Thailand’s Personal Data Protection Committee (PDPC) has released separate guidelines for data controllers to follow in obtaining data subjects’ consent and notifying data subjects of required information (i.e., regarding collection, use, or disclosure of their personal data). By following the guidelines, data controllers can mitigate the risk of violating the Personal Data Protection Act B.E. 2562 (2019) (PDPA).
The Guidelines on Obtaining Consent from the Data Subject according to the PDPA and the Guidelines on Notification of Purposes and Details upon the Collection of Personal Data from the Data Subject according to the PDPA were issued on September 7, 2022.
Consent Guidelines
The PDPC’s guidelines on obtaining consent list the requirements for consent to be considered valid. These requirements include stipulations on timing of requests, elements that need to be included in requests, and the nature of requests.
For instance, consent must be obtained before or at the time of obtaining personal data, and data subjects must be informed of both the purposes and details of the personal data handling, among other specific requirements. In turn, there must be a clear affirmative act of the data subject in giving consent.
Obtaining consent from minors is subject to more stringent requirements, and data controllers should implement appropriate identification and age-verification measures when collecting personal data about minors. The guidelines give two sets of requirements, depending on the age of the minor: between 10 and 20, and under 10. In general, for the older age group, parental consent is not required in every circumstance, while for the younger age group, parental consent is compulsory, with the parent giving consent on behalf of the minor.
For a person deemed to be “incompetent” or “quasi-incompetent,” consent must always be given by the legal guardian.
Notification Guidelines
The guidelines on notifying data subjects when collecting personal data set forth the two key principles of fairness and purpose limitation.
The fairness principle reflects the requirement to use language and terms that are clear and easy to understand, while also notifying the data subject of adequate purposes, consequences, and other relevant information about data processing prior to or upon collection. The guidelines further clarify that the notification should include the legal basis on which the data controller relies when processing the personal data, and details of any cross-border transfer of personal data.
The purpose limitation principle is demonstrated when the notification, which is generally called a privacy policy, is clear, specific, and lawful.
The guidelines are flexible as to the format of the privacy policy, which can be written or verbal, and delivered via a variety of physical, telecommunications, or electronic means. The use of a prominent hyperlink to the policy is also acceptable.
When collecting personal data from sources other than the data subjects themselves, a data protection impact assessment should be made, particularly when a data subject is not aware of the collection or did not give consent, or when data controllers use new technology to process a large volume of personal data.
Form of Consent Requests and Privacy Policies
If a data controller is subject to other specific laws under sectoral regulators (e.g., Bank of Thailand, Office of the Securities and Exchange Commission, Office of Insurance Commission, etc.), that data controller must adopt the standard forms prescribed by the relevant law. If there is no prescribed standard form, data controllers can rely on the standard forms recommended by industry associations when they comply with the stipulations in the PDPC guidelines.
For further information, please contact:
Athistha (Nop) Chitranukroh, Partner, Tilleke & Gibbins
nop.c@tilleke.com