Personal Data Protection Act

According to the Personal Data Protection Act B.E. 2562 (2019), the collection of Personal Data shall be limited to the extent necessary in relation to the lawful purpose of the Data Controller.

 

Section 24 states that the Data Controller shall not collect Personal Data without the consent of the data subject, unless:

(1) it is for the achievement of the purpose relating to the preparation of the historical documents or the archives for public interest, or for the purpose relating to research or statistics, in which the suitable measures to safeguard the data subject's rights and freedoms are put in place and in accordance with the notification as prescribed by the Committee;

(2) it is for preventing or suppressing a danger to a Person’s life, body or health;

(3) it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;

(4) it is necessary for the performance of a task carried out in the public interest by the Data Controller, or it is necessary for the exercising of official authority vested in the Data Controller;

(5) it is necessary for legitimate interests of the Data Controller or any other Persons or juristic persons other than the Data Controller, except where such interests are overridden by the fundamental rights of the data subject of his or her Personal Data; 

(6) it is necessary for compliance with a law to which the Data Controller is subjected.

 

Section 26 states that any collection of Personal Data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner, as prescribed by the Committee, is prohibited without the explicit consent from the data subject, except where:

it is to prevent or suppress a danger to life, body or health of the Person, where the data subject is incapable of giving consent by whatever reason;

it is carried out in the course of legitimate activities with appropriate safeguards by the foundations, associations or any other not-for-profit bodies with political, religious, philosophical, or trade union purposes for their members, former members of the bodies, or persons having regular contact with such foundations, associations or not-for-profit bodies in connection with their purposes, without disclosing the Personal Data outside of such foundations, associations or not-for-profit bodies.

 

Use or Disclosure of Personal Data

The Data Controller shall not use or disclose Personal Data without the consent of the data subject, unless it is the Personal Data which is collected without requirement of consent under section 24 or section 26. The Person or juristic person who obtains Personal Data as a result of the disclosure under paragraph one shall not use or disclose such Personal Data for any purpose other than the purpose previously notified to the Data Controller in the request to obtain such Personal Data.

 

Rights of the data subject

The data subject is entitled to request access to and obtain a copy of the Personal Data related to him or her, which is under the responsibility of the Data Controller, or to request the disclosure of the acquisition of the Personal Data obtained without his or her consent. The Data Controller shall perform as requested in paragraph one. The request can be rejected only where it is permitted by law or pursuant to a court order, and such access and obtaining a copy of the Personal Data would adversely affect the rights and freedoms of others.

 

The data subject shall have the right to request the Data Controller to erase or destroy the Personal Data, or anonymize the Personal Data to become the anonymous data which cannot identify the data subject, where the following ground applies:

(1) the Personal Data is no longer necessary in relation to the purposes for which it was collected, used or disclosed;

(2) the data subject withdraws consent on which the collection, use, or disclosure is based on, and where the Data Controller has no legal ground for such collection, use, or disclosure;

(3) the data subject objects to the collection, use, or disclosure of the Personal Data, and the Data Controller cannot reject such request, or where the data subject exercises his or her right to object;

(4) the Personal Data has been unlawfully collected, used, or disclosed under this Chapter.

Paragraph one shall not apply to the extent that such Personal Data retention is necessary for the purpose of freedom of expression, the purpose under section 24 (1) or (4) or section 26 (5) (a) or (b), the purpose of establishment, compliance or exercise of legal claims, or defense of legal claims, or the purpose for compliance with the law.

Where the Data Controller has disclosed the Personal Data to the public and is requested to erase or destroy the Personal Data, or make the Personal Data become the anonymous data which cannot identify the data subject pursuant to paragraph one, the Data Controller shall be responsible for the course of action, both the implementation of technology and the expenses to fulfill the request, and inform other Data Controllers in order to obtain their responses regarding the action to be taken to fulfill such request.

In the event that the Data Controller does not take action in accordance with paragraph one or three, the data subject shall have the right to complain to the expert committee to order the Data Controller to take such action.

The Committee may announce the rules for the erasure or destruction of Personal Data, or anonymization of the Personal Data to become the anonymous data which cannot identify the data subject pursuant to paragraph one.

 

The Data Controller shall have the following duties:

(1) provide appropriate security measures for preventing the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of Personal Data, and such measures must be reviewed when it is necessary, or when the technology has changed in order to efficiently maintain the appropriate security and safety. It shall also be in accordance with the minimum standard specified and announced by the Committee;

(2) in the circumstance where the Personal Data is to be provided to other Persons or legal persons, apart from the Data Controller, the Data Controller shall take action to prevent such person from using or disclosing such Personal Data unlawfully or without authorization;

(3) put in place the examination system for erasure or destruction of the Personal Data when the retention period ends, or when the Personal Data is irrelevant or beyond the purpose necessary for which it has been collected, or when the data subject has requested to do so, or when the data subject withdraws consent, except where the retention of such Personal Data is for the purpose of freedom of expression, the purpose under section 24 (1) or (4) or section 26 (5) (a) or (b), the purpose of the establishment, compliance or exercise of legal claims, or defense of legal claims, or the purpose of compliance with the law. The provision in section 33 paragraph five shall be used to govern the erasure or destruction of Personal Data mutatis mutandis;

(4) notify the Office of any Personal Data breach without delay and, where feasible, within 72 hours after having become aware of it, unless such Personal Data breach is unlikely to result in a risk to the rights and freedoms of the Persons. If the Personal Data breach is likely to result in a high risk to the rights and freedoms of the Persons, the Data Controller shall also notify the Personal Data breach and the remedial measures to the data subject without delay. The notification and the exemption to the notification shall be made in accordance with the rules and procedures set forth by the Committee; 

(5) in the event of being the Data Controller pursuant to section 5 paragraph two, the Data Controller shall designate in writing a representative of the Data Controller who must be in the Kingdom of Thailand and be authorized to act on behalf of the Data Controller without any limitation of liability with respect to the collection, use or disclosure of the Personal Data according to the purposes of the Data Controller.
