Will Privacy Policies be Mandatory under the PDPA?Comments Off on Will Privacy Policies be Mandatory under the PDPA?
After Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) was passed into law, numerous provisions related to the collection, use, and disclosure of personal data will come into effect on May 27th, 2020.
This includes strict requirements for every natural or juristic person who has the power to decide about the collection, use, or disclosure of personal data. Such a data controller must, according to Section 23 PDPA, inform the data owner of the following:
- The purpose of the collection of personal data;
- The personal data to be collected;
- The period the personal data is kept;
- The expected data retention period;
- The persons to whom the collected personal data may be disclosed;
- Contact details of the data controller / data protection officer (if required);
- Rights of the data owner.
A privacy statement is not required if the person or type of use, collection or disclosure of personal data is exempted by Section 4 PDPA, e.g.:
- Persons who collect personal data for personal benefit/household activity;
- Mass media, fine arts, and literature (in accordance with professional ethics / public interest);
- The Parliament;
- Trial and adjudication at Courts.
As circumstances differ for each data controller, a specific Privacy Statement is recommended for the respective case. A standard template may be feasible for a simple website of a small business, but is not recommendable for larger operations, as the statement also must cover the collection, use, and disclosure of offline data (like data from CCTV, or hand files). A properly drafted privacy statement will help companies to comply with the law and avoid liability.
Typically, a hyperlink to the full text of the privacy statement should be provided at the company’s website and in its publications such as newsletters.
Feel free to contact us if you have questions about the privacy statement at [email protected].