Thailand issues PDPA guidelines on consent and personal data collection
On 7 September 2022, the Personal Data Protection Commission (“PDPC”) published the first two guidelines issued under the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), which fully came into force on 1 June 2022. The PDPC intends the guidelines to clarify the framework for personal data controllers and to detail how the parties involved should apply and implement it correctly, thereby enhancing the protection of personal data in practice.
By virtue of section 16(3) of the PDPA, the PDPC has issued the guidelines as follows:
- the guideline for requesting consent from personal data subjects under the PDPA (“Requesting Consent Guideline”); and
- the guideline for notifying the objectives and specifics of personal data collection under the PDPA (“Notifying the Objectives and Specifics Guideline”).
The Requesting Consent Guideline and the Notifying the Objectives and Specifics Guideline are hereinafter collectively referred to as the “Guidelines”.
Key details under the Requesting Consent Guideline
Types and criteria for requesting consent
Where a specific law, regulation or supervisory authority prescribes a designated form or context for requesting consent, the data controllers shall follow the compulsory standard form as determined by that regulatory authority.
Where no specific law, regulation or supervisory authority prescribes such a form, the data controllers shall either use the voluntary standard form provided under the Requesting Consent Guideline or prepare their own consent form in compliance with it.
Criteria for requesting consent
Unless exempted under section 24 (lawful bases) or section 26 (sensitive data: racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or any other data which may affect the data subject in the same manner, as prescribed by the PDPC) of the PDPA, the data controllers shall request consent from the data subjects for the collection of personal data, subject to the following:
- consent must be requested prior to or at the time of the collection, use, and disclosure of the personal data;
- the data controllers must notify the data subjects of the objectives and specifics of the consent request before consent is given;
- the consent request must state a specific purpose, not a general one;
- the consent request must be clearly separated from other parts of the document, and the information or forms must be easy to understand and not misleading;
- consent must be freely given, i.e., without fraud, deception, intimidation or misunderstanding; and
- consent must not be conditional: data subjects cannot be forced to enter into agreements or accept any services as a condition of giving consent.
The guideline describes the nature of the consent required by law, known as explicit consent, which may be given in writing or by electronic means unless this is not possible by its nature. Explicit consent, in both the request and the grant, means that the data subject expressly consents to the stated terms. Where consent is given in writing, the data controllers may require the data subject’s signature for clarity and to avoid ambiguity; the forms can then serve as evidence in the future.
Apart from the written form, explicit consent can be given in several other ways, e.g., filling out forms via electronic systems, sending an email, or using an e-signature that identifies the data subjects and their intent.
The Requesting Consent Guideline further explains that consent is withdrawn by the same method used to request it. Withdrawal must not impose additional burdens, expenses, or procedures on the data subjects beyond those involved in giving consent, and must not render the services ineffective.
The Requesting Consent Guideline also specifies the practice for requesting consent from a minor, an incompetent person, or a quasi-incompetent person. This is largely the same as for any other person, except that additional requirements, such as age verification and easy-to-understand language or methods, are added. For minors under the age of 10, consent shall be given by the holder of parental authority.
Key details under the Notifying the Objectives and Specifics Guideline
In general, notifying the objectives and specifics of personal data collection must be clear and can be fulfilled via different types of communication channels: oral, written, and electronic. Other details are specified in the Notifying the Objectives and Specifics Guideline, as follows:
Types and criteria for notifying the objectives and specifics of personal data collection
Where a specific law, regulation or supervisory authority has designated rules, methods, or guidelines for notifying the objectives and specifics that do not contradict the PDPA, the data controllers shall follow those rules, methods, or guidelines, provided that their standards are not lower than those of the Notifying the Objectives and Specifics Guideline.
Where no specific law, regulation or supervisory authority has designated rules, methods, or guidelines for notifying the objectives and specifics, the data controllers shall comply with the Notifying the Objectives and Specifics Guideline.
Principles for notifying objectives and specifics of collection of the personal data
- Fairness – in the collection, use, and disclosure of personal data, data controllers must consider the potential impacts on data subjects and declare them to data subjects prior to or at the time of the collection, as well as ensure that the language and context in the notification are clear and easy to understand.
- Purpose limitation – the notified objectives and specifics must be specific, explicit, lawful and sufficient to determine whether the data controllers can lawfully process the data subjects’ personal data or whether the processing exceeds the scope of the collection of personal data.
- Consent – if the exceptions for requesting consent specified in sections 24 or 26 of the PDPA are not met, consent will be required for the collection of personal data. The notified objectives must be clear enough for the data subjects to understand without any deception, intimidation, or misunderstanding.
- Legitimate interest – where the data controllers claim that the collection of personal data is justified by a “legitimate interest”, the collection process must be carried out with extra care to protect the interests of the data subjects and to avoid negative consequences for them.
Types of the collection of personal data
Personal data collection is classified into two types: (a) personal data collected directly from data subjects, and (b) personal data collected from other sources. The details of notifying objectives and specifics of each type will differ as follows:
For personal data collected directly from data subjects, the data controllers must notify the data subjects of the following prior to or at the time of the collection of personal data:
- objectives of the collection including the objectives under section 24 of the PDPA;
- the data subjects’ legal or contractual obligations to provide the data, as well as the potential impacts in the event that the data subjects do not provide it;
- the personal data to be collected;
- the retention period of the personal data. If it is not possible to specify the retention period, the expected retention period according to the data retention standard shall be specified. When the retention period ends, the data controllers must immediately delete or destroy the personal data;
- the categories of persons or entities to whom the collected personal data may be disclosed;
- information, name, and details including address, as well as contact channels of the data controllers, representatives or data protection officers (DPO) (if any);
- details of any sending or transfer of personal data to a foreign country; and
- data subjects’ rights including the right to withdraw their consent (if they have given consent) and the right to file a complaint on non-compliance with the PDPA.
Furthermore, personal data cannot be collected from other sources unless the data controllers notify the data subjects of the collection without delay, and no later than 30 days after collecting the personal data from those sources. Data controllers will also need to obtain consent from the data subjects unless exempted from requesting consent under sections 24 and 26 of the PDPA.
In terms of notifying the objectives and specifics, the data controllers shall notify the data subjects within 30 days from the date of the data collection. Where the personal data is used in order to contact the data subjects, the data controllers must notify at the time of the first contact. Also, the data controllers must notify prior to the disclosure of such personal data.
According to the Notifying the Objectives and Specifics Guideline, prior to collecting, using, and disclosing personal data which is collected from other sources and without data subjects’ consent and acknowledgement, the data controller should:
- conduct a Data Protection Impact Assessment (DPIA) to specify and assess the risks and potential damages from using or disclosing the personal data, or to consider whether it may affect the rights and freedom of data subjects;
- notify the objectives or specifics, which shall be done in format or context that the data subjects can easily understand;
- designate the retention period of personal data; and
- consider whether there is legal ground(s) to do so.
Exemptions from notifying the objectives and specifics of personal data collection where personal data is collected from other sources
The data controllers are not required to notify the data subjects of new objectives for the data collection under section 21, or of the objectives and specifics of personal data collected from other sources under section 23, when requesting consent from the data subjects in the following cases:
- the data subjects have known all new objectives and specifics;
- the data controllers have proved that notifying the new objectives and specifics is either impossible or an impediment to using or disclosing personal data. Several factors will be considered when claiming this exemption, including the amount and quantity of collected, used, and disclosed personal data, the age of data subjects, and measures to prevent damage from using or disclosing personal data;
- the use or disclosure of the personal data is urgently required by law and the data controllers have taken appropriate measures to protect the data subjects’ interests; and
- personal data has been collected, used, or disclosed by data controllers in accordance with their duties, occupation, or profession.
The Guidelines provide clarity on the provisions of the PDPA and their implementation. The examples they contain make it easier for those involved in the processes to request consent or to notify the objectives and specifics of personal data collection. As a result, in the long run, they will more than likely make the protection of data subjects more effective.
This alert is for general information only and is not a substitute for legal advice.