After Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) was passed into law, numerous provisions related to the collection, use, and disclosure of personal data will come into effect on May 27th, 2020.
This includes strict requirements for every natural or juristic person who has the power to decide about the collection, use, or disclosure of personal data. Such a data controller must, according to Section 23 PDPA, inform the data owner of the following:
A privacy statement is not required if the person or type of use, collection or disclosure of personal data is exempted by Section 4 PDPA, e.g.:
As circumstances differ for each data controller, a specific Privacy Statement is recommended for the respective case. A standard template may be feasible for a simple website of a small business, but is not recommendable for larger operations, as the statement also must cover the collection, use, and disclosure of offline data (like data from CCTV, or hand files). A properly drafted privacy statement will help companies to comply with the law and avoid liability.
Typically, a hyperlink to the full text of the privacy statement should be provided at the company’s website and in its publications such as newsletters.
Feel free to contact us if you have questions about the privacy statement at [email protected].