prescribed in the PDPC’s Notification on Security Measures for the Protection of Personal Data B.E. 2565 (2022). The key measures include:

  1. Implementing organizational, technical, and physical measures to safeguard personal data, regardless of its form (physical or digital).
  2. Ensuring the confidentiality, integrity, and availability of personal data.
  3. Extending security measures to servers, software, or applications for storing or processing personal data.
  4. Implementing access control, identity proofing and authentication, need-to-know basis access, user access management, determination of user responsibilities, and personal data audit trails.
  5. Raising awareness about privacy and security among employees or users with access to personal data.
  6. Adopting pseudonymization or encryption measures to minimize the risk of unauthorized or unlawful processing of personal data.

The enforcement of these measures will be closely monitored once the draft Notification comes into force.

Author: Panisa Suwanmatajarn, Managing Partner.

Personal Data Protection for NBTC license holders

The Notification on Protecting User Rights Regarding Personal Data, Rights to Privacy, and Freedom of Communication through Telecommunications Service (“Notification”) was approved by the National Telecommunications Commission. The Notification has been officially published in the Royal Gazette and has been effective since September 4, 2023.

Key provisions of the Notification include:

Section 6 stipulates that license holders must obtain separate consent from users before using or disclosing their personal data for purposes other than operating the telecommunications business. License holders must clearly inform users about the scope and objectives of the business, the types of personal information that will be used or disclosed, and any third parties involved. Users must be provided with the option to confirm or revoke their consent. License holders must comply with the conditions specified in the notification and any additional requirements imposed by the NBTC. The language used must be clear and easily understandable, without misleading users about the purpose. Consent may be obtained in writing or through technological means. However, users’ consent or withdrawal should not interfere with their use of telecommunications services.

Section 7 outlines the details regarding sensitive data, which includes race, ethnicity, political opinions, beliefs, sexual behavior, criminal record, health record, disabilities, union information, genetic data, biological data, and any other data specified in the Personal Data Protection Law that may affect users.

Section 10 addresses the notification requirements for collecting personal data. Generally, license holders must inform consumers during or before collecting their personal data. However, when collecting data from other sources, license holders must notify the data subject within 30 days from the collection date. License holders are not required to notify when the collection does not require consent under Sections 6 and 7.

Section 14 states that if a violation poses a high risk to individuals’ rights and freedoms, license holders must immediately notify the NBTC within 24 hours of recognizing the violation. The notification must include a remediation measure for affected users.

Section 20 mandates that license holders must publicly announce their policies to protect users’ rights to personal information, privacy, and freedom of communication through telecommunications. These policies must be in accordance with the notification and the personal data protection law and should be displayed on the license holders’ website, place of service, application form, and service agreement. Additionally, these policies must be approved by the NBTC.

Given these revisions, it is crucial for all license holders to update their practices to ensure compliance with the personal data protection policies. The protection of personal information is of utmost importance, particularly in the telecommunications industry.

Author: Panisa Suwanmatajarn, Managing Partner.

Certified Courses and Training Program for DPO and Registered Instructor

The Office of the Personal Data Protection Committee (“Office”) has launched the Announcement of the Office of the Personal Data Protection Committee (“Committee”) Re: Criteria for Certified Courses and Training Programs for the Data Protection Officer and Registered Instructor (“Announcement”) and its guidelines on 8 August 2023, in order to provide knowledge and understanding, in both legal terms and practical proceedings, to Data Protection Officers (“DPO”), registered instructors and training agencies, so that they can comply with the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”).

This Announcement sets guidelines for 2 main matters with the details as follows:

1. Certified courses and training programs

Agencies or institutions that would like the Office to certify their courses and training programs must apply via the official email address course@pdpc.or.th. After consideration, the Committee will deliver its opinion to the Secretary-General of the Personal Data Protection Committee (“Secretary-General”) for final consideration. The certified courses and training programs will be announced to the public.

2. Registered instructors

While agencies or institutions are registered under item 1, any person who would like to become a registered instructor can apply via the same email address, course@pdpc.or.th. If the applicant’s qualifications meet the requirements, the applicant must attend a seminar and take examinations organized by the Office. After that, the registration process will be completed, and his/her name will be announced to the public. The registration is valid for one year and must be renewed by attending further seminars.

This Announcement has been effective as of the date of publication. Currently, no civil liability, administrative liability, or criminal penalty applies to agencies or institutions in case of non-compliance with the PDPA and its guidelines. The Office aims to encourage agencies or institutions to attend the training programs so that they understand the provisions of the PDPA and can pass that knowledge on to DPOs.

Author: Panisa Suwanmatajarn, Managing Partner.

Types of Business and Agency in which Certain Parts of the PDPA Shall not Be Applicable

Previously, on June 1st, 2022, the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) came into force, imposing obligations on any person who collects, uses, or discloses personal data.

A data controller is defined as a person or juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of personal data. Under the PDPA, the data controller is subject to various obligations, for example, notifying data subjects of personal data collection, obtaining consent (if applicable), and having security measures in place.

On July 11th, 2023, the cabinet approved the Draft Royal Decree Prescribing Types of Business and Agency in which certain parts of the PDPA shall not be applicable B.E. …. (the “Draft Royal Decree”). The Draft Royal Decree is intended to exempt certain types of data controller from certain obligations, in order to ease their usual objectives or operations. Essentially, the key provisions of this Draft Royal Decree are: (1) certain obligations under the PDPA may be exempted where the collection of personal data is for the public interest and the government agency is authorized by law; (2) consent for disclosure of personal data may not be required where the government agency is authorized by law to disclose it; and (3) the Draft Royal Decree reaffirms the data subject’s right to file a request to the Personal Data Protection Committee (“PDPC”) for interpretation of various matters.

According to the summary of the cabinet’s minutes by the government’s spokesperson, certain government agencies may be exempted from the obligations under Part 2 ‘Personal Data Collection’ and Part 3 ‘Use or Disclosure of Personal Data’ of the PDPA to the extent that their processing of personal data is in accordance with the exemption’s conditions and purposes of personal data processing (as prescribed under the Draft Royal Decree).

That being said, we also noted that the government spokesperson’s summary of the Draft Royal Decree signifies a significant amendment from the previously published version (the Ministry of Digital Economy and Society’s Results of Public Hearing Group 2). The previous version also specified cases where other types of data controllers (i.e., not government agencies) could be exempted from certain obligations. For example, where the data controller’s purposes for processing personal data would be impaired by complying with the personal data collection notification requirements, such data controller could be exempted from those obligations.

At this stage, the approved Draft Royal Decree should soon be published in the Royal Gazette. Monitoring its publication and enforcement may be of the essence to all data controllers and/or data processors who are subject to the PDPA’s obligations, as the exemption may apply to their cases as well.

Author: Panisa Suwanmatajarn, Managing Partner.

Monitoring of Personal Data or the System that Requires an Appointment of DPO

Section 41 (2) of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) prescribes that the data controller and the data processor shall designate a data protection officer (“DPO”) if their activities in processing personal data require regular monitoring of personal data or the system, by reason of having a large number of personal data as prescribed and announced by the Personal Data Protection Committee (“PDPC”).

Given that the PDPA has been in effect for a year, many organizations in Thailand are still unsure whether they are required to appoint a DPO or not. As a result, the PDPC is considering the Draft Notification of the PDPC re: data controllers and data processors who collect, use, or disclose personal data that requires regular monitoring of the personal data or the system due to a large scale of personal data that must appoint a DPO, B.E. …. (the “Draft Notification”). This Draft Notification was posted on the Law Portal on July 13th, 2023, for the public to consider and express their opinion (public hearing closes on July 27th, 2023).  

Under the Draft Notification, the PDPC intends to clarify the following three criteria: (1) what constitutes a core activity; (2) what is meant by regular monitoring of personal data or the system; and (3) how to determine whether a data controller or data processor has a large number of personal data. The summary is as follows:

1. Core Activities:

The core activities are defined under the Draft Notification as actions required to achieve the data controller’s or data processor’s business objectives or goals.  

2. Regular Monitoring of Personal Data or the System:

The Draft Notification deems that a data controller or data processor regularly monitors personal data or the system, if the core activities of the said data controller or data processor systematically or regularly track, monitor, or predict data subject’s behavior (i.e., profiles).  

Additionally, the Draft Notification prescribes scenarios in which the processing of personal data is automatically deemed to require regular monitoring. Examples include:

  • Processing of personal data relating to the holder of a membership card, electronic card, or any other card that allows the card service provider or any other person to review the card usage information.
  • Processing of personal data for the purpose of behavioral advertising.
  • Processing of personal data for security purposes.

3. A Large Number of Personal Data:

Further, the Draft Notification sets out the criteria by which the data controller or data processor shall determine whether their processing of personal data is on a large scale. The criteria are as follows: (1) the proportion of the number of data subjects and the amount of personal data; (2) the quantity and type of personal data; (3) retention period and permanence; and (4) territorial or geographical scale of personal data collection.

Additionally, the Draft Notification prescribes scenarios in which the processing of personal data is automatically deemed to be of a large scale. Examples include:

  • Processing personal data for the purpose of behavioral advertising through the use of search engines or social media.
  • Processing of personal data by a type 3 telecommunication business operator.

Having read this far, you probably have an idea of whether your organization would need to appoint a DPO. Please note, however, that organizations whose DPO performs duties or tasks other than data protection must consider the scope of those duties or tasks and warrant to the PDPC office that they do not conflict with the DPO’s main duties under the PDPA. Data Controllers and Data Processors should read this Draft Notification carefully and monitor its development.

It is crucial for all data controllers and data processors to note that if they are subject to the requirement but fail to appoint a DPO as required by the PDPA, they may be subject to an administrative fine of up to 1 million Baht.

Author: Panisa Suwanmatajarn, Managing Partner.

Unlawful Debt Collection and Violation of Personal Data Protection

This case study is drawn from a case between the plaintiff, an ordinary person, and the defendants and their parent company, concerning violations of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) and the Debt Collection Act B.E. 2558 (2015) (“DCA”).

According to the plaint, a financial institution filed a court case against the plaintiff over an outstanding debt roughly 15 to 20 years ago and obtained a court decision to enforce the mortgage and all of the plaintiff’s assets, which were auctioned off and assigned to creditors. Recently, a group of people claiming to represent the defendants phoned the plaintiff through a call center process for debt collection, causing disruption. Moreover, the plaintiff has never given written consent for the phone number used by the call center to be used for any debt collection. While the defendants claimed that the phone number had been acquired from an electronic reply letter with the plaintiff’s consent given to the Bank of Thailand (“BOT”), the plaintiff stated that the number was registered after the debt was extinguished. Since the PDPA requires consent from the data subject, absent another legal basis, before collecting, using, or disclosing personal data, it is reasonable to assume that the phone number was collected as personal data without the plaintiff’s consent.

As a result, the plaintiff submitted the following requests to the court against the defendants under the PDPA and the DCA:

  1. Request that the court order the defendants to reveal how the personal data was acquired, on the basis of the plaintiff’s rights as a data subject under Section 30 of the PDPA, which grants the data subject the right to request access to and disclosure of personal data. Thus, the plaintiff has the right to request the court to order the defendants to reveal personal data obtained without consent.
  2. Request that the court order the defendants to collectively pay 25 Satangs in compensation for the unlawful use of a phone number, which is general personal data that can identify the data subject under the PDPA.
  3. Request that the court order the defendants and all their representatives to erase all of the plaintiff’s personal data from their systems, in accordance with the data subject’s right to object to the collection, use, or disclosure of personal data at any time under Section 32 of the PDPA.
  4. Request that the court order the defendants to collectively pay 25 Satangs in compensation for violating the DCA through frequent, unnecessary and annoying debt collection calls, which are unrelated to the purpose of the DCA, namely to regulate debt collection in an appropriate manner, to protect privacy rights, and to prevent damage to reputation, false information, and harassment of others.

In conclusion, many people are currently suffering from debt collection via call centers. The plaintiff therefore intends for this case to serve as an example of illegal debt collection and personal data violation, which is why he requests such a symbolic amount of compensation. The court accepted the case on 28 April 2023, and its order will be issued after the witness hearing. As another option, the plaintiff can also file a complaint with the Personal Data Protection Committee (“PDPC”) for consideration and an order imposing administrative penalties on the defendants.

Author: Panisa Suwanmatajarn, Managing Partner.

NBTC Uplifted Personal Data Protection for Telco Users

Since the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) has been in effect for more than a year, several authorities, including the National Broadcasting and Telecommunications Commission (“NBTC”), have attempted to establish and implement policies in order to comply with the PDPA. Previously, there was a Notification of the National Telecommunications Commission on Protecting User Rights Regarding Personal Data, Privacy, and Freedom of Communication through Telecommunications Service, effective from 16 August B.E. 2549 (2006) (“Original Notification”), setting out measures to protect user rights in telecommunications services. However, in order to (1) protect the rights of telecommunications service users while operating in parallel with the use of personal data, (2) modernize and improve the user rights protection measures, and (3) fully and accurately comply with and implement the PDPA, the NBTC amended the Original Notification by drafting the Notification of the National Telecommunications Commission on Protecting User Rights Regarding Personal Data, Rights to Privacy, and Freedom of Communication through Telecommunications Service (“Notification”). This Notification was approved at meeting no. 13/2566 on 14 June 2023 and will be published in the Royal Gazette, taking effect on the day following its announcement date, at which point the Original Notification will be replaced.

Examples of the key amendments are as follows:

  1. Some terms and definitions have been amended, such as “Personal data of user”, “Service Provider”, “User” and “Collection”.
  2. Although the Original Notification already addressed consent, this Notification specifies further details, such as (1) the service provider’s obligation to specify the purpose of collecting or processing personal data prior to or at the time of obtaining consent, (2) that consent must be given in writing or by electronic means, and (3) that the consent request must be made in clear, non-misleading wording, separate from the main agreement.
  3. In addition to the sensitive personal data, namely (1) disabilities and (2) hereditary characteristics, specified in the Original Notification, this Notification incorporates Section 26 of the PDPA in order to determine what constitutes sensitive personal data.
  4. Personal data relating to the use and provision of services for the previous 90 days must be retained. This can be extended to two years on a reasonable basis, such as legitimate interest.
  5. In addition to the written method specified in the Original Notification for exercising rights under the PDPA, the Notification provides that the user, as a data subject, may exercise the same rights through electronic means. If the service provider fails to comply with a request to exercise rights within 15 days, the user may notify the NBTC in writing, demanding that the service provider do so. Please note that the service provider must authenticate and verify the user before the aforementioned rights are exercised.
  6. The provisions requiring service providers to inform NBTC of a data breach incident within 72 hours, in accordance with the PDPA, have been added.
  7. The service providers (licensees) must prepare proper measures to protect users’ rights regarding personal data, the right to privacy, and freedom of communication through telecommunications, meeting the minimum requirements of this Notification and the PDPA, in Thai and in the other languages in which the license holder conducts marketing, and send the same to the Secretary of the NBTC for further consideration and verification according to NBTC criteria.
  8. The cross-border transfer of data matter under Sections 28 and 29 of PDPA has been added, to which the service provider must comply.

The NBTC further declared that all of these revisions have been adapted to the present digital economy, which includes every business engaged in communication, and that this Notification will provide consumers with assurances about the protection of their personal data as well as efficient and fair service. License holders must take note of this Notification in order to prepare for compliance, as personal data protection is a critical issue at the moment, and failure to comply with this Notification may result in the suspension or revocation of NBTC licenses.

Author: Panisa Suwanmatajarn, Managing Partner.

Public Entities Required to Designate a Data Protection Officer

Section 41 of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) requires public entities listed by the Personal Data Protection Committee (“PDPC”) to designate a Data Protection Officer (“DPO”). Currently, the PDPC has drafted the “Announcement of the Personal Data Protection Committee Concerning the Data Controller and the Data Processor Who Are Public Entities that Must Designate a Data Protection Officer B.E. ….” (“Announcement”). This Announcement will list the public entities that are required to designate a DPO. It is likely that public entities that process personal data on a large scale or collect sizable amounts of sensitive personal data will be listed under this Announcement. This Announcement is, however, still undergoing public hearings, in which anyone interested can share opinions or provide feedback via the Law Portal provided by the Office of the Council of State and the Digital Government Development Agency.

According to Section 3 of the PDPA, where a specific law governs the protection of personal data in a specific manner, business or entity, the provisions of that law shall apply. Furthermore, in Thailand there is a law known as the Official Information Act B.E. 2540 (1997) (“OIC”), whose provisions govern public entities on matters related to the collection, disclosure, and security of personal information. Where personal information under the OIC is also personal data under the PDPA, even though it is kept only by public entities, it can be assumed that such personal information is partly governed by the OIC; nevertheless, the PDPA applies in addition, particularly as regards the rights of data subjects and the relevant penalties, regardless of any overlap with the OIC. This follows from Section 3 of the PDPA, which aims to ensure the same level of personal data protection for Data Controllers and Data Processors in both public and private entities.

In conclusion, public entities should consider whether a DPO is required based on this Announcement. Such public entities should also consider the PDPA, as it may impose additional requirements with which they must comply. At the same time, individuals and private entities should also be aware of this Announcement in order to contact the DPO of such public entities directly regarding personal data protection matters, as the DPO will be the contact point for personal data protection matters at those entities, which may collect, use, or disclose your personal data.

Author: Ms. Panisa Suwanmatajarn, Managing Partner.

PDPC’s Guideline for Data Controller and Data Processor

The Personal Data Protection Committee (“PDPC”) has announced the Guidelines for Data Controller and Data Processor Re: Case Studies, extracted from the discussion on the enforcement of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). The guideline includes sample actions for each specific case as scenarios for all relevant parties under the PDPA, including the Data Controller, Data Processor, Data Subject, and other relevant persons, to consider and apply. This guideline also aims to put in place effective remedial measures for Data Subjects whose personal data and rights must be protected, as well as to prevent any data breach under the PDPA. Sample scenarios are as follows:

  • Does the bank need to obtain consent from minors aged 7 to 20 in order to collect and/or use their facial recognition data for mobile banking transactions? As we all know, facial recognition data is classified as sensitive personal data under Section 26 of the PDPA, as a type of biometric data arising from the use of techniques or technology relating to a person’s physical or behavioral characteristics, for which consent is required only if other legal bases, such as contract and legal obligation, cannot be applied. Furthermore, the procedure for obtaining a minor’s consent must be in accordance with Sections 19 and 20 of the PDPA.
  • Is consent required when a bank introduces new products to a minor for marketing purposes? If so, can minors freely consent on their own behalf? Since the collection of personal data for marketing purposes is not an activity covered by the legal basis of a contract for opening a bank account, and if such personal data was not collected for a purpose under Sections 24(1) to 24(6) of the PDPA, such as vital interest or legal obligation, then the consent of the minor must be obtained, and the consent of the holder of parental responsibility over the child may also be required on a case-by-case basis according to Section 20 of the PDPA.
  • A limited company operating a trading and service business enters into an agreement with an individual business partner and would like to collect personal data, such as the name, phone number, and other information of the business partner’s employee, in order to contact him/her directly on matters related to performing the agreement. In this case, the Data Controller cannot apply the legal basis of “Contract” to such an employee, but the legal basis of “Legitimate interest” might be applied if the data processing does not override the fundamental rights of the said employee as a Data Subject.
  • What are the advantages and disadvantages of appointing an outsourced Data Protection Officer (“DPO”)? Is it necessary for the company to set up a separate department to handle this specific task? The Data Controller may appoint a DPO according to the suitability and necessity for the Data Controller to comply with and be responsible for the duties set out in Section 42 of the PDPA. Furthermore, the DPO cannot be dismissed or terminated for performing his/her duties under the PDPA, and the DPO should be a person who can report directly to the executives of the Data Controller or Data Processor. As a result, it is an internal matter for the company to select the DPO as it deems appropriate.

In conclusion, to assist the government agencies and private companies in answering all concerns and questions regarding PDPA compliance, the PDPC has assigned the Sub-Committee to gather all such questions and concerns and propose the same, along with the recommended answer, to the PDPC for further consideration, and later provide those correct answers and consultations to the government agencies and private companies. In the future, all of those inquiries may be published as sample scenarios, just as they were in this guideline.

Author: Panisa Suwanmatajarn, Managing Partner.

Thailand PDPA – DPO Qualifications

The Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), which became effective on 1 June 2022, specifies the rules and restrictions that Data Controllers and Data Processors must adhere to. One important rule regarding the Data Protection Officer (“DPO”) is specified in Section 41 of the PDPA: “The Data Controller and the Data Processor shall designate a data protection officer…” Therefore, many organizations might wonder: what is a DPO? What are its responsibilities? And what qualifications are required to become one?

A DPO is a person who is responsible for the data protection of all personal data collected, used and disclosed by a legal entity, whether it is internal personal data or third-party personal data collected by the legal entity. Section 42 of the PDPA specifies the duties of the DPO as follows:

  1. Providing advice to the Data Controller and Data Processor, as well as all employees and service providers of those parties involved in the data processing, in order to ensure PDPA compliance, such as providing them with PDPA information and training sessions, particularly to those who directly operate with data processing, in order to ensure adherence to the legal entity’s privacy policy and follow the rules and regulations pertaining to the personal data protection.
  2. Monitoring the operation and the performance of the parties mentioned in item 1 regarding personal data collection, use and disclosure to be in accordance with the PDPA.
  3. Coordinating with the regulator, the Personal Data Protection Committee (“PDPC”) on any issues that arise in relation to item 2 such as a data breach.
  4. Maintaining the confidentiality of personal data known and acquired while performing the duties.

There are no officially announced sub-regulations governing DPO qualifications; the PDPA only specifies the duties of the DPO as mentioned above. As a result, the following is only a guideline drawn from the Thailand Data Protection Guidelines on this matter, which Data Controllers and Data Processors should consider.

  1. Having background knowledge of the PDPA and other applicable laws
  2. Understanding of technologies, IT, and data security measures. The DPO may need to fully understand this matter because the IT system and technological capabilities may be involved in personal data collection, use, disclosure and processing in order to perform its obligations in terms of technology under the PDPA.
  3. DPO should not be a person who directly benefits from collecting personal data, and DPO shall not be able to audit its own actions involving the collection, use or disclosure of personal data. As a result, the duties of the DPO and those who process personal data should not overlap.
  4. Good communication and collaboration skills with internals, externals and regulators because the DPO must collaborate with all departments within the organization and the PDPC pertaining to PDPA matters. Furthermore, the DPO should be the person who has direct access to the executives because many aspects of PDPA compliance may need to be taken urgently.
  5. DPO is not required to be an employee of the legal entity for which he or she works.

After the designation of a DPO, the Data Controller and the Data Processor are also required by Section 41 paragraph 5 of the PDPA to inform the PDPC and the Data Subject of the DPO’s information, contact address and contact channels. In addition, any Data Controllers and Data Processors that belong to the same affiliated business or group of undertakings and jointly designate the same DPO must also provide a list of all Data Controllers and/or Data Processors for whom such DPO works. This information can be sent to the PDPC via the email address and telephone number specified in the Announcement of the Office of the Personal Data Protection Committee Concerning Electronic Channels for Contacting the Office of Personal Data Protection Committee B.E. 2562 (2019). As for the obligation to inform the Data Subject of the DPO’s information, this can be included in the privacy notice or privacy policy published by the Data Controller and Data Processor, as the same is also required by Section 23 (5) of the PDPA.

Despite the fact that no sub-regulation regarding DPO qualifications has been announced, all Data Controllers, Data Processors, DPOs and other relevant parties should keep an eye on these upcoming regulations in order to comply with the PDPA and designate an appropriate DPO for their legal entity, because the DPO plays an important role and directly affects the legal entity’s compliance with the PDPA.

Author: Panisa Suwanmatajarn, Managing Partner.