On 14 November 2023, Personal Data Protection Committee (PDPC) in Thailand published a draft notification on collection of personal data of criminal records. This notification provides clarifications and prescribes further criteria for processing criminal record data under the Personal Data Protection Act (“PDPA”), which in general requires the criminal records to be carried out under relevant official authority of this law or under data protection measure implemented according to rules prescribed by PDPC.

2023年11月14日，泰國個人資料保護委員會（PDPC）發布關於收集犯個人資料的罪記錄通知草案。該通知提供澄清、並規定根據《個人資料保護法》(“PDPA”)處理犯罪記錄資料的進一步標準，該法一般要求犯罪記錄的處理必須在相關官方機構依法或根據PDPC規定的規則實施的資料保護措施。

The draft notification will have important implications for businesses’ recruitment and human resources activities in relation to people with criminal records.

該通知草案將對企業與有犯罪記錄的人相關的招聘和人力資源活動產生重要影響。

The main aspects of the draft notifications includes the following:

通知草案的主要內容包括：

Ø “Personal data regarding criminal record” and “criminal record data” denote personal data related to the investigations of criminal offenses, criminal prosecution, or criminal punishment that is official information or certified by relevant supervisory authority, regardless whether that action is connected to final judgment or not.

“有關犯罪紀錄的個人資料”及“犯罪紀錄資料”指與刑事犯罪調查、刑事起訴或刑事處罰有關、官方資訊或經相關監管機構認證的個人資料，不論該行為是否屬於犯罪行為，與最終判決有關於否。

Ø Under the draft notification, data controllers may process criminal record data for the purpose of recruitment process, checking the qualifications of personnel, and considering the suitability of a person for a position if the processing activities are required by law or when a data controller obtains explicit consent from the data subject. Furthermore, the necessity of processing criminal record data must be announced in the beginning of the recruitment process.

根據通知草案，如果法律要求或資料控制者需要處理犯罪記錄資料，資料控制者可以出於招聘過程、檢查人員資格並考慮人員是否適合職位的目的處理犯罪記錄資料獲得資料主體的明確同意。此外，必須在招聘過程開始時宣布處理犯罪記錄資料的必要性。

Ø Data controllers’ requests for explicit consent to collect data subject’s criminal record and must notify the data subject of the consequences of not providing consent or to towithdraw consent.

資料控制者在要求明確同意收集資料主體的犯罪記錄資料時，也必須告知資料主體不提供同意或撤回同意的後果。

Ø The draft notification sets the allowable retention period for criminal record data at a maximum of six months from the end of the processing activities specified above. After the retention period ends, the criminal record data must be deleted, destroyed, or anonymized using an appropriate method.

通知草案規定犯罪紀錄資料的允許保留期限為自上述處理活動結束後最多六個月。保存期限結束後，犯罪記錄資料必須採用適當方法刪除、銷毀或匿名化。

#criminalrecord #犯罪記錄 #personaldataprotection #personaldataprotectionact #personaldataprotectioninthailand #PDPA #個人資料保護 #個人資料保護法 #泰國個人資料保護 #thailaw #泰國法律 #泰國中文律師 #IBC法律金融會計事務所 #泰國律師 #泰國法律事務所 #泰國律師事務所 #泰國會計 #泰國審計 #泰國會計事務所 #泰國審計事務所 #法律顧問 #泰國會計師 #泰國華人律師事務所 #thaiaccountant #thailawyer #IBCFirm #ThaiLawFirm #ThaiAccountingFirm