Impact of the Personal Data Protection Act B.E. 2562 (2019) on Business Operators

In this article we shall examine and discuss certain aspects of the Personal Data Protection Act B.E. 2562 (2019) (PDPA) and the obligations it shall impose on Business Operators that collect and use Personal Data[1] of their customers, suppliers, contractors or their employees (collectively the “Data Owner(s)”).[2] It is also worth noting that a Royal Decree has postponed the enforcement of most sections in the PDPA by a year (until 31 May 2021).

Requesting Consent from a Data Owner of Personal Data

Under the PDPA, a Business Operator is permitted to collect, use and disclose received Personal Data, provided that the received information comes from lawful processing. This means that the Business Operator must have received consent from the Data Owner in the form of a legally compliant request for consent. To have a legally compliant request for consent, the following requirements must be met:

  1. The request must be made expressly in writing or via an electronic system, unless a certain condition makes it impossible to seek the consent using such method.
  2. The request for consent must be separated clearly from the other statements.
  3. The request should be in an easily accessible and understandable form, hence such form should avoid complicated or confusing vocabulary.
  4. The request must not deceive or mislead the Data Owner about the purpose for collecting their Personal Data.
  5. The request for consent must also set out the following details:
    • The rights of the customer/Data Owner (see below for more information on these rights).
    • What information shall be collected from the Data Owner.
    • How such Personal Data shall be used and disclosed.
    • The objectives/purpose of the Personal Data processing, because the Customer/Data Owner has the right to know what his or her Personal Data will be used for and in what way.
    • How long the Personal Data shall be kept for;[3] and
    • Basic information about the Business Operator (including contact details and contact details of the Personal Data Protection Officer for the company).

When Is Consent Not Required from a Data Owner?

In some cases, a Business Operator is not required to obtain consent from a Data Owner. The PDPA provides that a Data Controller[4] must not collect Personal Data without obtaining the consent of the Data Owner, unless:

  • It is for the purpose of achieving such objective(s) relating to the preparation of historical documents or chronicles for public benefit or to studies, research or statistics, to which appropriate safeguarding measures have been made available to protect the rights and liberties of the Data Owner, as notified and prescribed by the Committee set up under the PDPA.
  • It is for the purpose of preventing or stopping danger to life, body or health of individuals.
  • It is required for compliance with an agreement to which the Data Owner is a party or for use in the processing of a request of the Data Owner before the entry into such agreement.
  • It is required for the performance of the duty to carry out a task(s) for public benefit of the Data Controller or the duty to exercise state powers granted to the Data Controller.
  • It is required for the lawful benefit of the Data Controller or of any other individual or juristic person than the Data Controller, except where such benefit is less important than the fundamental rights to the Personal Data of the Data Owner.
  • It is for compliance with the laws by the Data Controller.

Impact if Request for Consent Does Not Meet Legal Requirements?

If a request for consent is not legally compliant, then it shall not bind the Data Owner and the Business Operator shall not be permitted to process the Customer’s/Data Owner’s Personal Data received thereby. It may also result in the Business Operator being subject to civil and criminal liability and an administrative fine.

Rights of the Data Owner and the Impact on Business Operators

There are eight (8) rights available to a Data Owner, of which they must be informed in the request for consent. These are as follows:

  1. The right to withdraw their consent.
  2. The right to access their Personal Data.
  3. The right to portability of their Personal Data.
  4. The right to object to the processing of their Personal Data.
  5. The right to be forgotten.
  6. The right to restrict the processing of their Personal Data.
  7. The right to correct their Personal Data.
  8. The right to complain.


  1. Right to Withdraw Consent

The Data Owner of Personal Data can withdraw their consent at any time and the Business Operator must inform the Data Owner of the consequences of their withdrawal.

  2. Right to Access Personal Data

The Data Owner can ask the Business Operator to enable them to access their collected Personal Data. Moreover, the Data Owner can also request copies of their collected Personal Data. A Business Operator must provide the requested information as per the customer’s/Data Owner’s request and without any conditions attached thereto. If a request cannot be refused, then the Data Controller must provide such information within thirty (30) days counting from the date of their receipt of the request.

However, there are certain cases where a refusal to provide such information can be legally made by a Business Operator such as where access to such information is prohibited by law or where a court orders that access to such information is not permitted.

  3. Right to Portability

A Data Owner can ask a Business Operator to transfer their Personal Data to another business operator. In such case, the Business Operator must do so except where the Personal Data is used to serve the public interest or where the Business Operator is compelled by a court order to keep such information or where the transfer of such Personal Data may violate the rights of others.

  4. Right to Object

If a Business Operator receives Personal Data through an illegal practice (e.g. without valid consent being given), or aims to use such information for direct marketing or for research purposes, then the Data Owner of such Personal Data can exercise their right to object thereto. If an objection is made by the Data Owner, then the Business Operator must surrender their right to collect, use and disclose the Personal Data. In this case, a government authority can also compel the Business Operator to delete such information.

If the Data Owner has exercised the right of objection above, then the Data Controller cannot continue collecting, using or disclosing such Personal Data. Moreover, the Data Controller must separate it clearly from the other Personal Data immediately upon the Data Owner having notified the Data Controller of such objection.

If the Data Controller denies the objection for a reason provided under this section, then he/she/it shall enter the denial of such objection, together with the reason, in the official record.

  5. Right to be Forgotten

In the request for consent, the period of retention must be specified, hence when such agreed period has expired, the Business Operator is obliged to delete the information from its database/systems/files. Moreover, the Business Operator must delete the Data Owner’s Personal Data when their consent is withdrawn or if they make an objection according to their right to object or if there is an illegal practice which has been found and reported.

The PDPA provides that the Data Owner has the right to request that the Data Controller take steps to erase or destroy the Personal Data or disable it from identifying the Data Owner in certain cases such as where it is no longer necessary to keep the Personal Data in accordance with the purpose(s) of the collection, use or disclosure.

  6. Right to Restrict Processing

A Data Owner of Personal Data can exercise such right if it is found that the information was gathered using an illegal practice, or the gathered Personal Data is no longer necessary for the purposes of the Business Operator, or if a legitimate objection to processing is made. In addition, if the owner of such Personal Data has any doubts about the accuracy of such information, then they have the right to submit a request to the Business Operator to inspect such information. During such inspection, the processing must be restricted. When a Business Operator receives a restriction request or an issue of accuracy arises, the processing of such Personal Data must stop. If the Business Operator fails to stop processing such Personal Data, then the Business Operator may be forced to stop the processing by a governmental authority.

  7. Right to Correct Personal Data

The Data Owner of Personal Data has a right to request the Business Operator (who possesses such data) to make it correct, up-to-date, complete and not misleading.

  8. Right to Complain

A Data Owner has the right to complain in the case where a Data Controller or Data Processor, including an employee or contractor of the Data Controller or Data Processor, has violated or failed to comply with the PDPA or notifications issued under this Act.


Dharmniti Law Office Co., Ltd.

2/2 Bhakdi Building 2nd Floor, Wireless Road, Lumphini, Pathumwan, Bangkok 10330 Thailand

Tel: (66) 2680 9710

Fax: (66) 2680 9711

E-mail: ryan@dlo.co.th or pongkans@dlo.co.th

[1] Personal Data means the Data Owner’s personal information which can identify such person either directly or indirectly.

[2] This means the person/individual who owns the Personal Data. In many cases this will be the customer of a business, but in other cases it can also be others, such as the employees of a business.

[3] If such period of time cannot be specified clearly in the request for consent, then a period of time that can be anticipated according to standards of collection should instead be specified.

[4] ‘Data Controller’ means the individual or juristic person which has the power and duty to make decisions about the collection, use or disclosure of Personal Data; for example, in most commercial cases this shall be a ‘Business Operator’.