Thailand’s PDPA (Personal Data Protection Act) laws offer data protection regulations against the misuse of personal information belonging to business customers in Thailand. One of the key principles in these laws have to do with the data owner’s consent – which is among the main legal bases for general and sensitive data found under Part 2 of the PDPA.

Acquiring Consent from the Data Owner

As far as consent is concerned under Thailand’s new PDPA laws, data controllers and processors must seek the data owners’ consent in good faith and in an honest manner. Under the same laws, data subjects can revoke consent at any time, applicable to current Thailand laws and other agreements, of course – however, this revocation has no bearing on any data collection, usage or disclosure which the data owner previously legally consented to.

Data controllers are also obliged to ensuring that the appropriate security measures are put in place in order to guard against any data loss or modification. In addition, they must ensure that the data used or disclosed (with consent) is completely accurate, complete and up to date.

In situations where a data controller must process or disclose a data owner’s personal information, they must seek their consent in writing.

With certain exceptions, consent in writing must also be sought when transferring personal data overseas. As such, a formal process must be adhered to in order to determine whether the recipient’s country has the appropriate personal data protection laws in place to ensure reasonable protection against any misuse of the personal data being transferred.

Deemed consent or implied consent is also applicable under PDPA laws. For instance, in situations where data owners have willingly provided personal information to the data controller – such as subscribing to newsletters or email updates, where the data owner may opt-in or out by providing his/her email address to the data controller. Should the data owner no longer wish to receive those updates, they may opt-out, in which case, the data controller must provide an opt-out measure to the former.

Formalities involved in obtaining consent for personal data processing

Furthermore, there are specific formalities data controllers must observe in order to obtain consent for the purpose of processing personal data. Therefore, when seeking consent either electronically or in writing, the controller must adhere to the following:

• Clearly mention the purpose as to why the personal data will be processed
• Present the consent request in a way that is distinct from other requests, using clear, plain and simple language that’s available in an easily accessible and intelligible form
• Not be misleading, ambiguous or deceptive in respect of the above

Consent cannot be used as a condition for enforcing a contract or provision of any related service if the required processing does not serve any purpose whatsoever in fulfilling that contract or provision.

Data owners have the right to withdraw their consent at any time. This withdrawal request should be as simple and straightforward as it is to provide consent.

Rules to follow when processing personal data of children

For all individuals aged between 10 and 20 where their personal data is required, consent should be obtained from the individual and his/her legal guardian. The only exception here is if the consent is related to any act that minors are allowed to commit under the Civil and Commercial Code of Thailand. However, if the individual is 10 or under the age of 10, consent must be obtained from his/her legal guardian in any case.

Additional rules for obtaining consent for sensitive personal data processing

All sensitive personal data can only be processed based on the following:

• Consent of the individual
• Protect the vital interest of that individual
• Sensitive personal data made available publicly only after the individual’s express consent

Consent regarding data owners’ rights

A data owner may ask the data controller to delete, destroy or anonymize his/her personal data when:

• It is no longer required for the underlying purpose of collection, use or disclosure
• When the data owner withdraws consent for the same
• When the data controller no longer has the authority to do the same
• When the data owner objects to the collection, use or disclosure of personal data and the data controller does not have any legal grounds to turn down such a request
• When the data owner’s personal information has been collected, used or disclosed illegally and in non-compliance with Thai PDPA laws.

Closing thoughts

In conclusion, Thailand’s PDPA laws offer adequate protection to keep individuals’ personal data from being misused, processed or disclosed unlawfully. Companies can safeguard this data and stay well within the compliance boundaries by ensuring that their respective data controllers and data processors are aware of all the laws around consent – where they obtain the required consent from data owners in order to use their personal data as and when required.

With that said, there are exceptions around certain data processor and data controller operations which do not require consent for collecting and processing personal data, some of which were highlighted at the beginning of the article.

VinarcoPDPA’s data privacy experts are always on hand to answer any questions you may have around consent with regard to the new PDPA laws in Thailand, keeping you compliant and free from any legal woes. contact us via   email    or call on  +66 (0) 2 649 2670