On 7 September 2022, the Personal Data Protection Committee of Thailand (the “Data Protection Committee”) released Guidelines for Obtaining Consent from Data Subjects (the “Guidelines”). These Guidelines must be read together with Thailand’s Personal Data Protection Act (the “PDPA”) to understand consent requirements under Thailand’s data protection framework.
Under Thailand’s data protection framework, the data subject’s consent is considered a primary lawful basis for processing personal data. The data subject’s consent must be obtained prior to or at the time of the collection, use and disclosure of personal data unless any other legal basis is relied upon.
Data controllers may be required to use a consent form prescribed by a regulatory body under an enforceable law to which the controller is subject. However, where no such form is prescribed under any applicable law, data controllers must ensure that the consent of data subjects meets the requirements of the PDPA and the Guidelines issued by the Data Protection Committee.
The following sections will help you understand the legal requirements for consent in Thailand and ensure compliance:
The data subject’s consent must be freely given. This means the data subject must be able to freely, independently, and voluntarily give consent without any threat, fraud, deception, coercion, intimidation, or misrepresentation on the part of the data controller.
Data controllers should not make consent requests part of contractual arrangements or terms and conditions of a service - the request for consent must be clearly distinguishable from any other matters.
Under the PDPA, the data subject’s consent cannot be implied. For obtaining consent, data subjects may be asked to perform actions such as clicking on an unchecked consent checkbox, pressing a mobile phone button twice in a row to show confirmation intent, or swiping across the screen to grant consent only where there is a conspicuous notification that such actions constitute an agreement or consent to the collection, use or disclosure of personal data.
The request for consent to a data subject may be made in a written statement or via electronic means unless that is not possible due to the nature of the request. Consent may also be obtained verbally in limited circumstances.
For obtaining consent from data subjects, data controllers should use means by which the data subject can be identified and their express intent can be demonstrated. Electronic means such as emails or electronic documents may be used in conjunction with other evidence according to the electronic transaction law. This includes giving consent using a password, digital signature, electronic signature in form, or biometrics (such as iris, fingerprints, faces, voices, or any other identifier that can be verified).
While obtaining consent from data subjects, data subjects must be informed of the following information:
The data subject’s consent must be granular with respect to its processing purposes. This means the data subject must be able to provide separate consent for separate processing purposes rather than consenting to a bundle of processing purposes.
Moreover, personal data may be processed only for a purpose that has been communicated to the data subject. If the controller wishes to process data for a purpose different than what was originally communicated to the data subject, it must obtain fresh consent from the data subject unless an exception applies.
The data subject must be able to withdraw their consent at any time and as easily as they provided their consent. The controller must ensure that the consent withdrawal mechanism is easily accessible, prominent and visible to the data subject, and it does not require data subjects to undertake any additional steps for withdrawing consent.
On consent withdrawal, the controller must stop the data processing for which consent was relied upon. In addition, the consent withdrawal should not impact the quality of the website service offered to the data subject. The data subject must be informed of any consequences of consent withdrawal.
In the case of personal data belonging to a minor aged 10 years or younger, consent must be obtained from the holders of parental authority. Consent must also be obtained from holders of parental authority for minors who are between 10 and 20 years of age and are not sui juris by marriage or have no capacity as a sui juris person under Section 27 of the Civil Commercial Code.
However, the controller must obtain consent directly from the minor in any of the following instances:
Data controllers are required to communicate with minors in easily understandable and intelligible language, employ appropriate measures for age verification and identification of minors and parental authorities, and maintain appropriate records.
Any collection of sensitive personal data, that is, data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or any data which may affect the data subject in such manner as prescribed by the Data Protection Committee, should be performed with the ‘explicit’ consent of the data subject, unless the data controller relies on another legal exception or ground for such collection under Section 26 of the PDPA.
The legal grounds that permit the collection of sensitive personal data under the PDPA are generally stricter than those for the processing of other personal data. Under international jurisprudence, explicit consent refers to an express statement of consent made by the data subject.
Maria Khan is an IAPP Certified Information Privacy Professional (CIPP/Europe) and a Certified Information Privacy Manager (CIPM). She earned her LL.M from the University of Michigan Law School, where she received the Michigan Grotius Fellowship, a fully-funded award. Additionally, Maria holds a B.A-LL.B (Hons.) from Pakistan.
Passionate about data privacy, AI governance, and business and human rights, Maria facilitates organizations in evaluating data privacy compliance risks and offers privacy-compliant solutions. She plays a key role in supporting regulatory intelligence within products/software and aiding organizations in meeting compliance efforts. Maria possesses a substantial understanding of global data privacy obligations, particularly in relation to AI governance, consent management, user transparency, digital marketing, cross-border data transfers, and AI risk assessments.