On 7 September 2022, the Personal Data Protection Committee of Thailand (the “Data Protection Committee”) released Guidelines for Obtaining Consent from Data Subjects (the “Guidelines”). These Guidelines must be read together with Thailand’s Personal Data Protection Act (the “PDPA”) to understand consent requirements under Thailand’s data protection framework.
Under Thailand’s data protection framework, the data subject’s consent is considered a primary lawful basis for processing personal data. The data subject’s consent must be obtained prior to or at the time of the collection, use and disclosure of personal data unless any other legal basis is relied upon.
Data controllers may be required to use a prescribed consent form where a regulatory body has specified one under an enforceable law to which the controller is subject. Where no such form is prescribed under any applicable law, data controllers must ensure that the consent they obtain meets the requirements of the PDPA and the Guidelines issued by the Data Protection Committee.
The following sections will help you understand the legal requirements for consent in Thailand and ensure compliance:
The data subject’s consent must be freely given. This means the data subject must be able to freely, independently, and voluntarily give consent without any threat, fraud, deception, coercion, intimidation, or misrepresentation on the part of the data controller.
Data controllers should not make consent requests part of contractual arrangements or terms and conditions of a service - the request for consent must be clearly distinguishable from any other matters.
Under the PDPA, the data subject’s consent cannot be implied. To obtain consent, data subjects may be asked to perform actions such as ticking an unchecked consent checkbox, pressing a mobile phone button twice in a row to confirm their intent, or swiping across the screen to grant consent, but only where there is a conspicuous notification that such an action constitutes agreement or consent to the collection, use or disclosure of personal data.
The request for consent to a data subject may be made in a written statement or via electronic means unless that is not possible due to the nature of the request. Consent may also be obtained verbally in limited circumstances.
To obtain consent from data subjects, data controllers should use means by which the data subject can be identified and their express intent can be demonstrated. Electronic means such as emails or electronic documents may be used in conjunction with other evidence in accordance with the electronic transactions law. This includes giving consent by means of a password, a digital signature, an electronic signature on a form, or biometrics (such as iris, fingerprints, face, voice, or any other identifier that can be verified).
When obtaining consent, data controllers must inform data subjects of the following:
The data subject’s consent must be granular with respect to its processing purposes. This means the data subject must be able to provide separate consent for separate processing purposes rather than consenting to a bundle of processing purposes.
Moreover, personal data may be processed only for a purpose that has been communicated to the data subject. If the controller wishes to process data for a purpose different from the one originally communicated to the data subject, it must obtain fresh consent from the data subject unless an exception applies.
The data subject must be able to withdraw their consent at any time and as easily as they provided their consent. The controller must ensure that the consent withdrawal mechanism is easily accessible, prominent and visible to the data subject, and it does not require data subjects to undertake any additional steps for withdrawing consent.
On withdrawal of consent, the controller must stop the processing for which that consent was the legal basis. In addition, withdrawing consent should not degrade the quality of the service offered to the data subject. The data subject must be informed of any consequences of withdrawing consent.
In the case of personal data belonging to a minor aged 10 or under, consent must be obtained from the holder of parental authority. Consent must also be obtained from the holder of parental authority for minors who are between 10 and 20 years of age and who are not sui juris by marriage or have no capacity as a sui juris person under Section 27 of the Civil and Commercial Code.
However, the controller must obtain consent directly from the minor in any of the following instances:
Data controllers are required to communicate with minors in easily understandable and intelligible language, employ appropriate measures for age verification and identification of minors and parental authorities, and maintain appropriate records.
Any collection of sensitive personal data, that is, data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or any other data which may affect the data subject in a manner prescribed by the Data Protection Committee, must be performed with the ‘explicit’ consent of the data subject, unless the data controller relies on another legal ground or exception for such collection under Section 26 of the PDPA.
The legal grounds that permit the collection of sensitive personal data under the PDPA are generally stricter than those for the processing of other personal data. Under international jurisprudence, explicit consent refers to an express statement of consent made by the data subject.