On September 7, 2022, Thailand’s Personal Data Protection Committee (“PDPC”) has issued separate guidelines for data controller to follow when obtaining data subject’s consent and notifying data of required information. This includes collection, use, and disclosure of their person data. The name of such guidelines is Guidelines on Obtaining Consent from the Data Subject according to the PDPA, and the Guidelines on Notification of Purposes and Details upon the Collection of Personal Data from the Data Subject according to the PDPA. The issue of the guideline is to help data controllers to avoid violating Personal Data Protection Act B.E. 2562 (2019) (“PDPA”).
在2022年9月7日,泰國個人資料保護委員會 (“PDPC”) 發布單獨的指南方針,供數據控制者在獲得數據主體的同意和通知數據主體所需資訊時遵循,其中包括收集、使用和披露其個人資訊。此類指南的名稱是根據 PDPA 獲得數據主體同意的指南和根據 PDPA 向數據主體收集個人資料的目的和細節通知指南。該指南的目的是幫助數據控制者避免違反《佛曆2562年 (西元2019年) 個人資料保護法》。
Consent Guidelines
同意指南
The requirement for obtaining a consent from of data subject should include time requirement, nature of the requests, and elements needs to be added in request.[1]
獲得數據主體同意的要求應包括時間要求、請求的性質以及請求中需要附加的要素。
Please be noted that obtaining consent from minors needs more requirements. Data controllers should perform suitable identification and measure the age when collecting minors’ personal data. For minors age between 10 to 20, parental consents are not required; however, for minors under 10, parental consent is required. Furthermore, if such data subject is deemed to be “incompetent” or “quasi-incompetent”, data controller should receive consent from their legal guardians. Prior to obtaining such information, consent should be obtained, and the data subject must be informed of the purpose and details of the handling of personal data, including other specific requirements. It will also require confirmation of the explicit consent of the data subject.
請注意,獲得未成年人的同意需要更多的要求。數據控制者在收集未成年人的個人資料時應進行適當的識別和年齡測量。10至20歲的未成年人無需父母同意;但是針對10 歲以下的未成年人,需要父母的同意。此外,如果數據主體被視為“無能力”或“禁治産者”,數據控制者應徵得法定監護人的同意。在獲取此類資訊之前應徵得同意,並且必須告知數據主體處理個人資料的目的和細節,包括其他具體要求,且需要確認數據主體明確同意。
Notification Guidelines
通知指南
Guidelines for notifying data subjects when collecting personal data must be based on core principles of fairness and limiting purposes. The language and term in the notification should be clear and easy-to-understand when notifying, addressing adequate purpose, consequences, and with relevant information about data processing prior to or when collecting data.
收集個人資料時通知數據主體的指南必須基於公平和限制目的的核心原則。通知數據主體適當的目的、後果以及在收集數據之前或收集數據時有關數據處理的相關資訊時,通知書信的語言和術語應清晰易懂。
In addition, such notification should include legal basis for such data controller replies on when processing personal data, and details on any cross-border transfer of personal data. Moreover, the privacy policy format for data notification is flexible, and can be delivered by physical mail or electronic methods. If the source of personal data is not from a data subject, data protection evaluation should be made.
此外,此通知應包括數據控制者在處理個人資料時所遵循的法律依據,以及任何個人資料跨境傳輸的詳細資訊。此外,資訊通知的隱私政策格式不受限,可以通過實體郵件或電子方式傳遞。另外,如果個人資料的來源不是來自數據主體,應進行資料保護評估。
Form of Consent Request and Privacy Teams
同意請求和隱私團隊的形式
If a data controller is subject to other specified laws under sectoral regulators, the data controller must adopt a standard form prescribed by relevant law. If there is no prescribed standard form, the data controller can use the standard forms recommended by industry associations.
如果數據控制者受行業監管機構規定的其他特定法律的約束,數據控制者必須採用相關法律規定的標準格式。如果沒有規定的標準表格,數據控制者可以使用行業協會推薦的標準表格。
[1] Section 19 of Personal Data Protection Act B.E. 2562 (2019).
#PDPA #personaldataprotectionact #thaipersondataprotection #PDPC #PersonalDataProtectionCommittee #thailaw #泰國法律 #泰國個資法 #泰國個人資料保護 #個人資料保護委員會 #泰國中文律師 #IBC法律金融會計事務所 #泰國律師 #泰國法律事務所 #泰國律師事務所 #泰國會計 #泰國審計 #泰國會計事務所 #泰國審計事務所 #法律顧問 #泰國會計師 #泰國華人律師事務所 #thaiaccountant #thailawyer #thailaw #泰國稅務 #IBCFirm #ThaiLawFirm #ThaiAccountingFirm #thaiauditfirm
Comments