In the middle of November 2023, the Personal Data Protection Committee of Thailand (PDPC) issued a draft notice titled “(draft) Notice of PDPC re criteria concerning personal data protection measures for the collection of personal data relating to a criminal record which is not carried out under the control of authorized official authority under the law” (“Draft Notice”) for a public hearing from 14 – 28 November 2023.

Companies doing business in Thailand may ask applicants/employees to provide their personal data related to the criminal records (including the information on rewards and punishments) during the recruitment process, including the submission of resumes, conducting interviews, and execution of the employment contracts. Since the criminal records constitute sensitive personal data under Article 26 of the Personal Data Protection Act (B.E. 2562, hereinafter referred to as "PDPA") and require special attention when handling them, the processing of the personal data on criminal records should be conducted appropriately and in accordance with this Draft Notice.

The principal details of the Draft Notice are as follows:

1. Definition

Under this Draft Notice, “Personal Data Relating to a Criminal Record” means personal data regarding a criminal investigation, criminal procedure, or criminal liability, which is official information or certified by a government agency having legal authority concerning said action, regardless of whether the action has been finalized or not. This means that only official documents and their copies need to be handled as “Personal Data Relating to a Criminal Record”. So, criminal record information included in a resume submitted by the job applicant (self-declared information) does not constitute “Personal Data Relating to a Criminal Record” because it is not “official information” or “certified by a government agency”.

2.Scope of Application

The notice is applied to the collection of Personal Data Relating to a Criminal Record which is not carried out under the control of an authorized official authority under the law in accordance with Section 26 paragraph 3 of the PDPA.

3. Legal grounds for the collection

A data controller will be able to collect Personal Data Relating to a Criminal Record for the purpose of (i) considering employing a person, (ii) verifying qualifications and prohibited characteristics, or (iii) assessing the suitability of a person for employment in any position only when

(1) there is a provision of law that requires verification of a criminal record, or verification of qualifications, or prohibited characteristics regarding acting criminal offense or criminal liability; or

(2) obtain explicit consent from a data subject.

4. Notification of Criminal Record

4-1. In cases where the collection of Personal Data Relating to a Criminal Record is essential and necessary for the role of the person’s job or position, a data controller must notify data subjects regarding the necessity of collecting Personal Data Relating to a Criminal Record for the process of announcement or publication of application, recruitment, or nomination of a person for consideration to be employed or appointed to such position.

4-2. In the case of requesting consent for collecting Personal Data Relating to a Criminal Record from the data subject, a data controller must notify data subjects of the consequences of not giving consent or withdrawing consent when requesting such consent.

5.Retention and Disposal

5-1. A data controller must not retain Personal Data Relating to a Criminal Record for more than  6 months from the date that consideration of employment, verification of qualifications and prohibited characteristics, or an assessment of the suitability of a person for employment in any position is complete in relation to the purpose(s) and necessity of processing such data, unless there is a provision of any laws that specifically stipulates a necessity under the personal data protection law to keep such information.

5-2. A data controller must erase, destroy, or anonymize such personal data to become anonymous data that cannot identify the data subject in a proper manner when the retention period terminates, or when such personal data is no longer necessary to be retained in relation to the purposes for which it was processed.

Authors:
Monchai Varatthan
Shota Sugiura
Marin Viriyapongpanich (Lin)