Countries around the world are hurrying to regulate the collection, processing and use of personal data. Privacy regulation presents a conundrum for most governments as they try to balance the rights of citizens with national security and business needs.

Navigation


India

The Philippines

Taiwan

Thailand

INDIA

The past three to four years have seen many jurisdictions implement specific laws and regulations for protection of personal data of their citizens. India does not have a comprehensive and exclusive data protection law in effect as yet. Currently, the legal regime governing data protection in India flows from the provisions of the Information Technology Act, 2000 (IT Act), and its allied rules. Several attempts have been made to introduce a comprehensive data protection regulation, but the regulation has never seen the light of the day.

data
Apurv Sardeshmukh
Partner at Legasis Partners in Mumbai
Tel: +91 22 6617 6500
Email: apurv.s@legasispartners.in

The advent of the EU’s General Data Protection Regulation (GDPR) and similar regulations elsewhere in the world have increased awareness about the rights of individuals in protecting their data. The past couple of years witnessed several companies being pulled up for data privacy violations in multiple jurisdictions and that only increased the clamour to enact regulations safeguarding personal data. The judgment by the Supreme Court in the KS Puttaswamy and Anr v Union of India and Ors case, recognizing the right to privacy as a fundamental right under article 21 of the Indian constitution, was the last straw and legislators were convinced that India required similar legislation along the lines of the GDPR, which protects data of individuals and gives them rights with respect to their data.

The Ministry of Electronics and Information Technology set up a nine-member committee of experts headed by Justice BN Srikrishna in July 2017, which submitted a report and a draft bill, known as the Personal Data Protection Bill, 2018, on 27 July 2018. This bill was subsequently revised slightly and introduced in the lower house of the Indian parliament as the Personal Data Protection Bill, 2019 (PDP bill). The PDP bill has since been referred to a select parliamentary committee and until it is cleared by both houses of parliament and brought into effect, the provisions of the IT Act and the rules will govern protection of personal data in India.

Existing regulations

As mentioned, until the PDP bill comes into effect, the provisions of the IT Act and, primarily the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (2011 rules), will be the regulations governing the protection of personal data in India.

The IT Act applies to the whole of India and to any offence or contravention under it committed by a person outside the country. The 2011 rules only apply to body corporates and persons located in India. This means that the 2011 rules do not apply to the processing of data in India regarding data subjects located overseas. Some of the rules do not apply to business-to-business relations, but only to the collection of individuals’ data by businesses.

The obligations under the 2011 rules are mainly with respect to protection of what is defined as sensitive personal data. Sensitive personal data or information of a person is said to be such personal information which consists of details relating to: (i) password; (ii) financial information such as a bank account, or credit or debit card, or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

The rules also regulate the manner in which personal information can be disclosed to third parties and transferred to other entities.

Personal data protection bill

The PDP bill applies to the processing of personal data by the state, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law. Further, section 2 states that the PDP bill will apply to the processing of personal data by data fiduciaries and data processors, if such processing is in connection with any business/offering/service to data principals in India, or involving profiling of data principals in India.

The PDP Bill 2019, however, does not apply to the processing of anonymized data, although an exception has been carved out for anonymized data that may need to be shared with the government.

The PDP bill defines the concepts of “data principal” and “data fiduciary”. The natural person whose personal data are collected is referred to as the data principal. The entity that determines the purpose or means of processing this data is referred to as the data fiduciary.

Data fiduciaries include the state, corporate entities and individuals. The PDP bill also defines “data processor” as any entity that processes data on behalf of the data fiduciary. Processing has been defined expansively to include any operation or set of operations performed on personal data. The PDP bill has also introduced a “consent manager” – a data fiduciary who can assist a data principal to gain, withdraw, review and manage his/her consent through an accessible, transparent and interoperable platform.

Section 4 of the PDP bill states that personal data can be processed only for purposes that are clear, specific and lawful. The PDP bill further provides that any person processing personal data owes a duty to the data principal to process such personal data in a fair and reasonable manner that respects the privacy of the data principal.

The PDP bill requires that consent of the data principal should be obtained prior to processing of the personal data, unless consent is not required under the provisions of the same. Data can be processed without consent for the performance of any function of the state authorized by law, for compliance with any order or judgment of any court or tribunal in India, to respond to any medical emergency involving a threat to life, or a severe threat to the health, of the data principal or any other individual, to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health, or undertake any measure to ensure safety of, or provide assistance to, any individual during any disaster or any breakdown of public order. It must be noted that, unlike other jurisdictions, the PDP bill does not allow processing of personal data for the fulfilment of an obligation under a lawful contract.

The 2018 bill required every data fiduciary to ensure that at least one serving copy of personal data of the data principal was stored on a server or data centre located in India. This has been modified under the PDP bill 2019. There is now no requirement of localization with respect to personal data. A requirement remains to store sensitive personal data in India, but such data may be transferred outside India for processing. The ambiguous concept of “serving copy” has also been removed. Further, the PDP bill provides the requirement of a category of personal data specified as critical personal data to be processed only in India. Some exceptions to transferring critical personal data outside India have also been specified.

The PDP bill has also created a new category of data fiduciaries defined as social media intermediaries. These are entities that primarily or solely connect users enabling them to create, modify, upload, share, disseminate or access information. Search engines, e-commerce entities, internet service providers, email and storage services, and online encyclopaedias are excluded from this definition. Social media intermediaries that have more than a specified number of users, and whose actions are likely to impact electoral democracy, security of the state, public order, sovereignty or integrity of India will be notified by the government of India as significant data fiduciaries.

The PDP bill also provides for exemptions on compliance in cases of processing of data for certain specific purposes. Exemptions from compliance with the provisions of the PDP bill are permitted in cases where the personal data are being processed for security of the state, prevention, detection, investigation and prosecution of contraventions of law, processing for the purpose of legal proceedings, research, archiving or statistical purposes, for domestic purposes, and for journalistic purposes.

The PDP bill has now been referred to a standing committee that may further revise the bill before presenting it to parliament. Hence, an effective data protection regulation in India still appears to be some time away. Until such time, the provisions of the IT Act and the 2011 rules will continue to remain in effect.

dataLegasis Partners
12A/09 13/F
Parinee Crescenzo,
G-Block BKC,
Bandra East, Mumbai 400051,
Tel: +91 22 3354 4000
Email: mumbai@legasispartners.com
www.legasispartners.com


THE PHILIPPINES

In 2012, the Philippines passed the Data Privacy Act (DPA), protecting individual personal data in information and communications systems in both the government and the private sector (Republic Act No. 10173). This comprehensive privacy law also established the National Privacy Commission (NPC) with enforcement, rule-making, advisory and quasi-judicial powers, and tasked it to implement the provisions of the act.

On 9 September 2016, the implementing rules and regulations (IRRs) came into force. The law is intended to bring the Philippines to the next level and ensure compliance with international standards of data protection.

data
Enrique Dela Cruz Jr
Senior Partner at DivinaLaw in Manila
Email: enrique.delacruz@divinalaw.com

Application. The Philippine DPA applies to the processing of all types of personal information, with certain exceptions including those that are considered “matters of public concern”. It covers any natural and juridical person involved in personal information processing within (or, in some instances, outside) the Philippines. Based on the DPA’s extraterritorial reach, the NPC launched its own investigation in April 2018 on the Cambridge Analytica scandal, involving the unauthorized sharing of personal information including that of about 1.2 million Filipinos.

The common notion is that if the personal information is publicly available, then the DPA is not applicable. The NPC has correctly opined that this is a misconception, and said that, “even if the data subject has provided his or her personal data in a publicly accessible platform, this does not mean he or she has given blanket consent for the use of his/her personal data for whatever purposes”. The NPC’s opinion is significant as it recognizes with caution the collapsing boundaries of private and public space in the social media age.

data
Ian Jerny De Leon
Junior Partner at DivinaLaw in Manila
Email: ian.deleon@divinalaw.com

Governing principles. The DPA adopts some of the principles under much earlier international privacy frameworks, particularly transparency, legitimate purpose and proportionality. In line with the law’s objective, processing of personal information is generally allowed provided there is at least one lawful basis for processing, for instance, the legitimate interest of the personal information controller (PIC).

In this regard, the NPC has already clarified that legitimate interest of the PIC, as a basis for processing, must consider the following three-part test: (1) the purpose test – the existence of a legitimate interest must be clearly established, including a determination of what the particular processing operation seeks to achieve; (2) the necessity test – the processing of personal information must be necessary for the purpose of the legitimate interest pursued by the PIC or third party to whom personal information is disclosed, where such purpose could not be reasonably fulfilled by other means; and (3) the balancing test – the fundamental rights and freedoms of data subjects must not be overridden by the legitimate interests of the PIC or third party, considering the likely impact of the processing on the data subjects. In contrast, processing of sensitive personal information is generally prohibited except if a lawful basis for processing exists (e.g., consent, law or physical necessity).

data
Jayr Ipac
Senior Associate at DivinaLaw in Manila
Email: jayr.ipac@divinalaw.com

Rights of data subjects.The DPA provided data subjects certain rights: (1) the right to be informed (among others, on the existence of automated decision-making and profiling); (2) the right to access; (3) the right to object (to the processing of personal data, including for direct marketing, automated processing or profiling); (4) the right to erasure or blocking (of personal data from the PIC’s filing system) on specified grounds; (5) the right to damages; (6) the right to file a complaint, subject to the requirement of exhaustion and timeliness; (7) the right to rectify; and (8) the right to data portability.

Obligations. Under the IRR, the PICs and the PIPs (personal information processors) are mandated to register their data processing systems with the NPC under the following conditions: (1) if sensitive personal information of at least 1,000 individuals is processed; (2) if the personal information controller or processor employs at least 250 people; (3) if less than 250 people are employed but the processing is not occasional; or (4) if less than 250 people are employed but the processing of the information might pose a risk to the rights and freedoms of the data subject.

The IRR sets out the following required security measures for the protection of personal data:

  • Assign someone to function as data protection officer, compliance officer or any other officer accountable for ensuring compliance with applicable laws and regulations on data privacy and security;
  • Implement appropriate data protection policies that provide for organization, physical and technical security measures;
  • Maintain records that sufficiently describe the data processing system and identify the duties and responsibilities of those individuals who will have access to personal data;
  • Select, train and supervise employees, agents or representatives who will have access to personal data;
  • Develop, implement and review policies and procedures for the collection and processing of personal data, for data subjects to exercise their rights under the DPA, access management, system monitoring, protocols for security incidents or technical problems, and data retention;
  • Ensure through appropriate contractual agreements that PIPs shall also implement the security measures required by the law and the IRR;
  • Comply, where appropriate, with physical security guidelines set out in the IRR; and
  • Adopt and establish technical security measures such as, but not limited to: security policy for the processing of personal data; safeguards to protect the computer network; periodic evaluation of security measures’ effectiveness; and personal data encryption.

To monitor the compliance of PICs and PIPs with the law, summaries of documented security incidents and personal data breaches have to be reported by the PICs and PIPs to the NPC. In case of any data breach, the NPC and the affected data subject should be notified by the concerned PIC or PIP within 72 hours from the discovery of the personal data breach.

Compliance requirements

To help those engaged in personal data processing achieve DPA compliance, the NPC developed a five-step guide called “Five Pillars of Compliance”. The guide serves as a checklist and outlines the major data privacy responsibilities under the DPA and pertinent issuances of the NPC.

Appointment of a data protection officer (DPO). The appointment of a DPO is mandated by law and is considered as proof of the organization’s compliance efforts. The DPO is accountable for the organization’s compliance with the law’s requirements. His or her main role is to oversee the organization’s data protection programme and its implementation, including formulation of data protection policies, conduct of risk assessments, and management of personal data breach. He or she also serves as the contact person of the organization on data subjects and the NPC. The DPO must be independent, knowledgeable in data protection and have a good grasp of the processing systems being carried out by the organization.

Conduct of a privacy impact assessment (PIA). A PIA is a process of identifying and evaluating potential privacy risks posed by the processing of personal information. Ideally, the PIA should be conducted for all projects, programmes and activities involving personal information. The PIA should include, among others things: (1) a systematic description of the personal data flow and processing activities of the organization; (2) assessment of the organization’s adherence to the data privacy principles and implementation of security measures; (3) identification and evaluation of the attendant risks; and (4) proposal of measures that address them.

Create a privacy management programme (PMP). The PMP is a holistic approach to ensure that privacy and data protection are embedded in all programmes, activities, services and initiatives of the organization. It sets out the organization’s commitment to protect the personal information of its data subjects, and details the organization’s practices and procedures in processing and handling of such information. Implementing a PMP includes having privacy policies, procedures and protocols in place that help the organization comply with the requirements of the law.

Implement your privacy and data protection measures. The policies and measures set out in the PMP should be implemented. Apart from having a firm organizational commitment, to ensure execution of the PMP programme controls should be integrated into the organization’s day-to-day operations. Programme controls should include the following: (1) records of processing activities; (2) risk assessment tools; (3) registration; (4) policies and procedures; (5) data security; (6) capacity building; (7) breach management; (8) notification; (9) third-party management; and (10) communication. The organization should also periodically assess the effectiveness of programme controls.

Personal data breach management. In the event of a personal data breach, the organization should be prepared to respond promptly and effectively. The organization should have a policy setting out the procedures for breach management in place. The policy should cover prevention, incident response, investigation, mitigation of breach impact, compliance with notification requirements, and prevention of recurrence. It is essential that responsibilities for managing a breach be clearly defined and assigned, and that lessons learned are integrated into the organization’s procedures and practices.

data
DivinaLaw
8/F Pacific Star Bldg
Sen Gil Puyat Ave.
cor Makati Ave.,
Makati City Philippines
Tel: +632 8822 0808
Email: info@divinalaw.com
www.divinalaw.com


TAIWAN

The main statute in Taiwan governing data privacy is the Personal Data Protection Act (PDPA), which was last amended in December 2015 and took effect on 15 March 2016. The collection, processing and use of personal data in Taiwan is subject to the PDPA, the enforcement rules on the PDPA and related regulations and rulings issued by relevant authorities.

data
James Huang
Partner at Lee and Li in Taipei
Tel: +886 2 2763 8000 (ext. 2157)
Email: jameshuang@leeandli.com

The PDPA differentiates between government and non-government agencies, and adopts different rules for them acting as data controller for the collection, processing and use of personal data (although the term “controller” is not used in the PDPA). Non-government agencies include any person or entity that is not a Taiwanese government agency. Collection, processing and use of personal data of Taiwanese nationals by a foreign person or entity is also subject to the PDPA.

There is no independent supervisory authority under the framework of the PDPA. Before 25 July 2018, the Ministry of Justice was the major authority responsible for interpreting the PDPA, and currently such authority lies with the National Development Council (NDC). The competent authorities of different industries may also issue rulings and regulations applicable to the data controllers in the relevant industry.

Personal and sensitive data

Under the PDPA, personal data refers to a natural person’s name, date of birth, ID Card number, passport number, features, fingerprints, marital status, family information, education background, occupation, medical records, healthcare data, genetic data, data concerning a person’s sex life, records of physical examination, criminal records, contact information, financial conditions, data concerning a person’s social activities and any other information that may be used to directly or indirectly identify a natural person.

data
Maggie Huang
Associate Partner at Lee and Li in Taipei
Tel: +886 2 2763 8000 (ext. 2205)
Email: maggiehuang@leeandli.com

The collection, processing or use of data pertaining to a natural person’s medical records, healthcare, genetics, sex life, physical examination and criminal records (sensitive data) is subject to higher standards (see below). However, the PDPA does not specifically provide for a separate set of rules for the sensitive data.

Requirements for collection, processing or use of personal data. For the purpose of this article, the authors will focus on the requirements for non-government agencies below. For a non-government agency to collect, process or use personal data, the following requirements must be met:

(1) There shall be a notification to the data subject containing all of the following information: (i) name of the collector/processor/ user; (ii) purpose of collection/ processing /use; (iii) type of the personal data being collected/processed/used; (iv) time period, area, target and way of the use of personal data; and (v) the rights of the data subject under article 3 of the PDPA (see below), how to exercise such rights, and the influence on the data subject’s rights and interests if the data subject chooses not to provide his/her personal data.

data
Andrew Mai
Associate at Lee and Li in Taipei
Tel: +886 2 2763 8000 (ext. 2215)
Email: andrewmai@leeandli.com

(2) For collection/processing of personal data, there shall be at least one of the following statutory grounds: (i) the collection/processing is specifically permitted by laws; (ii) the consent of the data subject has been obtained; (iii) the personal data of the data subject have become public due to disclosure by the data subject, or in a legitimate manner; (iv) a contractual or quasi-contractual relationship with the data subject, and appropriate security measures have been adopted for; (v) the collection/processing of the personal data is necessary for statistics gathering or academic research by an academic research institution for the public interest, provided that any information sufficient to identify the data subject has been removed; (vi) the collection/processing is necessary for furthering public interests; (vii) the personal data has been collected from a source that is generally accessible; or (viii) the collection/ processing is not harmful to the data subject.

(3) For use of personal data, it must be conducted within the scope of the specific purpose for which it was collected, unless any of the following conditions are met: (i) such additional use is pursuant to a specific provision set out under the law; (ii) it is necessary for promoting public interests; (iii) it is for preventing risk to life, body, freedom or property of the data subject; (iv) it is to prevent material harm to the rights or benefits of third parties; (v) it is necessary for statistics gathering or academic research by an academic research institution for the public interest, provided that any information sufficient to identify the data subject has been removed; (vi) the consent of the data subject has been obtained; or (vii) such additional use would benefit the data subject.

Requirements for collection, processing or use of sensitive data. Sensitive data may not be collected, processed or used, unless in any of the following situations:

  • Where it is specifically permitted by law;
  • When it is necessary for a government agency to perform its legal duties, or for a non-government agency to fulfil its legal obligation, and proper security measures are adopted prior or subsequent to such collection, processing or use;
  • When the personal data of the data subject have become public due to disclosure by the data subject, or in a legitimate manner;
  • Where it is necessary to perform statistics or other academic research, a government agency or an academic research institution may collect, process or use personal data for the purpose of medical treatment, public health or crime prevention, provided that any information sufficient to identify the data subject has been removed;
  • Where it is necessary to assist a government agency in performing its legal duties, or a non-government agency in fulfilling its legal obligations, and proper security measures are adopted prior or subsequent to such collection, processing or use; or
  • Where the data subject has consented in writing, provided that the use of such data may not exceed the necessary scope of the specific purpose, or there is no other restriction under any other statute. Moreover, such consent must not be obtained against the data subject’s free will.

Rights of data subject

Pursuant to article 3 of the PDPA, the data subject has the following rights, which may not be waived or restricted contractually in advance: (1) the right to make an inquiry about and review his/her personal data; (2) the right to have a copy of his/her personal data; (3) the right to supplement or correct his/her personal data; (4) the right to stop the collection, processing or using of his/her personal data; and (5) the right to delete his/her personal data.

International transfer of personal data

Under article 21 of the PDPA, the competent authority has the right to prohibit or restrict international transfer of personal data in any of the following circumstances: (1) where major national interests are involved; (2) where an international treaty or agreement prohibits or restricts such transfer; (3) where the country to which the personal data are transferred does not provide sound legal protection of personal data, thereby affecting/jeopardizing the interests of the data subjects; or (4) where the transfer of personal data to a third country (territory) is to circumvent the restrictions under the PDPA.

In other words, the international transfer of personal data is generally permitted, but the competent authority may prohibit or restrict the same on a case by case basis. Also, the competent authorities of different industries may issue rulings and regulations applicable to international transfer of personal data by the data controllers in the relevant industry. For instance, Taiwan’s banking regulator has required that any outsourcing of operation by financial institutions that involves international transfer of personal data should meet certain requirements, and will be subject to its prior approval.

Recent developments

The government of Taiwan is aiming to amend the PDPA, possibly this year, to meet the standards of the EU’s General Data Protection Regulation (GDPR) and obtain an adequacy decision from the European Commission. The NDC had several rounds of discussion with the authority of the European Commission about necessary amendments to the PDPA. According to the NDC, the proposed amendments would mainly include: (i) setting up an independent regulatory agency so regulations on data protection across different industry sectors can be more consistent and comprehensive; and (ii) adding more requirements or restrictions on the international transfer of personal data.

Lee and Li - Taiwan Interpretation No. 770 and protection for minority shareholders

Lee and Li
8F, No. 555,
Sec 4, Zhongxiao E Rd,
Taipei, Taiwan
Tel: +886 2 2763 8000
Email: attorneys@leeandli.com
www.leeandli.com


THAILAND

Thailand promulgated its Personal Data Protection Act (2019) (PDPA) on 28 May 2019. The most significant provisions of the PDPA will become effective on 27 May 2020, in order to allow for preparation time for compliance with this act. These provisions include regulations on personal data protection, rights of data subjects, complaints, civil liabilities, and penalties.

Subordinated laws under the act are currently under preparation, including personal data protection criteria, and complaints and administrative liability. The issuance of all regulations and notifications under the PDPA must be completed within one year of the date this act enters into force, on 26 May 2021.

data
Panuwat Chalongkuamdee
Partner at Weerawong Chinnavat & Partners in Bangkok
Tel: +662 264 8000
Email: Panuwat.c@weerawongcp.com

Data protection authority. The PDPA establishes a Personal Data Protection Committee, with an expert committee and sub-committee under it. Pursuant to section 16 of the PDPA, the duties of the Personal Data Protection Committee include: determining measures or procedures for the protection of personal data; issuing notifications or regulations; announcing criteria for protection procedures as well as the protection of data that are transferred out of the country; and preparing a master plan to support and protect personal data.

Beyond the above-mentioned committee, the PDPA also establishes the Office of the Personal Data Protection Committee, a state agency that acts as the centre for academic services and protection of personal data with a supervisory board.

data
Thaya Uthayophas
Associate at Weerawong, Chinnavat & Partners in Bangkok
Tel: +662 264 8000
Email: Thaya.u@weerawongcp.com

Breaches of data protection. The PDPA provides for civil, criminal and administrative penalties for violations. Civil liability under the PDPA includes compensation for damages and punitive damages in an amount not exceeding twice the amount of actual damages. Criminal liability includes imprisonment of up to six months, or a fine of up to THB500,000 (US$16,000) or both, depending on the nature of the violation. Administrative liability includes an administrative fine of up to THB5 million depending on the nature of the violation. The Thai Civil Procedure Code also allows for class action lawsuits.

Exempt sectors and institutions. The PDPA regulates the collection, usage and disclosure of personal data by a data controller or a data processor in Thailand. However, the PDPA does not apply to: Personal benefit or households; operations of public authorities; data that are collected only for the activities of mass media, fine arts or literature; data under the duties and power of the house of representatives, the parliament or parliamentary committees; trials and adjudications of courts, and work operations of officers in legal proceedings and legal execution; data collected by a credit bureau company and its members; and data of the deceased.

Personal data formats. Pursuant to section 6 of the PDPA, personal data means any information related to an identifiable person, directly or indirectly, but not inclusive of deceased persons.

There are two types of personal data in the PDPA: General personal data (section 24) and sensitive data (section 26). General data must be collected from the data subject with its consent. Examples include addresses, telephone numbers, credit card information, etc.

Extraterritoriality. In the event that a data controller or a data processor is outside of Thailand, the PDPA covers the offering of goods or services to data subjects in Thailand, irrespective of whether the payment is made by the data subject and the monitoring of the data subject’s behaviour is done in Thailand.

Transfer of personal data to outside of Thailand. Pursuant to section 28 of the PDPA, in the event that the data controller sends or transfers the personal data to a foreign country, the data controller must comply with the rules on transfers as prescribed by the Personal Data Protection Committee (currently unspecified) and ensure that the destination country or international organization that receives such data has adequate data protection standards as determined by the committee (currently unspecified).

Covered uses of personal data. The PDPA provides a distinction between those who control personal data and those who provide personal data processing services to owners. Controllers’ and processors’ duties differ.

Section 37 of the PDPA provides the duties of the data controller, which include arranging security measures, arranging verification procedures, and providing notification of any violations of personal data to the Office of the Personal Data Protection Committee.

Section 40 of the PDPA provides the duties of a data processor, which include arranging security measures, notifying the data controller of any violations of personal data, and preparing and maintaining logs.

Legitimate grounds for processing. Pursuant to sections 24 and 27 of the PDPA, the data controller must not process personal data without the consent of the data subject, unless there is a lawful basis to do so on the following grounds: Research; vital interests; contract; public task/office authority; legitimate interest of the data controller (balanced with the rights of the data subject); and legal obligation.

Legitimate processing – types of personal data. The PDPA imposes more stringent rules for sensitive personal data. Pursuant to sections 26 and 27 of the PDPA, any processing of sensitive personal data is prohibited without the explicit consent (affirmed in a clear statement; not consent that is inferred from action) of the data subject. Exceptions include a lawful basis on the following grounds: Vital interests; legitimate activities; public data; legal claims; and legal obligations.

Minors. Pursuant to section 20 of the PDPA, the consent of those with parental responsibility over a minor is required if the minor’s act of giving consent is not an act in which the minor may be entitled to act alone, as prescribed by sections 22-24 of the Civil and Commercial Code. Such consent is also required in the case that the minor is below the age of 10.

Notification. Pursuant to section 23 of the PDPA, the controller shall inform the data subjects, prior to or at the time of the collection of personal data, of the following:

  • The purpose of the collection of personal data (i.e., utilization or disclosure);
  • Period of storage of personal data;
  • The identity of the data controller (contact details);
  • Reasons for the data subjects to disclose their personal data;
  • Identification of the recipients to whom the personal data may be disclosed;
  • Information that needs to be collected;
  • Rights of data subjects; and
  • Impact of not providing information.

Data accuracy. Pursuant to section 35 of the PDPA, the data controller must ensure that the personal data remains accurate, up to date, complete, and not misleading.

Amount and duration of data holding. There is no specific end date for retention, although the data controller has to put in place an examination system for erasure or destruction of personal data when the personal data is irrelevant or beyond the scope of the purpose for which it has been collected, pursuant to section 37(3) of the PDPA.

Finality principle. Under section 21 of the PDPA, the collection, use or disclosure of personal data shall not be conducted in a manner that is different from the purpose previously notified to the data subject unless the data subject has been informed of the new purpose, and consent has been obtained prior to the time of collection, use or disclosure.

Security obligations. Section 37 of the PDPA provides that the data controller shall provide and maintain appropriate security measures for preventing the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of personal data.

Notification of data breach. Section 37(4) of the PDPA requires the data controller to notify the Office of the Personal Data Protection Committee of any personal data breach within 72 hours of having become aware of it.

Data protection officer. The data controller or processor must also appoint a data protection officer (currently undefined in the act) if the activities of the data controller or processor require dealing with a large amount (currently unspecified) of personal data.

According to section 42 of the PDPA, the duties of a data protection officer include advising and verifying both the data controller’s and data processor’s compliance with the PDPA, as well as co-ordinating with the Office of the Personal Data Protection Committee where there are problems with respect to the collection, use or disclosure of personal data.

Record keeping. Section 39 states that the data controller shall maintain the following records: (1) the collected personal data; (2) the purpose of the collection of the personal data; (3) details of the data controller; (4) the retention period of the personal data; (5) rights and methods to access the personal data; (6) the use or disclosure of personal data exempted from the consent requirement; (7) the rejection of requests or objections; and (8) explanations of the appropriate security measures to prevent breaches of personal data.

Access. Pursuant to section 30 of the PDPA, the data subject is entitled to request access to and obtain copy of the personal data related to him or her, which is under the responsibility of the data controller. The request can be rejected only where it is permitted by law or pursuant to a court order.

data
Weerawong Chinavat & Partners
22nd Floor, Mercury Tower
540 Ploenchit Road
Lumpini, Pathumwan
Bangkok 10330
Tel: +662 264 8000
Email: info@weerawongcp.com
www.weerawongcp.com