Four decisions from the Expert Committee under Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) indicate that there will no longer be any relaxation of PDPA enforcement.
The enforcement of Thailand’s seminal data protection law had been relaxed for more than a year when, on October 18, 2023, the Personal Data Protection Committee (PDPC) published the first decision made by the Expert Committee on the imposition of administrative measures against a company pursuant to authority granted to it under the Notification of the PDPC Re: Rules for the Consideration of the Imposition of Administrative Penalties by the Expert Committee B.E. 2565 (2022), which was one of the first subordinate regulations issued under the PDPA. Shortly thereafter, on October 19, October 25, and November 15, three additional Expert Committee decisions were published.
These three decisions made by the Expert Committee are summarized below.
October 18 Decision
The complainant in this case lodged a complaint with the Expert Committee alleging that an insurance company contacted him to offer the company’s products without his consent. The complaint further claimed that when the complainant requested the company to disclose how his personal data had been acquired and asked the company to stop contacting him through any channel, the company did not take any action on the requests.
The insurance company appeared to have obtained the personal data of the complainant from another source prior to the PDPA becoming fully effective (i.e., June 1, 2022). As the Expert Committee explained in its order, the company failed to comply with its obligations under the PDPA regarding the collection of personal data from another source, which requires consent as a legal basis; failed to comply with the grandfather provision by not publicizing opt-out procedures to enable the data subject to withdraw his consent easily; and did not grant the data subject the right to have his personal data rectified or deleted.
The Expert Committee ordered the insurance company to:
- Comply with its obligations under the PDPA regarding the collection of personal data from another source;
- Delete the personal data of the complainant;
- Take action to suppress damage, starting from the date of receiving the order;
- Stipulate measures to prevent the occurrence of similar cases; and
- Set forth and implement guidelines for complying with the provisions of the PDPA on the right of access, right to rectification, obligation to implement a monitoring system for the deletion of personal data, and so on.
The Expert Committee also ordered the company to report to the Office of the PDPC on the outcome of the actions taken in relation to the five items above within 30 days of receiving the order.
October 19 Decision
The complainant in this case lodged a complaint with the Expert Committee alleging that a mobile banking application service provider did not allow him to give his consent freely in the application. The complainant requested that the service provider amend its consent request format and that he be allowed to withdraw the consent he had previously given to the service provider and its affiliated companies for accessing the application.
By the time the case came before the Expert Committee, the service provider had already amended its consent request format to be compliant with the requirements of the PDPA. Accordingly, the complainant wanted to withdraw his complaint; moreover, the service provider had already proceeded with the requests of the complainant. Considering these facts, the Expert Committee decided to reject the complaint.
October 25 Decision
In this case, the complainant lodged a complaint with the Expert Committee stating that as the former employee of a data controller he was entitled to a transportation card benefit following his employment with the data controller. The data controller sent an email informing the complainant that he could be issued a transportation card via an electronic system, with the condition that he must first provide his personal data in order to access the transportation card issuance system. Subsequently, the complainant received another email from the data controller reporting that his transportation card benefit had been suspended, and that he had accepted this suspension when he gave consent to the processing of personal data as required by the data controller. This was contrary to the complainant’s understanding that the consent was for the issuance of a transportation card only, rather than for the suspension of his rights.
The Expert Committee ordered that:
- The data controller must amend its consent request form to be consistent with the purposes notified to the data subjects;
- The consent must be freely given by the data subject;
- The consent must not be conditional; and
- The data controller must not rely on such consent to suspend other rights of the complainant.
Also, the data controller must notify the Office of the PDPC of the outcome of remedial actions pursuant to the above order or take any action to suppress damage within 30 days from the date of receiving the order.
November 15 Decision
The complainant in this case lodged a complaint with the Expert Committee stating that his name and an image of his medical license were acquired by another person who pretended to be a licensed healthcare professional, which resulted in service recipients and the public being misled and the complainant suffering damage to his reputation. The Expert Committee, however, stated that the facts of the case and the information provided by the complaint did not verify that the accused is a data controller who violated or failed to comply with the PDPA, and therefore, the Expert Committee was unable to make a determination on the complaint. Considering these facts, the Expert Committee decided to reject the complaint.
Takeaways
These cases indicate an end to the relaxation of Thailand’s enforcement of its PDPA. As data subjects gain more awareness of their rights over their personal data, more complaints are likely to be lodged with the Expert Committee if data subjects suspect that their personal data is not handled or processed properly by data controllers or data processors. Since the PDPA has been fully effective for over a year, the Expert Committee may be prepared to start taking more serious actions in imposing administrative fines and penalties. Organizations should thus take extra care in ensuring that they stay in compliance with the PDPA.
Tilleke & Gibbins will continue to monitor the development of the PDPA and provide updates as they emerge. If you have questions about the PDPA or any other aspect of data compliance in Thailand, please contact any member of the Tilleke & Gibbins PDPA team, including Nopparat Lalitkomon at nopparat.l@tilleke.com, Gvavalin Mahakunkitchareon at gvavalin.m@tilleke.com, Thammapas Chanpanich at thammapas.c@tilleke.com, Wilin Somya at wilin.s@tilleke.com, and Punyavee Koaysomboon at punyavee.k@tilleke.com.