Section Code: 030 - 042
Personal Data Protection Act
CHAPTER III
RIGHTS OF THE DATA SUBJECT
Section 30
The data subject is entitled to request access to and obtain a copy of the Personal Data related to him or her, which is under the responsibility of the Data Controller, or to request the disclosure of the acquisition of the Personal Data obtained without his or her consent.
The Data Controller shall perform as requested in paragraph one. The request can be rejected only where it is permitted by law or pursuant to a court order, and such access and obtaining a copy of the Personal Data would adversely affect the rights and freedoms of others.
In the case that the Data Controller rejects the requests in paragraph one, the Data Controller shall record its rejection together with supporting reasons in the record as prescribed in Section 39.
When the data subject makes a request as in paragraph one, and such request cannot be rejected based on the reasons in paragraph two, the Data Controller shall fulfill the request without delay, but shall not exceed thirty days from the date of receiving such request.
The Committee may prescribe rules for the access to and request to obtain a copy of the Personal Data in paragraph one, including the extension of the period under paragraph four, or other rules as appropriate.
Section 31
The data subject shall have the right to receive the Personal Data concerning him or her from the Data Controller. The Data Controller shall arrange such Personal Data to be in the format which is readable or commonly used by ways of automatic tools or equipment, and can be used or disclosed by automated means. The data subject is also entitled to:
(1) request the Data Controller to send or transfer the Personal Data in such formats to other Data Controllers if it can be done by automatic means;
(2) request to directly obtain the Personal Data in such formats that the Data Controller sends or transfers to other Data Controllers, unless it is impossible to do so because of technical circumstances.
The Personal Data in paragraph one must be the Personal Data that the data subject has given consent for the collection, use, or disclosure of such Personal Data according to the rules under this Act, or the Personal Data that is exempted from consent requirements under Section 24(3), or any other Personal Data referred to under Section 24 as prescribed by the Committee.
The exercise of rights of the data subject in paragraph one shall not apply to the sending or transferring of Personal Data by the Data Controller which is the performance of a task carried out in the public interest, or for compliance with law, or such exercise of rights shall not violate the rights and freedoms of others. In the event that the Data Controller rejects the request by such reasons, the Data Controller shall make a record of such rejection of the request together with reasons in the record as prescribed in Section 39.
Section 32
The data subject has the right to object to the collection, use, or disclosure of the Personal Data concerning him or her, at any time, in the following circumstances:
(1) where the Personal Data is collected with the exemption to consent requirements under Section 24(4) or (5), unless the Data Controller can prove that:
    (a) the Data Controller can demonstrate a compelling legitimate ground for the collection, use, or disclosure of such Personal Data; or
    (b) the collection, use, or disclosure of such Personal Data is carried out for the establishment, compliance or exercise of legal claims, or defense of legal claims;
(2) the collection, use, or disclosure of such Personal Data is for the purpose of direct marketing; or
(3) the collection, use, or disclosure of such Personal Data is for the purpose of scientific, historical or statistical research, unless it is necessary for the performance of a task carried out for reasons of public interest by the Data Controller.
In the event that the data subject exercises his or her right to object in paragraph one, the Data Controller shall no longer be able to collect, use, or disclose such Personal Data, and the Data Controller shall immediately distinguish such Personal Data clearly from the other matters at the time when the data subject gives the notice of objection to the Data Controller.
In the event that the Data Controller rejects the objection by the reasons in (1)(a) or (b) or (3), the Data Controller shall record such rejection of objection request together with reasons in the record as prescribed in Section 39.
Section 33
The data subject shall have the right to request the Data Controller to erase or destroy the Personal Data, or anonymize the Personal Data so that it becomes anonymous data which cannot identify the data subject, where any of the following grounds applies:
(1) the Personal Data is no longer necessary in relation to the purposes for which it was collected, used or disclosed;
(2) the data subject withdraws the consent on which the collection, use, or disclosure is based, and the Data Controller has no other legal ground for such collection, use, or disclosure;
(3) the data subject objects to the collection, use, or disclosure of the Personal Data referred to in Section 32(1), and the Data Controller cannot reject such request as referred to in Section 32(1)(a) or (b), or the data subject exercises his or her right to object as referred to in Section 32(2); or
(4) the Personal Data have been unlawfully collected, used, or disclosed under this Chapter.
Paragraph one shall not apply to the extent that such Personal Data retention is necessary for the purpose of freedom of expression, the purpose under Section 24(1) or (4) or Section 26(5)(a) or (b), the purpose of establishment, compliance or exercise of legal claims, or defense of legal claims, or the purpose for compliance with the law.
Where the Data Controller has made the Personal Data public and is requested to erase or destroy the Personal Data, or make the Personal Data become the anonymous data which cannot identify the data subject pursuant to paragraph one, the Data Controller shall be responsible for the course of action, both the implementation of technology and the expenses to fulfil the request, and inform other Data Controllers in order to obtain their responses regarding the action to be taken to fulfil such request.
In the event that the Data Controller does not take action in accordance with paragraph one or three, the data subject shall have the right to complain to the expert committee to order the Data Controller to take such action.
The Committee may announce the rules for the erasure or destruction of Personal Data, or anonymization of the Personal Data to become the anonymous data which cannot identify the data subject pursuant to paragraph one.
Section 34
The data subject shall have the right to request the Data Controller to restrict the use of the Personal Data where any of the following applies:
(1) when the Data Controller is pending the examination process in accordance with the data subject's request pursuant to Section 36;
(2) when it is Personal Data which shall be erased or destroyed pursuant to Section 33(4), but the data subject requests the restriction of the use of such Personal Data instead;
(3) when it is no longer necessary to retain such Personal Data for the purposes of such collection, but the data subject needs to request further retention for the purposes of the establishment, compliance or exercise of legal claims, or defense of legal claims;
(4) when the Data Controller is pending verification with regard to Section 32(1), or pending examination with regard to Section 32(3), in order to reject the objection request made by the data subject in accordance with Section 32 paragraph three.
In the event that the Data Controller does not take action in accordance with paragraph one, the data subject shall have the right to complain to the expert committee to order the Data Controller to take such action.
The Committee may prescribe and announce rules regarding the suspension of use in accordance with paragraph one.
Section 35
The Data Controller shall ensure that the Personal Data remains accurate, up-to-date, complete, and not misleading.
Section 36
In the case where the data subject requests the Data Controller to act in compliance with Section 35, if the Data Controller does not take action regarding the request of the data subject, the Data Controller shall record such request of the data subject together with reasons, in the record as prescribed in Section 39.
The provisions of Section 34 paragraph two shall apply mutatis mutandis.
Section 37
The Data Controller shall have the following duties:
(1) provide appropriate security measures for preventing the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of Personal Data, and such measures must be reviewed when it is necessary, or when the technology has changed, in order to efficiently maintain the appropriate security and safety. It shall also be in accordance with the minimum standard specified and announced by the Committee;
(2) in the circumstance where the Personal Data is to be provided to other Persons or legal persons, apart from the Data Controller, the Data Controller shall take action to prevent such person from using or disclosing such Personal Data unlawfully or without authorization;
(3) put in place an examination system for the erasure or destruction of the Personal Data when the retention period ends, or when the Personal Data is irrelevant or beyond the purpose necessary for which it has been collected, or when the data subject has requested to do so, or when the data subject withdraws consent, except where the retention of such Personal Data is for the purpose of freedom of expression, the purpose under Section 24(1) or (4) or Section 26(5)(a) or (b), the purpose of the establishment, compliance or exercise of legal claims, or defense of legal claims, or the purpose of compliance with the law. The provision in Section 33 paragraph five shall be used to govern the erasure or destruction of Personal Data mutatis mutandis;
(4) notify the Office of any Personal Data breach without delay and, where feasible, within 72 hours after having become aware of it, unless such Personal Data breach is unlikely to result in a risk to the rights and freedoms of the Persons. If the Personal Data breach is likely to result in a high risk to the rights and freedoms of the Persons, the Data Controller shall also notify the Personal Data breach and the remedial measures to the data subject without delay. The notification and the exemption to the notification shall be made in accordance with the rules and procedures set forth by the Committee;
(5) in the event of being the Data Controller pursuant to Section 5 paragraph two, the Data Controller shall designate in writing a representative of the Data Controller who must be in the Kingdom of Thailand and be authorized to act on behalf of the Data Controller without any limitation of liability with respect to the collection, use or disclosure of the Personal Data according to the purposes of the Data Controller.
Section 38
The provisions of the representative designation in Section 37(5) shall not apply to the following Data Controller:
(1) the Data Controller which is a public authority as prescribed and announced by the Committee;
(2) the Data Controller which engages in the profession or business of collecting, using, or disclosing Personal Data that does not have the nature pursuant to Section 26, and does not have a large amount of Personal Data as prescribed by the Committee in Section 41(2).
In the event that the Data Controller in Section 5 paragraph two has a Data Processor, the provisions of Section 37(5) and the provisions in paragraph one shall apply to such Data Processor mutatis mutandis.
Section 39
The Data Controller shall maintain, at least, the following records, in either written or electronic form, in order to enable the data subject and the Office to inspect them:
(1) the collected Personal Data;
(2) the purpose of the collection of the Personal Data in each category;
(3) details of the Data Controller;
(4) the retention period of the Personal Data;
(5) rights and methods for access to the Personal Data, including the conditions regarding the Person having the right to access the Personal Data and the conditions to access such Personal Data;
(6) the use or disclosure under Section 27 paragraph three;
(7) the rejection of a request or objection according to Section 30 paragraph three, Section 31 paragraph three, Section 32 paragraph three, and Section 36 paragraph one; and
(8) details of the appropriate security measures pursuant to Section 37(1).
The provisions in paragraph one shall apply to the representative of the Data Controller under Section 5 paragraph two mutatis mutandis.
The provisions in (1), (2), (3), (4), (5), (6) and (8) may not apply to a Data Controller who is a small organization pursuant to the rules prescribed by the Committee, unless the collection, use, or disclosure of such Personal Data is likely to result in a risk to the rights and freedoms of data subjects, or the Data Controller is not a business in which the collection, use, or disclosure of the Personal Data is occasional, or is involved in the collection, use, or disclosure of the Personal Data pursuant to Section 26.
Section 40
The Personal Data Processor shall have the following duties:
(1) carry out the activities related to the collection, use or disclosure of Personal Data only pursuant to the instructions given by the Data Controller, except where such instructions are contrary to the law or any provisions regarding Personal Data protection under this Act;
(2) provide appropriate security measures for preventing unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of Personal Data, and notify the Data Controller of any Personal Data breach that has occurred; and
(3) prepare and maintain records of Personal Data processing activities in accordance with the rules and methods set forth by the Committee.
The Data Processor, who fails to comply with (1) for the collection, use, or disclosure of the Personal Data, shall be regarded as the Data Controller for the collection, use or disclosure of such Personal Data.
In carrying out the activities in accordance with the Data Processor's obligations as assigned by the Data Controller under paragraph one, the Data Controller shall prepare an agreement between the parties to control the activities carried out by the Data Processor to be in accordance with the Data Processor's obligations for compliance with this Act.
The provisions in (3) may not apply to a Data Processor who is a small organization pursuant to the rules prescribed by the Committee, unless the collection, use, or disclosure of such Personal Data is likely to result in a risk to the rights and freedoms of data subjects, or the Data Processor is not a business in which the collection, use, or disclosure of the Personal Data is occasional, or is involved in the collection, use, or disclosure of the Personal Data pursuant to Section 26.
Section 41
The Data Controller and the Data Processor shall designate a data protection officer in the following circumstances:
(1) the Data Controller or the Data Processor is a public authority as prescribed and announced by the Committee;
(2) the activities of the Data Controller or the Data Processor in the collection, use, or disclosure of the Personal Data require regular monitoring of the Personal Data or the system, by reason of having a large amount of Personal Data as prescribed and announced by the Committee; or
(3) the core activity of the Data Controller or the Data Processor is the collection, use or disclosure of the Personal Data according to Section 26.
In the event that the Data Controller or the Data Processor are in the same affiliated business or are in the same group of undertakings, in order to jointly operate the business or group of undertakings as prescribed and announced by the Committee according to Section 29 paragraph two, such Data Controller or Data Processor may jointly designate a data protection officer. In this regard, each establishment of the Data Controller or the Data Processor in the same affiliated business or in the same group of undertakings must be able to easily contact the data protection officer.
The provisions in paragraph two shall apply to the Data Controller or the Data Processor who is a public authority in (1) that is large in size or has several establishments mutatis mutandis.
In the event that the Data Controller or the Data Processor in paragraph one has to designate the representative according to Section 37(5), the provisions in paragraph one shall apply to the representative mutatis mutandis.
The Data Controller and the Data Processor shall have an obligation to inform the data subject and the Office of the details of the data protection officer, including the contact address and contact channels. The data subject shall be able to contact the data protection officer with respect to the collection, use or disclosure of the Personal Data and the exercise of the rights of the data subject under this Act.
The Committee may prescribe and announce the qualifications of the data protection officer by taking into account the knowledge or expertise with respect to the Personal Data protection.
The data protection officer may be a staff member of the Data Controller or the Data Processor, or a service provider under contract with the Data Controller or the Data Processor.
Section 42
The data protection officer shall have the following duties:
(1) give advice to the Data Controller or the Data Processor, including the employees or service providers of the Data Controller or of the Data Processor, with respect to compliance with this Act;
(2) investigate the performance of the Data Controller or the Data Processor, including the employees or service providers of the Data Controller or of the Data Processor, with respect to the collection, use or disclosure of the Personal Data for compliance with this Act;
(3) coordinate and cooperate with the Office in the circumstance where there are problems with respect to the collection, use or disclosure of the Personal Data undertaken by the Data Controller or the Data Processor, including the employees or service providers of the Data Controller or of the Data Processor, with respect to compliance with this Act; and
(4) keep confidential the Personal Data known or acquired in the course of his or her performance of duties under this Act.
The Data Controller or the Data Processor shall support the data protection officer in performing the tasks by providing adequate tools or equipment, as well as facilitate the access to the Personal Data in order to perform the duties.
The Data Controller or the Data Processor shall not dismiss or terminate the data protection officer’s employment by the reason that the data protection officer performs his or her duties under this Act. In the event that there is any problem when performing the duties, the data protection officer must be able to directly report to the highest management person of the Data Controller or the Data Processor.
The data protection officer may be able to perform other duties or tasks but the Data Controller or the Data Processor must warrant to the Office that such duties or tasks are not against or contrary to the performance of the duties under this Act.