The Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) requires the Controller to comply with the three limitations on collecting, using and disclosing personal data, which are (1) the purpose limitation under Section 21 of the PDPA; (2) the source limitation under Section 25 PDPA; and (3) the proportionality limitation under Section 22 of the PDPA.

Purpose Limitation
The purpose limitation is closely linked to the notice and consent requirements.  The Controller must notify the data subject of the purpose of data collection prior to or at the time of data collection.  Any use of the collected personal data outside the notified purpose is prohibited. 

The purpose limitation does not apply to a new purpose if the data subject has been informed of the new purpose and his/her consent for the new purpose has been given prior to or at the time of the data collection, or if the new purpose is required by the PDPA or other laws.

Source Limitation
The Controller cannot collect personal data from any source other than from the data subject, except in certain situations, such as:

(1)   The Controller has notified the data subject of the collection of his/her personal data from the other source within 30 days of the date of such collection.

(2)   Use or disclosure of personal data is made for an urgent and lawful basis and suitable safeguards have been implemented to protect the data subject’s rights.

(3)   Collection of personal data for:

• preventing harm to life;
• necessary performance of a contract to which the data subject is a party;
• legitimate interests of the Controller;
• complying with the law or establishing legal claims; or
• complying with important public policies.

Proportionality Limitation
The Controller is permitted to collect the personal data only to the extent that it is necessary to accomplish the intended and lawful purpose as already notified to the data subject.  The Controller cannot abuse its better bargaining power to force a data subject to give more information than is necessary for the provision of its services.  A reliable test of proportionality would be to consider whether or not the personal data collected from the data subject exceeds what is necessary for the Controller to achieve the intended purpose.  This can be illustrated in the following flow chart:

Risks of Breaching Limitations
Collecting and keeping personal data more than necessary beyond the notified and intended purpose could result in legal liabilities and reputation risks.  While personal data can provide great insights into the markets and consumers, the collection and retention of data more than necessary can expose the Controller to fines up to THB3,000,000 under Section 83 of the PDPA. The data subject harmed by a breach of the limitations by the Controller can file a civil lawsuit against the Controller for actual damages plus punitive damages up to two times of the actual damages.  If a director, manager or officer of the Controller is in charge of, or actively involved with, the breach of the limitations by the Controller, they can also be liable jointly with for the Controller.

Mitigation of Risks
To mitigate the risks mentioned above, each business may do some or all of the followings:

• Review/create an internal personal data management policy and system to ensure that all personal data is used only for lawful and intended purposes as notified to data subjects.
• Review the proportionality of data collection practices using the two-step test shown above.
• Review the sources from which the business collects personal data.

LawPlus Ltd.
Revised: January 2020