Thailand’s Personal Data Protection Committee (PDPC) has issued a regulation establishing procedures for filing and processing data subjects’ complaints under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The Regulation Re: Complaint Filing, Rejection, Termination, Consideration, and the Period for the Consideration of the Complaint B.E. 2565 (2022) was issued in July 2022 and took effect on July 12, 2022.
The PDPA entitles data subjects to file complaints against data controllers, data processors, and employees or service providers of either whose operations fail to comply with the PDPA. This article lays out the various requirements and procedures for the filing and processing of such a complaint.
Complaint Submission
The body designated by the PDPA to be responsible for handling complaints and imposing administrative penalties is called the “Expert Committee.” Data subjects who would like to make a complaint can submit it to the Expert Committee directly at the Office of PDPC, send it to the office by post, or submit the complaint electronically.
The written or electronic complaint must use clear, plain, polite, and appropriate language, and must not give an impression of being directly or indirectly extorting or intimidating. The complaint must include at least the following information:
- Name, address, and telephone number or email address of the complainant (or an authorized representative), together with identification card, passport, or other official identification document (plus a power of attorney if submitted by a representative);
- Details and facts of the noncompliance with or violation of the PDPA;
- Details of resulting damages or impact;
- Supporting evidence (e.g., documentary evidence, physical evidence, witness statements); and
- Action desired of the offender.
The complaint must include a statement certifying its veracity, and must be signed by the complainant or the authorized representative.
Complaint Consideration
When a complaint is submitted, the receiving official will verify that the complaint is complete and then issue a receipt to the complainant. The official will then conduct a preliminary examination of the complaint within 15 days before proposing it to the Expert Committee through the secretary-general of the PDPC for consideration. In their examination, the committee aims to determine:
- whether the act indicated in the complaint constitutes noncompliance with or violation of the PDPA;
- whether there are grounds for filing the complaint, and whether the complaint is substantive and reasonable;
- whether the complaint is within the scope of the Expert Committee’s authority; and
- whether the duties and power for considering the complaint are subject to any other law or authority.
The Expert Committee may reject a complaint—for example, if it does not relate to noncompliance with or violation of the PDPA, if it has complete information or supporting documents, if it duplicates a previously settled complaint, and so on. If the Expert Committee considers the complaint negotiable, it may ask the complainant and the offender to consider doing so.
In general, the Expert Committee will finish its consideration of the complaint within 90 days of its first meeting. With the approval of the PDPC, this period may be extended twice, for up to 60 days each time.
Outcomes
After concluding its examination, the Expert Committee will notify the complainant of the outcome as well as the relevant reasoning. If the complaint is rejected or dismissed because it falls within the authority of another law or authority, the complainant may submit the complaint to that authority, which will then deem the complaint’s date of receipt as being the date on which the Expert Committee received the complaint.
If the complaint is not negotiable, or is negotiable but the parties fail reach the settlement, the Expert Committee will consider the complaint and may impose administrative penalties on the data controller or processor in accordance with the PDPA.