Admin

New Guidelines for Personal Data Protection in Thailand

The Thai government published four notifications (“Notifications”) on 20 June 2022 that supplement Thailand's Personal Data Protection Act 2019 (“PDPA”). The Notifications set out legal definitions, rules, criteria and conditions relating to the PDPA, including penalties for non-compliance with the PDPA. Below are four key points of the Notifications:


1. Entities exempted from maintaining Data Controller records (effective 21 June 2022):

- Small and medium-sized enterprises
- Community enterprises
- Social enterprises or social enterprise groups
- Co-operatives or agricultural groups
- Foundations, associations, religious organizations, or non-profit organizations
- Business households

An exempted entity must not be an entity that is required to maintain computer traffic data under the Computer Crime Act.


2. Security and safety measures for Data Controllers (effective 21 June 2022)

The measures must follow at least 3 key principles:

- Confidentiality of personal data
- Integrity of personal data
- Availability of personal data

Under this announcement, the personal data controller is obliged to provide appropriate security measures. Their main purpose is to prevent the unauthorized or abusive loss, access, use, alteration or disclosure of personal data, and care must be taken in accordance with the minimum standards set by the Committee. This personal data protection notification is intended to make the protection of personal data more appropriate during the initial period of enforcement of the law.

The measures should be reviewed and updated from time to time to comply with the PDPA.


3. Rules and methods for maintaining records of personal data processing activities (“ROPA”) (effective 180 days from the announcement in the Government Gazette)

The records must contain at least the following information:

- Name and information of the Data Processor;
- Name and information of the Data Controller on whose behalf the Data Processor is acting;
- Name, information and contact details of the Data Protection Officer (DPO), and the method for contacting the DPO;
- Type and purpose of the collection of the personal data that the Data Processor handles in relation to the collection, use or disclosure of personal data pursuant to orders given by or on behalf of a Data Controller;
- Details of the person or enterprise to which the personal data is transferred, where the personal data will be sent or transferred abroad;
- Details of the security measures under section 40, paragraph one (2) of the PDPA.

The Data Processor is required to prepare and maintain a written record of the personal data processing activities in accordance with the PDPA. The record can be kept in written or electronic format. The records of such personal data processing activities must be easily accessible and must be able to be shown to the Office of the Personal Data Protection Commission or other relevant authorities for quick review when the agency so requests.


4. Rules for imposing administrative penalties (effective 21 June 2022)

Violations of the PDPA are punishable by an administrative fine of up to THB 5 million. Below are the rules and procedures for the Personal Data Protection Committee to exercise its administrative powers:

- The methods for issuing notifications for the execution of administrative orders on an urgent basis;
- Significant points in determining the administrative penalty, such as the details and severity of the circumstances of the violation, the size of the business, the level of damage, and compensation;
- Considerations to be taken into account in issuing an order to impose an administrative fine for severe and non-severe non-compliance;
- Authorization to appoint administrative sanction officers;
- Authorization to seize, freeze or auction the property of a Data Controller who fails to settle the fine within the prescribed time.

