After the Personal Data Protection Act (“PDPA”) had been in force for a while, the Personal Data Protection Commission (“PDPC”) became aware of problems arising from the interpretation of the law, as well as of some ambiguous provisions; it therefore issued several guidelines so that both the public and private sectors could comply with the PDPA in a consistent manner. One of these is “The Guidelines for Requesting Consent from Data Subjects According to the Personal Data Protection Act B.E. 2562” (“Consent Guidelines”), issued by the PDPC on September 7, 2022, which sets out in detail the consent request requirements that data controllers must comply with when collecting, using, and disclosing the personal data of data subjects. You can see the original text of the Consent Guidelines here.
The Consent Guidelines clearly state that a consent request should be a last resort: data controllers should rely on another legal basis for collecting, using, or disclosing personal data where one applies as an exception to requesting consent, namely the public interest, the vital interest of the data subject, the performance of a contract, the exercise of official authority, the legitimate interest of the data controller, or compliance with the law (Section 24), together with the legal bases exempting the collection of sensitive data from the consent requirement under Section 26.
Where none of those other legal grounds applies, data controllers shall not collect, use, or disclose personal data unless the data subject has given consent. The core details and conditions of consent are as follows:
- Consent from data subjects is required prior to or at the time of the collection, use, or disclosure of personal data.
- The personal data controller must inform data subjects of the purpose and details of the request for consent before they give consent.
- The request for consent must be clearly separated from other statements, in a form or statement that is easily accessible and understandable, including using language that is easy to read and does not deceive or mislead data subjects.
- A request for consent is lawful only when data subjects give “freely given consent” without fraud, deception, intimidation, or misrepresentation.
- Consent must not be made a condition of entering into a contract, including the provision of a service, where the collection, use, or disclosure of personal data is not necessary for, or not related to, entering into that contract or providing that service.
Building on the above principles, the Consent Guidelines further clarify that consent must be requested for a specific purpose, not a general one. It is also forbidden to combine the purposes of collecting, using, or disclosing various types of personal data within a single consent request.
In addition, the Consent Guidelines state that data controllers shall notify data subjects of the following details when requesting consent:
(1) Information relating to the data controller
(2) Purposes of collecting, using, or disclosing personal data
(3) Categories of personal data to be collected
(4) Right of data subjects to withdraw consent and details of the method of withdrawal
The Consent Guidelines further explain that data controllers shall set out the methods, conditions, or form of withdrawal in a prominent place in the consent request, whether in writing or in electronic form. Withdrawing consent shall not impose a burden, cost, or procedure on data subjects greater than that of giving consent, and shall not cause the quality of the service to deteriorate.
Pongsacha Chayapong (Sharth)
Marin Viriyapongpanich (Lin)