There is no specific law on data protection for the private sector in Thailand at present. The data protection under the Official Information Act B.E. 2540 applies only to information or data in the possession of the government authorities.
However, a draft law on "Data Protection" (the "Bill"), which addresses the handling of data and information by the private sector, is currently under consideration by the Council of State.
The Bill shall apply to the processing of Personal Data by the Personal Data Processor, which is an individual person, organisation or government authority with a business or commercial purpose responsible for processing Personal Data.
The Bill defines "Personal Data" as any information or data that relates to an identified natural person, or that can identify a natural person by reference to the facts, data or any other materials about that natural person. The information or data may be in the form of documents, files, reports, books, charts, portraits, photos, films, recorded images or sounds that may be kept or stored in computer machines or in any other means that can be used to make the recorded information or data seen. The Personal Data shall also include facts about or behaviours of the deceased.
The general principle of the Bill is to give persons, called Data Subject under the Bill, the right to control the processing (collection and dissemination) of their personal information. Under the Bill, Data Subject shall include the heir or spouse of that person (in the event that the Data Subject dies) and the person that has duties relating to the Personal Data of that person as prescribed by the ministerial regulation.
Thus under the Bill, no data processing may be done unless the Personal Data Processor receives permission from the Data Subject. In addition, the processing of the Personal Data shall be used exclusively for the purpose under which the Data Subject agreed to give their Personal Data.
Forwarding or Transferring of Personal Data
The Personal Data Processor is not allowed to forward or transfer the Personal Data in their possession to a third party unless the Data Subject has given their written consent.
This written consent requirement applies to transferring or forwarding of Personal Data overseas unless it is required for a legal proceeding or for the benefit of the Data Subject. The Personal Data Processor is required to notify the Data Subject after the Personal Data has been forwarded or transferred.
The Personal Data Processor also has to give a written notice to the Data Subject in case the Personal Data will be used for any other objective. The Data Subject has to give their written approval. However, in case of necessity to life, body or health of a person, the Personal Data Processor can use the Personal Data without prior consent from the Data Subject, provided that the Personal Data Processor notifies the Data Subject soon after processing.
Disclosure of Personal Data
Disclosure of Personal Data under the possession or control of the Personal Data Processor to other persons without prior written consent from the Data Subject is prohibited except in the following cases:
(1) The government officials request its disclosure to prevent violation or breach of law and for the purpose of investigation, inquiry, and civil or criminal action;
(2) The competent courts or government officials or government agencies request the Personal Data;
(3) The disclosure of the Personal Data is vital because it shall prevent or stop danger to the life or health of a person;
(4) At the request of other agencies with the power to receive them under the provisions of the law;
(5) For study and research and there is nothing showing or implying that the disclosed data belongs to the Data Subject;
(6) It is evident that the data disclosure shall be useful to the Data Subject and it is not possible to obtain prior consent from the Data Subject; and
(7) To give medical treatment to the Data Subject who at such time is unable to give consent.
The Personal Data Processor is required to inform the Data Subject of all data it has disclosed.
A person receiving the Personal Data disclosed as mentioned above shall not use or disclose such Personal Data for other purposes.
The Personal Data Processor shall record the disclosure of Personal Data as mentioned above for the purpose of verification by the Data Subject and competent officials.
The Personal Data Processor is required to appoint a representative to monitor, control and proceed with the Processing of Personal Data. Such representative is referred to as the "Registrar" under the Bill. The Registrar has a duty to update and keep the Personal Data under security control to prevent the Personal Data from being lost, altered or disclosed, which may cause harm to the Data Subject. In addition, the Registrar is required to provide the Personal Data Protection Commission with a processing report at least once a year.
The Bill imposes both imprisonment and fines for various offences such as:
(i) A person who does any acts and things with the Personal Data in order to give himself or other persons unlawful benefits or cause damage to other persons shall be imprisoned for not more than three years or fined not more than Baht 60,000 (approximately US$ 1,875) or both.
(ii) If the Personal Data Protection Registrar fails to keep the collected Personal Data at its place of business to be checked by the Data Subject, the Personal Data Protection Registrar shall be fined not more than Baht 10,000 (approximately US$ 312.50).
(iii) Where it is suspected that any act relating to the Personal Data may cause damage to the Data Subject or related persons, and the Personal Data Protection Registrar fails to comply with any order of the Personal Data Protection Commission, such as failing to provide proof or delay in providing proof without reasonable cause, the Personal Data Protection Registrar may be subject to imprisonment for not more than three years or a fine of not more than Baht 60,000 (approximately US$ 1,875) or both.
If juristic persons are found guilty of an offence under the Bill, their representatives shall be punished for and on their behalf unless it is proven that these representatives were not involved with the commission of those offences by the juristic persons.
The Bill may have a significant impact on the way organisations conduct business. Organisations have to evaluate and assess if they have to adopt measures, including appointing a "Registrar", to comply with the provisions of the Bill. Organisations may also need to change some of their business procedures.
For further information, please contact:
Anurag Ramant ( firstname.lastname@example.org )
Wanchai Raksirivorakul ( email@example.com )