Legal Insight / Data Controller and Data Processor under the Personal Data Protection Act B.E. 2562 (2019) (Translated into English)
This is the English translation of “ผู้ควบคุมข้อมูลส่วนบุคคล และ ผู้ประมวลผลข้อมูลส่วนบุคคลตามพระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562”, posted on 2020.04.14.
The Personal Data Protection Act B.E. 2562 (the “Act”) was published in the Royal Gazette on May 27, 2019. The Act covers the protection of a natural person’s Personal Data that is collected, used, or disclosed by a Data Controller or a Data Processor located in the Kingdom of Thailand, as well as by a Data Controller or a Data Processor located outside the country whose activities concern the collection, use, or disclosure of Personal Data of a person who is in the Kingdom of Thailand.
The chapters on Personal Data Protection and on the rights of the data subject, together with the other chapters apart from Chapters 1 and 4, come into full force on May 27, 2020. The Act contains provisions on Personal Data Protection, the rights of the data subject, the duties of a Data Controller and a Data Processor, civil liability, administrative penalties, and criminal liability, i.e., a fine, imprisonment, or both.
What is Personal Data
Personal Data, according to Section 6 of the Act, means “any information relating to an individual person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased persons in particular.” In other words, it is any information from which the recipient can identify the data subject, whether the information identifies the person directly or only indirectly, once combined with other information, e.g., a personal email address, photos, a mobile number, etc.
Apart from the Personal Data described above, Sensitive Data is a further category of Personal Data whose collection is prohibited without the explicit consent of the data subject. Sensitive Data is described in Section 26: “Any collection of Personal Data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner…”
Data Collection with consent is permitted
Consent is a crucial point of this Act. Section 19 of the Act prescribes, “The Data Controller shall not collect, use, or disclose Personal Data unless the data subject has given consent prior to or at the time of such collection, use, or disclosure… Paragraph 2, A request for consent shall be explicitly made in a written statement, or via electronic means. Paragraph 3, Such request for consent shall be presented in a manner which is distinguishable from the other matters, in an easily accessible and intelligible form and statements…”.
Additionally, a Data Controller must inform the data subject of the purposes of the collection, use, and disclosure of Personal Data; for example, a company collects its employees’ personal data for its employee records. Any action involving such Personal Data must therefore be carried out with the consent of the data subject and within the limits of the consent given. In particular, the collection of Sensitive Data, and the request for consent to it, must be handled with care: a Data Controller must inform the data subject of the purpose of the collection, must not collect more data than is necessary, and must not collect it without explicit consent.
Meanwhile, the Act provides certain exceptions under which a Data Controller is permitted to collect, use, or disclose Personal Data without consent, but only for the following purposes:
- For historical archives, research, or statistics;
- To prevent or suppress a danger to a Person’s life, body, or health (Vital Interest);
- To carry out a task in relation to a contract between a Data Subject and a Data Controller;
- To carry out a task in the public interest;
- To pursue the legitimate interests of a Data Controller; or
- To comply with a law to which the Data Controller is subject (Legal Obligation).
In such processing, a Data Controller must record the use or disclosure of the collected data in the records required by Section 39.
A Data Controller and a Data Processor
A Data Controller, according to Section 6 of the Act, means “a Person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.” In other words, a Data Controller is a person whose duty is to collect, use, and disclose Personal Data for the purpose previously notified to the data subject. A Data Controller also has the power to decide on the collection, use, and disclosure of the Personal Data, and is directly responsible to the data subject. For example, a company collects Personal Data for marketing or to create a user account for a data subject, or a person collects Personal Data to deliver goods, and so on.
A Data Processor, according to Section 6 of the Act, means “a Person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data according to the orders given by or on behalf of a Data Controller, whereby such Person or juristic person is not the Data Controller.” In other words, a Data Processor is a person who carries out tasks relating to the collection, use, and disclosure of Personal Data only on the orders of a Personal Data Controller, and is not allowed to carry out such tasks on its own decision. A Personal Data Processor may be a juristic person hired by a Personal Data Controller to perform such tasks. When a Personal Data Processor carries out a task beyond the extent of, or without, an order from the Personal Data Controller, the Personal Data Processor is regarded as a Personal Data Controller. Examples of a Personal Data Processor are a research company that receives Personal Data from a Data Controller to conduct marketing research, or an express delivery company that receives Personal Data from a Data Controller for shipping.
Duties of the Personal Data Controller and the Personal Data Processor
Duties of the Personal Data Controller under Sections 37, 39, and 41 of the Act are as follows:
- To provide appropriate security measures: The Data Controller shall determine measures to prevent the unauthorized or unlawful loss, access to, use, alteration, correction, or disclosure of Personal Data. Such measures must be reviewed when necessary, or when the technology has changed, in order to maintain appropriate security and safety effectively, and they shall also meet the minimum standard specified and announced by the Committee;
- To provide protection measures: When providing Personal Data to a third party, the Data Controller shall determine measures to prevent unauthorized or unlawful use or disclosure by that third party;
- To establish or manage an examination system for the erasure or destruction of Personal Data: The Data Controller shall have an examination measure in place to erase or destroy Personal Data when the retention period ends, when the Personal Data is irrelevant or beyond the purpose for which it was collected, when the data subject has requested it, or when the data subject withdraws consent;
- To notify the breach: The Data Controller shall notify the Office of any Personal Data breach within 72 hours after having become aware of it;
- To designate the representative: The Data Controller shall appoint, in writing, a representative of the Data Controller who must be in the Kingdom of Thailand and be authorized to act on behalf of the Data Controller without any limitation of liability concerning the collection, use or disclosure of the Personal Data according to the purposes of the Data Controller;
- To prepare the records in accordance with Section 39 of the Act (where applicable): The Data Controller must keep records, in either written or electronic form, that enable the data subject and the Office to inspect the following:
  - The categories of Personal Data collected;
  - The purposes of the collection of Personal Data in each category;
  - Details of the Data Controller;
  - The retention period of the Personal Data;
  - The rights and methods of access to the Personal Data, including the conditions regarding the persons having the right to access the Personal Data and the conditions for such access;
  - Any use or disclosure of such Personal Data that is exempted from the consent requirement;
  - Any rejection of a request or objection of the data subject; and
  - An explanation of the appropriate security measures for such Personal Data.
  This provision does not apply to small organizations meeting criteria to be determined by the Committee in the future.
- To designate a Data Protection Officer in accordance with Section 41 (where applicable): The Data Controller and the Data Processor must appoint a Data Protection Officer if the Data Controller or Data Processor is a public authority, or if its core activities involve operations that require regular, large-scale monitoring of Personal Data or of the system. The Data Protection Officer then has the following duties:
  - To keep such Personal Data confidential;
  - To provide advice relating to such Personal Data to the Data Controller or the Data Processor, including the employees concerned;
  - To inspect the performance of the Personal Data Controller or the Personal Data Processor in complying with the Act; and
  - To coordinate and cooperate with the Office.
  The Act also protects the Data Protection Officer: “The Data Controller or the Data Processor shall not dismiss or terminate the Data Protection Officer’s employment by the reason that the Data Protection Officer performs his or her duties under this Act.”
Duties of the Personal Data Processor under Section 40 of the Act are as follows:
- To carry out activities relating to the collection, use, or disclosure of Personal Data only as ordered by the Data Controller: The Data Processor shall comply with the Data Controller’s orders unless an order is contrary to law. When a Personal Data Processor carries out a task beyond the extent of, or without, an order from the Personal Data Controller, the Personal Data Processor is regarded as a Personal Data Controller itself;
- To determine appropriate security measures: The Data Processor shall determine measures to prevent the unauthorized or unlawful loss, access to, use, alteration, correction, or disclosure of Personal Data, and shall notify the Data Controller of any Personal Data breach that occurs;
- To prepare and maintain records of Personal Data processing activities: The Data Processor shall keep records in accordance with rules to be determined by the Committee in the future. This duty is distinct from that of the Data Controller under Section 39; and
- To designate a Data Protection Officer (the same duty as that of the Data Controller) (where applicable): The Data Processor must appoint a Data Protection Officer in the same circumstances as the Personal Data Controller.
The Personal Data Protection Act B.E. 2562 is an effort to protect the Personal Data of Thai citizens, and it significantly affects the business operations of every organization. All business operators should therefore consider whether their organization already has the required data processing systems in place. Those who fail to comply with the Act are liable to compensate the data subject under civil liability, i.e., compensatory damages and punitive damages, which may be up to twice the compensatory damages; to criminal penalties of imprisonment not exceeding one year, a fine not exceeding 1,000,000 THB, or both; and to administrative penalties of a fine of up to 5,000,000 THB.
At present, the Office of the Personal Data Protection Commission (PDPC) plans to issue additional measures for Personal Data Protection in the future. Entrepreneurs should study and keep up with the Act while preparing the necessary systems in their organizations, e.g., a data collection system, consent from data subjects, responsible officers, etc., so as to be ready for the upcoming change and to protect the rights of data subjects to a proper standard of safety.
Translated by Kanyakorn Sakulpram