Episode 1 – The Legal Basis for Collecting & Processing Personal Data
Watch this brief, concise and easy-to-follow 4 minutes video to give yourself a proper and informed understanding on Thailand’s Personal Data Protection Act (“PDPA”) – the first comprehensive personal data protection law in the country’s history, the regulatory framework in place and what this means for the organizations conducting businesses in Thailand.
As June 2021 approaches, many companies in Thailand are focusing on and racing towards the implementation of compliance mechanisms in advance of the adoption of the PDPA, Thailand’s new and all-encompassing data protection legislation.
The PDPA will significantly impact businesses that handle personal data and it sets out heavy fines and penalties which will be imposed on organizations that mishandle the clients’ personal data.
Ng Woan Na (Regional Legal Adviser, China Desk) discusses how organizations in Thailand can adapt their practices and stay in compliance with this new piece of legislation while collecting, processing, transferring and disclosing the personal data of their clients to third parties. She provides an insightful and accessible jargon-free overview on the legal standards that organizations in Thailand need to abide by when dealing with personal data and how to ensure proactive and preventative compliance measures for the purpose of avoiding heavy fines and penalties.
The Thai government has, after a lengthy process of drafting, public consultations and revisions, finally published the Personal Data Protection Act (also known as the PDPA) in the Royal Gazette in May 2019.
And for that, we are very happy to hear that this piece of new legislation which was largely inspired by the European Union’s General Data Protection Regulation (also known as the EU GDPR) is set to come fully into force on 1 June this year.
It represents Thailand’s first comprehensive regulatory framework for the protection of personal data and it will certainly, to a great extent, build trust amongst businesses and foreign investors, as they will be more comfortable to transact through online transactions and have much stronger ways of taking action where they may have encountered fraud.
Even so, we understand that this piece of new legislation has left many with some serious questions about what exactly Thailand’s new data protection law means for them in a practical sense.
The most pressing issue for most businesses affected by Thailand’s PDPA is that business entities must ensure that they have a clear legal basis when it comes to collecting and processing personal data, especially where it involves collecting, processing, transferring and disclosing the personal information of clients to third parties.
Much as with the EU GDPR and other similar regulations, “consent” has been regarded as the most typical legal basis and has been talked about the most, and for very good reasons. It is usually seen as the most straight-forward and uncomplicated method of legally collecting and processing personal data.
However, if we carefully read through the Thai PDPA provisions, we would realize that consent is not the only legal basis which businesses can rely upon. Based on our advisory experience, many businesses have tended to overlook the fact that there are other lawful grounds which they may be able to rely on.
For example, where processing of personal data is necessary for the performance of contractual obligations – a simple practical example include where consumers (such as you and I) sign up for Lazada e-commerce services, we will need to agree to a list of terms and conditions which will ultimately form the contractual terms; and for Lazada’s performance of services, we are expected to provide details such as, delivery address and bank account details for payment purposes. So in such instances, Lazada does not need to obtain our consent in sharing personal information to third parties such as, the courier service provider and banking institutions. Instead they may be able to rely on the legal basis of contractual necessity and obligations.
Basically, consent should not be the first resort when it comes to establishing legal basis. It should be the last.
Simply because consent can be withdrawn and revoked at any given time by the owner of the personal data; and the Thai PDPA imposes a number of requirements on how consent is to be obtained from individuals and businesses, so as to ensure that they are well-informed, and that consent is freely given. For example, consent requests must now be separated from other matters and be presented in a clear manner. This means consent requests can no longer be in small print; customers have to be clearly told about what permission they are giving when it comes to collection of their personal data and they must indicate that they understand the significance of doing so.
The outcome of noncompliance towards the PDPA provisions should not be taken lightly. It involves heavy fines and penalties of up to 5 million Thai Baht and as well as other potential civil and criminal liabilities and not to mention that it would squander the faith and trust which existing and potential customers may have placed in you.
So when we consider all of this, and to ensure that you are fully prepared for when the new Act comes fully into force, there are some key recommendations and steps which we strongly recommend businesses to handle personal data do. Firstly, to review the types of personal data which are really required of and are necessary as part of running a business. And following the review, try to identify, perhaps through consultations with professionals, the suitable legal basis when it comes to processing personal data. The review process should also focus on identifying potential risks involved in processing personal data – which would ultimately allow you to formulate control measures suitable for the collecting and processing of the personal data of your clients or customers.