Grant Thornton Tax and legal update: New Guidelines Issued on Personal Data Protection
On 20 June 2022, the government published four notifications (“Notifications”) supplementary to Thailand’s Personal Data Protection Act 2019 (“PDPA”).
The Notifications set out the legal definitions, rules, criteria, and conditions for several key terms relating to the PDPA, including penalties for non-compliance with the PDPA. The significant points of the Notifications are summarized below:
1. Types of entities exempted from maintaining data controller records (Effective Date: 21 June 2022)
Section 39 of the PDPA requires the data controller to maintain records as specified under that section. This Notification prescribes six types of small organization that are exempted from the duty to maintain records under this section, as follows:
- Small and medium-sized enterprises (SMEs)
- Community enterprise
- Social enterprise or social enterprise group
- Co-operative or agricultural group
- Foundation, association, religious organization, or non-profit organization; and
- Business household or similar
The exemption does not apply to an entity that is required to retain computer traffic data under the Computer Crime Act, even if it falls within one of the categories above.
2. Security and safety measures for the data controller (Effective Date: 21 June 2022)
This Notification sets out the minimum requirements that the data controller must meet to maintain appropriate security and safety measures.
The minimum standard for security and safety measures must adhere to the three key principles specified by this Notification, being:
- Confidentiality of personal data;
- Integrity of personal data; and
- Availability of personal data
The security and safety measures must address several specified matters, including conditions for collecting personal data in electronic form, and user authentication or identity verification for access to personal data on a need-to-know basis and in accordance with the principle of least privilege (i.e., each user is granted only the access required for their role).
Furthermore, the security and safety measures must be reviewed and updated from time to time to ensure continued compliance with the PDPA.
3. Rules and methods for maintaining records of personal data processing activities (“ROPA”) (Effective Date: 180 days after publication in the Government Gazette)
The data processor is obligated to prepare and maintain a ROPA, whether in writing or electronically, in accordance with the PDPA. The records must contain at least the following information:
- Name and information of the data processor or their representative (if any);
- Name and information of the data controller on whose behalf the data processor is acting;
- Name, information, contact details of the data protection officer (DPO) and method for contacting the DPO;
- Categories or types of personal data, and the purposes of the collection, use, or disclosure that the data processor carries out on the instructions given by or on behalf of a data controller;
- Details of the person or organization to whom the personal data is sent or transferred, where the personal data will be sent or transferred abroad;
- Details of the security measures under section 40, paragraph one (2) of the PDPA.
4. Rules for imposing administrative penalties (Effective Date: 21 June 2022)
Violations of the PDPA are punishable by administrative fines (up to THB 5 million), and the Personal Data Protection Committee (“PDPC”) is authorized by law to impose them. This Notification sets forth the rules and procedures the PDPC must follow in exercising its administrative powers, including:
- The methods to issue notification for the execution of administrative orders on an urgent basis;
- Key factors in determining the administrative penalty, e.g., the details and severity of the circumstances of the violation, the size of the business, the level of damage, and any compensation paid;
- Considerations to be taken in issuing an order to impose an administrative fine for severe and non-severe non-compliance;
- Authorization to appoint the administrative sanction officers;
- Authorization to seize, freeze, or auction the assets of a data controller who fails to settle the fine within the prescribed time.
What businesses need to be aware of:
- Determine whether your company is required to maintain the data controller records.
- Review your current data controller records and ROPA.
- Ensure that the appropriate security and safety measures are in place for the company.
- Appoint the authorized person(s) to manage compliance and respond to instances of non-compliance.