Notice of PDPC re Criteria for the Collection of Personal Data Relating to a Criminal Record
2024.04.01
Last year, the Personal Data Protection Committee of Thailand (PDPC) issued a draft notice regarding the collection of personal data relating to a criminal record in order to conduct a public hearing on the draft. On 8 January this year, the official “Notice of PDPC re criteria concerning protection measures for the collection of personal data relating to a criminal record” (the “Notice”) was announced and published in the Royal Gazette. The Notice will be enforced on 7 April 2024.
Please find the full notice in Thai here.
Companies doing business in Thailand may ask applicants/employees to provide personal data relating to their criminal records (including information on rewards and punishments) during the recruitment process, including the submission of resumes, the conduct of interviews, and the execution of employment contracts. Since criminal records constitute sensitive personal data under Article 26 of the Personal Data Protection Act (B.E. 2562, hereinafter referred to as "PDPA") and require special attention when handled, the processing of personal data on criminal records should be conducted appropriately and in accordance with this Notice.
The principal details of the Notice are as follows:
1. Definition
Under this Draft Notice, “Personal Data Relating to a Criminal Record” means personal data regarding a criminal investigation, criminal procedure, or criminal liability, which is official information or is certified by a government agency having legal authority concerning said action, regardless of whether the action has been finalized or not. This means that only official documents and their copies need to be handled as “Personal Data Relating to a Criminal Record”. Accordingly, criminal record information included in a resume submitted by a job applicant (self-declared information) does not constitute “Personal Data Relating to a Criminal Record” because it is neither “official information” nor “certified by a government agency”.
2. Scope of Application
The Notice applies to the collection of Personal Data Relating to a Criminal Record which is not carried out under the control of an authorized official authority under the law in accordance with Section 26 paragraph 3 of the PDPA.
3. Legal grounds and Purposes for the collection
A data controller will be able to collect Personal Data Relating to a Criminal Record only when
(1) there is a provision of law that requires verification of a criminal record, or verification of qualifications or prohibited characteristics regarding the commission of a criminal offense or criminal liability; or
(2) explicit consent is obtained from the data subject.
In this regard, the above collection of Personal Data Relating to a Criminal Record shall be done for the following purposes:
(I) for considering the employment of a person, verifying qualifications and prohibited characteristics, or assessing the suitability of a person for employment in any position.
(II) for verifying qualifications and prohibited characteristics in order to authorize, issue a license, approve, register, enroll, receive notification, certify, endorse, give comments, consider, consider appeals, complaints or petitions, carry out, pay, or provide a benefit or other services to a person, by a government agency or a data controller vested to exercise official authority on behalf of government agencies.
(III) for verifying qualifications and prohibited characteristics in order to authorize, approve, certify, endorse, give comments, consider, consider appeals, complaints or petitions, carry out, pay, or provide a benefit or other services to a person, by a data controller other than the data controller specified in (II) above.
4. Notification of Criminal Record
4-1. In cases where the collection of Personal Data Relating to a Criminal Record is essential and necessary for the purposes specified in 3. Legal grounds and Purposes for the collection, a data controller must notify data subjects regarding the necessity of collecting Personal Data Relating to a Criminal Record at the stage of announcement or publication of application, recruitment, nomination, or receiving a request for such action.
4-2. In the case of requesting consent for collecting Personal Data Relating to a Criminal Record from the data subject, a data controller must notify data subjects of the consequences of not giving consent or withdrawing consent when requesting such consent.
5. Security Measures
To limit the collection, use, and disclosure of personal data under this Notice to the extent necessary for legitimate purposes, the data controller shall (i) put in place appropriate organizational and technical measures, including necessary physical measures, and (ii) provide security measures under Section 37(1) of the PDPA that are appropriate to the risk to the rights and freedoms of persons.
6. Retention and Disposal
6-1. In the event that there is no specific provision of any law and there is no necessity under the personal data protection law to collect Personal Data Relating to a Criminal Record for the purposes in 3. Legal grounds and Purposes for the collection, a data controller must not retain Personal Data Relating to a Criminal Record for more than 6 months from the date that performance of such purposes is complete, unless explicit consent is obtained from the data subject.
6-2. A data controller must, in a proper manner, erase, destroy, or anonymize such personal data so that it becomes anonymous data that cannot identify the data subject when the retention period terminates, or when such personal data is no longer necessary to be retained in relation to the purposes for which it was processed.
Authors:
Monchai Varatthan
Shota Sugiura
Marin Viriyapongpanich (Lin)