PDPC Notification on Security Standards for Personal Data Controllers Exempted from PDPA

The Office of Personal Data Protection Commission (PDPC) conducted a public hearing on the draft PDPC Notification Concerning the Security Standards for Personal Data under Responsibility of Data Controllers exempted from the enforcement of the Personal Data Protection Act B.E. 2562 (2019) (PDPA) (“Notification”). This public hearing occurred from 17 October 2023 to 31 October 2023.

Under Section 4 of the PDPA, certain data controllers, including public authorities, the media, the House of Representatives, the Senate, the Parliament, the courts, and the credit bureau, are exempted from the enforcement of the PDPA. However, Section 4 paragraph 3 of the PDPA mandates that these exempted data controllers must implement security measures to protect personal data.

The draft Notification sets out the security measures that exempted data controllers must adhere to. These measures are similar to those prescribed in the PDPC’s Notification on Security Measures for the Protection of Personal Data B.E. 2565 (2022). The key measures include:

  1. Implementing organizational, technical, and physical measures to safeguard personal data, regardless of its form (physical or digital).
  2. Ensuring the confidentiality, integrity, and availability of personal data.
  3. Extending security measures to servers, software, or applications for storing or processing personal data.
  4. Implementing access control, identity proofing and authentication, need-to-know basis access, user access management, determination of user responsibilities, and personal data audit trails.
  5. Raising awareness about privacy and security among employees or users with access to personal data.
  6. Adopting pseudonymization or encryption measures to minimize the risk of unauthorized or unlawful processing of personal data.

Compliance with these measures will be closely monitored once the draft Notification comes into force.

Author: Panisa Suwanmatajarn, Managing Partner.

Other Articles

Personal Data Protection for NBTC license holders

The Notification on Protecting User Rights Regarding Personal Data, Rights to Privacy, and Freedom of Communication through Telecommunications Service (“Notification”) was approved by the National Telecommunications Commission. The Notification has been officially published in the Royal Gazette and has been in effect since September 4, 2023.

Key provisions of the Notification include:

Section 6 stipulates that license holders must obtain separate consent from users before using or disclosing their personal data for purposes other than operating the telecommunications business. License holders must clearly inform users about the scope and objectives of the business, the types of personal information that will be used or disclosed, and any third parties involved. Users must be provided with the option to confirm or revoke their consent. License holders must comply with the conditions specified in the notification and any additional requirements imposed by the NBTC. The language used must be clear and easily understandable, without misleading users about the purpose. Consent may be obtained in writing or through technological means. However, users’ consent or withdrawal should not interfere with their use of telecommunications services.

Section 7 outlines the details regarding sensitive data, which includes race, ethnicity, political opinions, beliefs, sexual behavior, criminal record, health record, disabilities, union information, genetic data, biological data, and any other data specified in the Personal Data Protection Law that may affect users.

Section 10 addresses the notification requirements for collecting personal data. Generally, license holders must inform consumers during or before collecting their personal data. However, when collecting data from other sources, license holders must notify the data subject within 30 days from the collection date. License holders are not required to notify when the collection does not require consent under Sections 6 and 7.

Section 14 states that if a violation poses a high risk to individuals’ rights and freedoms, license holders must immediately notify the NBTC within 24 hours of recognizing the violation. The notification must include a remediation measure for affected users.

Section 20 mandates that license holders must publicly announce their policies to protect users’ rights to personal information, privacy, and freedom of communication through telecommunications. These policies must be in accordance with the notification and the personal data protection law and should be displayed on the license holders’ website, place of service, application form, and service agreement. Additionally, these policies must be approved by the NBTC.

Given these revisions, it is crucial for all license holders to update their practices to ensure compliance with the personal data protection policies. The protection of personal information is of utmost importance, particularly in the telecommunications industry.

Author: Panisa Suwanmatajarn, Managing Partner.

Certified Courses and Training Program for DPO and Registered Instructor

The Office of the Personal Data Protection Committee (“Office”) issued the Announcement of the Personal Data Protection Committee (“Committee”) Re: Criteria for Certified Courses and Training Programs for the Data Protection Officer and Registered Instructor (“Announcement”), together with its guidelines, on 8 August 2023. The Announcement aims to provide knowledge and understanding, in both legal terms and practical proceedings, to Data Protection Officers (“DPO”), registered instructors, and training agencies so that they can comply with the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”).

This Announcement sets guidelines for 2 main matters with the details as follows:

1. Certified courses and training programs

Agencies or institutions that would like the Office to certify their courses and training programs must apply via the official email address course@pdpc.or.th. After consideration, the Committee will deliver its opinion to the Secretary-General of the Personal Data Protection Committee (“Secretary-General”) for final consideration. The names of those certified will be published to the public.

2. Registered instructors

In addition to the registration of agencies or institutions under item 1, any person who would like to become a registered instructor can apply via email at course@pdpc.or.th. If the applicant’s qualifications meet the requirements, the applicant must attend the seminar and take the exams organized by the Office. After that, the registration process is complete and his/her name will be announced to the public. The registration is valid for one year and must be renewed by attending further seminars.

This Announcement took effect on its date of publication. Currently, no civil liability, administrative liability, or criminal penalty applies to agencies or institutions for non-compliance with the PDPA and its guidelines. The Office aims to encourage agencies or institutions to attend the training programs so that they understand the provisions of the PDPA and can then pass their knowledge on to the DPO.

Author: Panisa Suwanmatajarn, Managing Partner.

Types of Business and Agency in which Certain Parts of the PDPA Shall not Be Applicable

Previously, on June 1st, 2022, the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) came into force, imposing obligations on any person who collects, uses, or discloses personal data.  

A data controller is defined as a person or juristic person having the power and duty to make decisions regarding the collection, use, or disclosure of personal data. Under the PDPA, the data controller is subject to various obligations, for example, notifying data subjects of personal data collection, obtaining consent (where applicable), and having security measures in place.

On July 11th, 2023, the cabinet approved the Draft Royal Decree Prescribing Types of Business and Agency in which certain parts of the PDPA shall not be applicable B.E. …. (the “Draft Royal Decree”). The Draft Royal Decree is intended to exempt certain types of data controller from certain obligations in order to ease their usual objectives or operations. Essentially, the key provisions of this Draft Royal Decree are: (1) certain obligations under the PDPA may be exempted where the collection of personal data is for the public interest and the government agency concerned is authorized by law; (2) consent for disclosure of personal data may not be required where the government agency is authorized to disclose it according to the law; and (3) the Draft Royal Decree reaffirms the data subject’s right to file a request with the Personal Data Protection Committee (“PDPC”) for interpretation of various matters.

According to the summary of the cabinet’s minutes by the government’s spokesperson, certain government agencies may be exempted from the obligations under Part 2 ‘Personal Data Collection’ and Part 3 ‘Use or Disclosure of Personal Data’ of the PDPA to the extent that their processing of personal data is in accordance with the exemption’s conditions and purposes of personal data processing (prescribed under the Draft Royal Decree).

That being said, we also noted that the government spokesperson’s summary of the Draft Royal Decree signifies a significant amendment from the previously published version (the Ministry of Digital Economy and Society’s Results of Public Hearing Group 2). The previous version also specified cases where other types of data controllers (i.e., not government agencies) may be exempted from certain obligations. For example, where the data controller’s purposes for processing personal data would be impaired by complying with the personal data collection notification requirements, such data controller may be exempted from the said obligations.

At this stage, the approved Draft Royal Decree shall soon be published in the Royal Gazette. Monitoring its publication and enforcement may be of the essence to all data controllers and/or data processors who are subject to the PDPA’s obligations, as the exemption may be applicable to their cases as well.

Author: Panisa Suwanmatajarn, Managing Partner.

Monitoring of Personal Data or the System that Requires an Appointment of DPO

Section 41 (2) of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) prescribes that the data controller and the data processor shall designate a data protection officer (“DPO”) if the activities of the data controller/processor in the processing of personal data require regular monitoring of personal data or the system, by reason of having a large number of personal data as prescribed and announced by the Personal Data Protection Committee (“PDPC”).

Given that the PDPA has been in effect for a year, many organizations in Thailand are still unsure whether they are required to appoint a DPO or not. As a result, the PDPC is considering the Draft Notification of the PDPC re: data controllers and data processors who collect, use, or disclose personal data that requires regular monitoring of the personal data or the system due to a large scale of personal data that must appoint a DPO, B.E. …. (the “Draft Notification”). This Draft Notification was posted on the Law Portal on July 13th, 2023, for the public to consider and express their opinion (public hearing closes on July 27th, 2023).  

Under the Draft Notification, the PDPC intends to clarify the following three criteria: (1) what constitutes a core activity; (2) what is meant by regular monitoring of personal data or the system; and (3) how to determine whether a data controller or data processor has a large number of personal data. The summary is as follows:

1. Core Activities:

The core activities are defined under the Draft Notification as actions required to achieve the data controller’s or data processor’s business objectives or goals.  

2. Regular Monitoring of Personal Data or the System:

The Draft Notification deems that a data controller or data processor regularly monitors personal data or the system, if the core activities of the said data controller or data processor systematically or regularly track, monitor, or predict data subject’s behavior (i.e., profiles).  

Additionally, the Draft Notification also prescribes scenarios where the processing of personal data would automatically be deemed to require regular monitoring; examples include:

  • Processing of personal data relating to the holder of a membership card, electronic card, or any other card that allows the card service provider or any other person to review the card usage information.
  • Processing of personal data for the purpose of behavioral advertising.
  • Processing of personal data for security purposes.

3. A Large Number of Personal Data:

Further, the Draft Notification sets out the criteria by which the data controller or data processor shall determine whether their processing of personal data is considered to be on a large scale. The criteria are as follows: (1) the proportion of the number of data subjects and the amount of personal data; (2) the quantity and type of personal data; (3) retention period and permanence; and (4) territorial or geographical scale of personal data collection.

Additionally, the Draft Notification also prescribes scenarios where the processing of personal data would automatically be deemed to be of a large scale; examples include:

  • Processing personal data for the purpose of behavioral advertising through the use of search engines or social media.
  • Processing of personal data by a type 3 telecommunication business operator.

By this point, you probably have an idea of whether your organization would need to appoint a DPO. Please note, however, that organizations whose DPO performs duties or tasks other than data protection must consider the scope of his/her duties or tasks and warrant to the PDPC office that those duties or tasks do not conflict with the DPO’s main duties under the PDPA. Data controllers and data processors should read this Draft Notification carefully and monitor its development.

It is crucial for all data controllers and data processors to note that if they are subject to the requirement but fail to appoint a DPO as required by the PDPA, they may be subject to an administrative fine of up to 1 million Baht.

Author: Panisa Suwanmatajarn, Managing Partner.
