The Personal Data Protection Act B.E. 2562 (2019) (PDPA) imposes clear obligations on data controllers regarding the collection and use of personal data in Thailand. One of the key compliance requirements is the provision of a Privacy Notice, which must inform data subjects, in a transparent manner, of how their personal data will be processed.
A properly drafted Privacy Notice is not only a statutory requirement but also an important tool to foster trust and accountability in data processing activities. Below are the principal elements that businesses should consider when preparing such notices in compliance with the PDPA.
1. Timing of the Privacy Notice
The Privacy Notice must be provided before or at the time of data collection (Section 23), irrespective of whether consent is the lawful basis for processing; the only statutory exception is where the data subject already knows the required details. The information should be presented in clear, concise, and accessible language. Delivery through electronic means, such as a website link or QR code, is acceptable provided that the information remains readily understandable and the data subject is directed to it at the point of collection.
2. Purpose of Collection and Legal Basis
The notice must specify the purposes for which the personal data is collected, as well as the relevant legal basis relied upon (e.g., consent, contractual necessity, or legal obligation). If data collection is mandatory to comply with legal or contractual requirements, this must be disclosed along with the consequences of refusal to provide such data.
3. Categories of Data and Retention Period
Organizations must describe the categories of personal data collected and provide information on the retention period. If the precise retention period cannot be determined, the notice must indicate the expected criteria used to establish such duration. It should also explain that data will be deleted, destroyed, or anonymized once the retention period has expired.
4. Disclosure of Recipients
The Privacy Notice must identify the recipients or categories of third parties with whom the personal data may be shared, such as service providers, affiliates, or government authorities. This disclosure should enable the data subject to understand the potential flow of their personal data.
5. Identity and Contact Information of the Data Controller, DPO, or DPR
The PDPA requires that the Privacy Notice provide the identity and contact details of the data controller. In addition:
- Where a Data Protection Officer (DPO) is appointed (mandatory under Section 41 for public authorities and for organizations whose core activities involve large-scale regular monitoring of data subjects or the processing of sensitive personal data), the contact details of the DPO must also be included.
- Where a foreign data controller falls within the extraterritorial scope of the PDPA (Section 5, paragraph two) and is therefore required under Section 37 to appoint a representative in Thailand, the contact information of that Data Protection Representative (DPR) must be disclosed.
This ensures that data subjects and the regulator can effectively communicate with the responsible entity or its appointed representative.
6. Data Subject Rights
The Privacy Notice must clearly inform individuals of their statutory rights under the PDPA, including the rights to:
- Access and obtain a copy of their personal data
- Request rectification of inaccuracies
- Request erasure, destruction, or anonymization
- Request restriction of processing
- Withdraw consent at any time
- Object to certain types of processing
- Request data portability (where applicable)
- Lodge a complaint with the Personal Data Protection Committee
The notice should also provide instructions on how data subjects may exercise these rights.
7. Consent Management
Where processing is based on consent, the notice must state that consent is voluntary, specific, and freely given through an affirmative act. The right to withdraw consent at any time must be explicitly communicated, along with the method for withdrawal.
8. Optional: Cross-Border Transfers
While the PDPA imposes obligations on organizations transferring personal data outside of Thailand (Section 28), details of such transfers are not among the items Section 23 expressly requires in the Privacy Notice. The exception is where the transfer relies on the data subject's consent: Section 28 requires that the data subject first be informed that the destination country or international organization lacks adequate data protection standards, and the notice is the natural place to do so. Otherwise, compliance with cross-border transfer rules should be addressed through internal governance and contractual safeguards.
Conclusion
A well-drafted Privacy Notice is fundamental to PDPA compliance. It should address the purposes of collection, legal bases, data categories, retention, disclosure, data subject rights, and crucially, the contact information of the data controller, and where applicable, the DPO or DPR. By doing so, organizations not only fulfill their legal obligations but also demonstrate a commitment to transparency and accountability in personal data management.
At Data Excellium, we assist leading organizations in preparing PDPA compliant Privacy Notices and act as a Data Protection Representative (DPR) for foreign companies. For further guidance, please contact us.