Consent or Exception; which way is better under the Thai Personal Data Protection Act?
The Thai Personal Data Protection Act BE 2562 (2019) (“PDPA”) sets out the general legal framework governing how a business is required to collect, use and disclose personal data. Although the PDPA has been in full effect since 1 June 2022, over a year, there is still uncertainty as to how certain requirements apply. In particular, the most important question is the legal basis on which personal data may lawfully be collected, used and disclosed under the PDPA. According to Section 19 of the PDPA, a Data Controller shall not be able to collect, use and disclose personal data unless a data subject grants their consent before or at the time of such collection, except where the PDPA or other applicable laws allow a Data Controller to do so without the data subject’s consent.
It is common practice under Thai legal norms that any exceptions must be strictly applied, which should mean that consent should be a Data Controller’s main focus. On that reading, a Thai business should obtain a “data subject’s consent” for all activities to the fullest extent possible. However, pursuant to a case study published on the Ministry of the Digital Economy and Society’s website, such an interpretation may no longer hold. The Thai Personal Data Protection Committee, by way of its ad hoc sub-committee, responded to a question raised to it, stating that when a Data Controller relies on a request for consent, if a data subject refuses to give consent, the Data Controller can no longer rely on any exception to consent under the PDPA, and thus will not be able to collect personal data for the said purpose.
Consequently, although the said response has no legally binding effect, it nevertheless implies that a Data Controller must not rely on consent when it can rely on an exception to consent. It is thus good practice for a business to consider, for each activity, whether to request a data subject’s consent or to rely on an exception to consent. The exceptions under the PDPA that permit personal data to be collected, used or disclosed without a data subject’s consent should be carefully considered and are summarised for easy reference, as follows:
Personal Data (that is not under the category of Sensitive Personal Data)
PDPA | Exception |
---|---|
Section 24(1) | Where it is for preparation of historical documents in order to archive for public interest, or for a purpose relating to research or statistics (‘Research’). |
Section 24(2) | Where it is for preventing or suppressing danger to a person’s life, body or health (‘Vital Interests’). |
Section 24(3) | Where it is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (‘Contract’). |
Section 24(4) | Where it is necessary for the performance of a task carried out in public interest by the Data Controller (‘Public Task’). |
Section 24(5) | Where it is necessary for the legitimate interests of the Data Controller or another person (either individual or juristic person) who is not a Data Controller, except where such interests are overridden by the fundamental rights of the data subject (‘Legitimate Interests’). |
Section 24(6) | Where it is for the Data Controller’s compliance with law (‘Legal Obligation’). |
Sensitive Personal Data
PDPA | Exception |
---|---|
Section 26(1) | Where it is to prevent or suppress a danger to the life, body or health of a person, where the data subject is incapable of giving consent for whatever reason. |
Section 26(2) | Where it is carried out in the course of legitimate activities with appropriate safeguards put in place by the foundations, associations or any other non-profit bodies with political, religious, philosophical or trade union purposes, for their members, former members or persons having regular contact with them in connection with their purposes; without disclosing the personal information outside of such foundations, associations or non-profit bodies. |
Section 26(3) | Where it is information that is disclosed to the public with the explicit consent of the data subject. |
Section 26(4) | Where it is necessary for the establishment, compliance or exercise of legal claims, or defence of legal claims. |
Section 26(5) | Where it is necessary for compliance with a law to achieve purposes in respect of specific matters described in the PDPA. |
This is intended merely to provide a regulatory overview and not to be comprehensive; it is NOT a provision of legal advice. Should you have any questions on this or on other areas of law, please contact the following:
Chanakarn Boonyasith
Partner
Pitchabsorn Whangruammit
Associate (Attorney-at-Law)
Chanakarn has particular in-depth expertise in the practical side of the legislative system of labour & employment law and personal data protection law. For the Labour & Employment practice, she engages in both advisory work and litigation, as well as drafting and reviewing legal documents, negotiating settlements, interviewing employees (particularly those accused of wrongdoing), managing whistleblowing hotlines and processes, providing trainings and various types of employment law advice, and representing clients in numerous court cases and in hearings before the labour authorities. For the Personal Data Protection practice, she assists her clients through the entire process, from providing training, analysing how clients handle personal data transactions, summarising clients’ data flow, providing legal advice, and drafting necessary legal documents for her clients. Chanakarn’s strategy is to provide detailed, accurate advice and flexible solutions, adapted to meet her clients’ needs. She excels in simplifying complex matters and equipping her clients to make the right decisions. She receives consistently strong feedback from her clients regarding the quality of her work. She has been ranked for labour and employment practice in Chambers Asia Pacific 2022 and 2023.