The Thailand Personal Data Protection Commission (“PDPC”) has adopted new guidelines on the Personal Data Protection Act B.E. 2562 (“PDPA”) regarding notification to data subjects (“Notification Guidelines”). The new Notification Guidelines were posted on the Ministry of Digital Economy and Society (“MDES”)’s website on September 7, 2022. Although the Notification Guidelines do not have a binding effect on data controllers and data processors as these Notification Guidelines have not been published in the Thai Government Gazette, they do set forth significant implications on how to notify data subjects under the PDPA. You can see the original text of the “Guidelines for Notification of Purposes and Details of Collecting Personal Data from Data Subjects under the PDPA B.E. 2562” here.

The Notification Guidelines add to the requirement for notification to data subjects under the PDPA so that data controllers must notify the details of the processing of personal data properly in accordance with the PDPA. 

If a data controller is not subject to a specific law or supervisory authority which has its own notification format to follow, the Notification Guidelines require such data controller to provide notification of the following items indicated in the table below. Most of the items below are already specified in the PDPA as having to be informed to data subjects; however, item (ix) “The details of transferring the personal data to a foreign country” was previously not always required to be notified. According to Section 28 of the PDPA, such notification is only required when data controllers transfer personal data based on the consent of data subjects. If you transfer personal data to foreign countries and your privacy policy does not satisfy item (ix) required under these Notification Guidelines, it should be updated to cover all the items in the table below.

Notification Guidelines Requirements	PDPA Requirements
(i) Purposes of collection for use and disclosure of personal data, including the purposes according to Section 24	Section 23 (1)
(ii) Notification of cases where the data subject must provide personal data for compliance with a law or contract, or where it is necessary to provide personal data for the purpose of entering into a contract, including notification of the possible effect where the data subject does not provide such personal data	Section 23 (2)
(iii) The personal data to be collected	Section 23 (3)
(iv) The period for which the personal data will be retained	Section 23 (3)
(v) The categories of persons or entities to whom the collected personal data may be disclosed	Section 23 (4)
(vi) The information, name, address, and contact details of the data controller	Section 23 (5)
(vii) The information, name, address, and contact details of the representative of the data controller (if any)	Section 23 (5)
(viii) The information, name, address, and contact details of the data protection officer (DPO) (if any)	Section 41
(ix) The details of transferring personal data to foreign countries	Section 28 (2)
(xi) Rights of data subjects	Section 23 (6)

Notification to the data subjects must be made explicitly. This may be done in several ways. For example, by written, oral, text or electronic media such as SMS text, e-mail, electronic means such as URL link, QR Code or any other technical means, etc.

The Notification Guidelines also provide details of: (i) the principles for notifying the purposes to the data subjects, which further emphasizes the fairness and clarity of the notification to protect the interests of data subjects, as well as to prevent any direct impact against data subjects, and (ii) the exemption from the need to provide notification when collecting personal data from sources other than directly from the data subjects.

Authors:
Monchai Varatthan
Shota Sugiura
Pongsacha Chayapong (Sharth)
Marin Viriyapongpanich (Lin)