ABLI-FPF Convergences Series - Status of Consent for Processing Personal Data (Thailand report)

ABLI-FPF Convergences Series - Status of Consent for Processing Personal Data (Thailand report)

Author: Dominic Paulger, Policy Manager (APAC), Future of Privacy Forum

Asian Business Law Institute and Future of Privacy Forum

August 2022

This report provides a detailed overview of relevant laws and regulations in Thailand on

• notice and consent requirements for processing personal data;
• alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
• statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.

Table of Contents

1. INTRODUCTION 

2. ROLE OF THE PERSONAL DATA PROTECTION COMMISSION (“PDPC”) .

    2.1. Subordinate regulations to the PDPA

           a. First public consultation on Draft Sub-regulations
           b. Second public consultation on Draft Sub-regulations

    2.2. PDPC Guidelines

3. SECTORAL LAWS AND REGULATIONS

4. CONSENT AND PRIVACY SELF-MANAGEMENT IN PDPA

5. CONDITIONS FOR CONSENT 

    5.1. Definition and forms of consent

           a. PDPA
           b. PDPA Guidelines
           c. Draft Sub-regulations

    5.2. Withdrawal of consent

    5.3. Bundled consent

6. CONSENT FOR SPECIAL CATEGORIES OR USES OF DATA

    6.1. PDPA

    6.2. Draft Sub-regulations

    6.3. Children

    6.4. Cookies, Internet of Things, online tracking

    6.5. Direct marketing

    6.6. Biometric and genetic data

    6.7. Financial information

    6.8. Pseudonymized data

    6.9. Location data

7. CONSENT FOR CROSS-BORDER DATA TRANSFERS

8. TRANSPARENCY AND NOTICE

    8.1. PDPA

    8.2. Draft Sub-regulations

           a. Notification of the purpose of processing
           b. Notification of data collection 
           c. Notification of disclosure
           d. Change in the purpose of processing
           e. Change in the purpose of processing for scientific, historical, or statistical purposes 
           f. Proposed exemptions from notification requirements

9. SANCTIONS AND ENFORCEMENT

    9.1. Criminal liability

    9.2. Administrative liability

10. COLLECTING, USING, AND DISCLOSING DATA WITHOUT CONSENT SUBJECT TO A RISK IMPACT ASSESSMENT

11. COLLECTING, USING, AND DISCLOSING DATA WITHOUT CONSENT IN OTHER CIRCUMSTANCES DEFINED BY LAW

      11.1. Collecting, using, and disclosing personal data without consent.

      11.2. Collecting, using, and disclosing sensitive personal data without consent

      11.3. Transferring personal data across borders without consent

      11.4. Exemptions from the scope of the PDPA