Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) entered into force in full on June 1, 2022. The PDPA, which contains similarities to the EU’s General Data Protection Regulation (GDPR) introduces obligations and restrictions relating to the collection, use, and disclosure of personal data in Thailand. While the new law applies to franchisors and franchisees in the same way that it applies to other businesses, there are a number of issues that are of specific importance in franchise businesses.
As franchisors and franchisees have the power and duty to make decisions concerning the collection, use, and disclosure of customers’ and employees’ personal data in the course of their operations, they are considered “data controllers” under the PDPA. The Trade Competition Commission of Thailand, via its Notification on the Guidelines for the Consideration of Unfair Trade Practices in Franchise Businesses issued under the Trade Competition Act B.E. 2560 (2017), defines a franchise relationship as one which, among others, involves an element of control by the franchisor over the business operations of the franchisee. It follows then that in some situations, franchisees’ collection, use, and disclosure of personal data will be according to the instructions of their franchisors. In such circumstances, a franchisee will be considered a “data processor” under the PDPA.
Whether acting as data controllers or data processors, franchisors and franchisees must nonetheless comply with the requirements of the PDPA in the course of their operations. To ensure their activities are in compliance with the law, franchise businesses should consider five major actions:
1. Auditing existing data collection and retention practices
Whether operating online or via a brick and mortar shop, it is increasingly common for franchise businesses to store and process customers’ personal data. This may include the storage and transmission of credit card information for auto-billing systems, or the collection of customers’ names, addresses, birthdays, and shopping preferences for loyalty programs. From the use of facial recognition technology and other biometric identifiers to access coworking spaces, to the collection of health and genetic data by fitness centers, the collection and use of sensitive personal data is now commonplace as businesses strive to improve customer experiences through personalization.
Under the PDPA, the collection of such sensitive personal data requires explicit consent from the data subjects. Franchisors and franchisees must evaluate their existing data collection practices to identify compliance gaps. For example, apart from consent requirements, the PDPA requires the collection of personal data to be limited to the extent necessary in relation to the lawful purposes of the data controller. Data controllers are also required to ensure that any personal data collected remains accurate, up-to-date, and complete, and that it is not misleading.
The PDPA allows businesses to continue using personal data collected prior to June 1, 2022, for the original purposes of its collection. However, the businesses must also provide and publish a consent withdrawal method for data subjects to opt out from the data controller’s continued collection and use of their personal data.
2. Developing PDPA-compliant policies and systems
Compliance with the PDPA goes beyond appointment of data protection officers and use of privacy notices and consent forms. Apart from putting in place a PDPA-compliant privacy policy, it is also vital for franchisors and franchisees to review existing arrangements with third-party service providers in Thailand, including any outsourced service providers, suppliers, and advertising agencies. This serves to ensure that any data processing activities carried out by third parties that may collect, use, and disclose customers’ personal data pursuant to the franchisor’s or franchisee’s instructions are in compliance with the PDPA.
As data controllers, franchise businesses are required by the PDPA to establish proper internal systems to delete or destroy collected personal data upon the end of the retention period or when the personal data collected is no longer relevant or exceeds the scope of necessity, or when requested by the data subject. Franchise businesses must also establish a system to notify and handle data breach incidents. Under the PDPA, data controllers must notify the Personal Data Protection Committee of data breach incidents without delay, with a statutory notification window of 72 hours from the time of becoming aware of the incident. In the event of a data breach incident that has a high risk of affecting the personal rights and liberties of data subjects, a franchise business as a data controller must also notify affected customers of the incident and the remedial measures taken to address it.
The PDPA also requires data controllers and data processors to adopt appropriate security measures to prevent loss of and unauthorized or unlawful access to personal data. In this regard, franchise businesses may wish to consider investing in relevant software and technology to facilitate compliance with the PDPA. However, it is important that the use of any third party software and technology not conflict with restrictions in existing master franchise agreements.
3. Ensuring compliance by franchisors based overseas
Master franchisees often have a contractual duty to keep their franchisors informed of significant legal developments impacting the franchise business in the franchise territory. Master franchisees and their overseas franchisors should note that due to the extraterritorial application of the PDPA, overseas franchisors will similarly need to comply with the PDPA in their provision of goods or services to data subjects, and in their activities related to the monitoring of the behavior of data subjects based in Thailand.
Furthermore, the PDPA requires data controllers based outside of Thailand, such as overseas franchisors, to appoint and authorize a representative physically based in Thailand to act on their behalf in relation to all matters concerning the collection, use, and disclosure of personal data under the PDPA.
The PDPA also imposes restrictions on transfers of personal data outside of Thailand. When transferring personal data overseas, the PDPA requires the relevant destination country or organization that receives the personal data, such as of the foreign franchisor’s country of residence, to have sufficient personal data protection standards, and for the transfer to be conducted in accordance with any relevant rules that may be prescribed by the Personal Data Protection Committee established under the PDPA.
4. Updating franchise agreements and franchise operations manuals
Franchisors should also review and update their existing franchise agreements to account for compliance with the PDPA. In addition to standard clauses requiring a franchisee to ensure compliance with applicable personal data protection laws such as the PDPA, franchisors should consider including robust provisions on franchisees’ data processing obligations, security audit requirements, and compliance training obligations in their franchise agreements. Further, while it is already standard practice for franchisors to require their franchisees to obtain various types of insurance policies, such as general liability insurance, workers’ compensation insurance, and property insurance, with the increased risk in cybersecurity threats and the risks they pose to customers’ personal data, franchisors should also now consider requiring franchisees to obtain cybersecurity insurance.
Franchise operation manuals should also be updated so that they are aligned with the obligations imposed under the PDPA. For example, under the PDPA, data subjects, such as consumers and employees of franchise businesses, have various rights in relation to the collection, use, and disclosure of their personal data. This includes, among others, the right to access their personal data, the right to require their personal data to be provided in a commonly used electronic form or to be sent to another data controller (also known as the right to data portability), and the right to correct or delete their personal data.
5. Conducting compliance training for employees and other stakeholders within the organization
Compliance training is crucial to ensure that all relevant stakeholders in the franchisor’s and franchisee’s organizations understand the implications of the PDPA on the franchise business. This is also of particular importance for foreign franchisors that are subject to the GDPR, which requires data controllers to be able to demonstrate compliance with the accountability principle under the GDPR.
Franchisors and franchisees should conduct PDPA compliance training for their employees in Thailand so that the employees understand what they can and cannot do with customer information. For example, franchises operating in the education sector, such as preschools, day care centers and language schools, should train teachers and administrative staff on the handling of minors’ personal data. The PDPA imposes different obligations on data controllers in relation to consent requirements for collection of minors’ personal data. While parental consent is necessary for minors below 10 years old, parental consent may not be required for matters in which a minor between 10 and 20 years old is deemed competent to provide consent—in which case the minor’s consent alone is sufficient. The adoption of technology in provision of services, such as the use of CCTVs and parent-teacher communication applications where photographs and videos of children’s activities are shared and tracked, further elevates the importance of PDPA-compliant training among teaching faculty.
Noncompliance with the PDPA can expose franchise businesses to significant monetary and reputational risks. Under the PDPA, franchisors and franchisees acting in their capacity as data controllers are subject to administrative fines of up to THB 5 million (approximately USD 145,500), as well as criminal fines of up to THB 1 million (approximately USD 29,100). Thai courts are also empowered to award punitive damages, as well as impose imprisonment for up to one year. Similarly, franchisees acting as data processors can also be subject to administrative fines of up to THB 5 million (approximately USD 145,500). Hence, franchisors and franchisees must be aware of their obligations under the PDPA and take steps to ensure that their data collection, use, and disclosure practices are aligned with the demands under the new law.
For further information, please contact:
Sher Hann Chua, Tilleke & Gibbins
sherhann.c@tilleke.com