On 7 September 2022, the Personal Data Protection Committee of Thailand (the “Data Protection Committee”) released Guidelines for Obtaining Consent from Data Subjects (the “Guidelines”). These Guidelines must be read together with Thailand’s Personal Data Protection Act (the “PDPA”) to understand consent requirements under Thailand’s data protection framework.
Under Thailand’s data protection framework, the data subject’s consent is considered a primary lawful basis for processing personal data. The data subject’s consent must be obtained prior to or at the time of the collection, use and disclosure of personal data unless any other legal basis is relied upon.
Data controllers may be required to use a prescribed consent form for obtaining the data subject’s consent specified by a regulatory body under an enforceable law to which the controller is subject to. However, where no such form is prescribed under any applicable law, data controllers must ensure that the consent of data subjects is as per the requirements of the PDPA and the Guidelines issued by the Data Protection Committee.
The following sections will help you understand consent legal requirements in Thailand and ensure compliance:
Freely Given Consent
The data subject’s consent must be freely given. This means the data subject must be able to freely, independently, and voluntarily give consent without any threat, fraud, deception, coercion, intimidation, or misrepresentation on the part of the data controller.
Data controllers should not make consent requests part of contractual arrangements or terms and conditions of a service - the request for consent must be clearly distinguishable from any other matters.
- Securiti’s Consent Management Solution allows you to create consent forms with unchecked consent by default to obtain freely given consent from website users.
Affirmative Action
Under the PDPA, the data subject’s consent cannot be implied. For obtaining consent, data subjects may be asked to perform actions such as clicking on an unchecked consent checkbox, pressing a mobile phone button twice in a row to show confirmation intent, or swiping across the screen to grant consent only where there is a conspicuous notification that such actions constitute an agreement or consent to the collection, use or disclosure of personal data.
The request for consent to a data subject may be made in a written statement or via electronic means unless that is not possible due to the nature of the request. Consent may also be obtained verbally in limited circumstances.
For obtaining consent from data subjects, data controllers should use means by which the data subject can be identified and their express intent can be demonstrated. Electronic means such as emails or electronic documents may be used in conjunction with other evidence according to the electronic transaction law. This includes giving consent using a password, digital signature, electronic signature in form, or biometrics (such as iris, fingerprints, faces, voices, or any other identifier that can be verified).
- Securiti’s Cookie Consent Solution automatically scans cookies and similar tracking technologies and allows you to create opt-in cookie consent banners with equally prominent accept and reject fields.
While obtaining consent from data subjects, data subjects must be informed of the following information:
- The information about the data controller,
- The specific purpose of the collection, use, or disclosure of personal data,
- The types of personal data to be collected, used, or disclosed, and
- The right of the data subject to withdraw consent and the mechanism of doing so.
- Securiti’s Cookie Consent Solution allows you to implement cookie consent banners and configure text on consent banners and preference centers to ensure informed consent.
Specific Consent
The data subject’s consent must be granular with respect to its processing purposes. This means the data subject must be able to provide separate consent for separate processing purposes rather than consenting to a bundle of processing purposes.
Moreover, personal data may be processed only for a purpose that has been communicated to the data subject. If the controller wishes to process data for a purpose different than what was originally communicated to the data subject, it must obtain fresh consent from the data subject unless an exception applies.
- Securiti’s Preference Center within Consent Management allows users to opt-in and opt-out of granular consent purposes and processing purposes.
Consent Withdrawal
The data subject must be able to withdraw their consent at any time and as easily as they provided their consent. The controller must ensure that the consent withdrawal mechanism is easily accessible, prominent and visible to the data subject, and it does not require data subjects to undertake any additional steps for withdrawing consent.
On consent withdrawal, the controller must stop the data processing for which consent was relied upon. In addition, the consent withdrawal should not impact the quality of the website service offered to the data subject. The data subject must be informed of any consequences of consent withdrawal.
- Securiti’s selective consent management allows data subjects to quickly revoke from and resubscribe to their consent preferences via the consent preference center.
Consent for Data Belonging to Minors
In the case of personal data belonging to a minor of 10 years or less than 10 years of age, consent must be obtained from their holders of parental authority. Consent must also be obtained from holders of parental authority for minors who are between 10 and 20 years of age and are not sui juris by marriage or have no capacity as a sui juris person under Section 27 of the Civil Commercial Code.
However, the controller must obtain consent directly from the minor in any of the following instances:
- where the minor is sui juris (independent and legally competent to manage their affairs) by marriage, or by way of legal capacity of carrying out a business or entering into a services contract as an employee;
- where the minor is performing an act by virtue of which they acquire a right or are freed from a duty;
- where the minor is performing a strictly personal act; or
- where the minor is performing an act which is suitable to their condition in life, and required for their reasonable needs.
Data controllers are required to communicate with minors in easily understandable and intelligible language, employ appropriate measures for age verification and identification of minors and parental authorities, and maintain appropriate records.
- Securiti’s Consent Management allows you to obtain minors’ consent, set preference centers for minors’ consent, and maintain updated consent records to help you demonstrate compliance.
Consent for Sensitive Personal Data
Any collection of sensitive personal data, that is data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or any data which may affect the data subject in such manner as prescribed by the Data Protection Committee, should be performed with the ‘explicit’ consent of the data subject, unless any other legal exception or ground is relied upon by the data controller for such collection as per Section 26 of the PDPA.
The legal grounds that permit the collection of sensitive personal data under the PDPA are generally stricter than those for the processing of other personal data. Under international jurisprudence, explicit consent refers to an express statement of consent made by the data subject.
- Securiti’s Consent Management allows you to create consent forms that facilitate the capturing of explicit consent from data subjects and establishes and maintains updated and comprehensive consent audit trails by recording the exact text of the agreement and data categories to which the data subject consents.
Request a DEMO today to understand how Securiti can help you comply with Thailand’s consent requirements and other data privacy laws and regulations.
