Under the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) notice and consent are two separate but related matters required for any collection, use or disclosure of personal data.

Notice Requirement

The PDPA requires the Controller to notify each data subject of the purpose of any collection, use or disclosure of personal data prior to or at the time of data collection so that the data subject is made aware of how his/her personal data will be used and the purpose it will serve.  The notice must contain at least the intended purpose of data collection, the retention periods, the consequences of not providing data, the types of data to be collected, the rights of data subjects, and information about the Controller.

The notice is strictly required, except for: (1) in a situation where it can be proven that a notice would defeat the purpose of collection, use or disclosure and (2) in an urgent situation where collection, use or disclosure of personal data is vitally important and required by law to protect the legitimate interests of employer.

Consent Requirement

Personal data is owned by the data subject. Any collection, use and disclosure of personal data cannot be made without express consent of the data subject.  Consent for its collection and use may be at any time revoked.  Consent may be given either in writing or by electronic means. A consent request must: (1) contain the purpose of the collection, use or disclosure; (2) be clearly distinguishable from other matters; and (3) be made in clear and plain language that is easy to understand and is not misleading to the data subject.

The PDPA provides exceptions of consent for collection of personal data for the following purposes:

(1)   preventing harm to life or the health of an individual
(2)   lawful activities of non-profit organizations
(3)   preparing historical or statistical documents for the public benefit
(4)   carrying out duties to benefit of the public or to perform functions as allocated by the State
(5)   complying with contractual obligations
(6)   complying with the PDPA, other laws and public policy objectives (health and research)
(7)   establishing and enforcing and upholding legal claims
(8)   protecting the legitimate interests of the employer.

Offences and Penalties

A failure to give a required notice and obtain consent for collecting personal data can impose fines of up to THB1,000,000 on offenders (Section 82 of the PDPA).

Mitigation of Risks

In relation to notice and consent, each business should:

(1)   Compile information on how it collects, uses and discloses personal data, which requires notice to data subjects.
(2)   Determine potential impacts on the business if consent is withdrawn.
(3)   Create a data retention policy for various types of personal data collected by it.
(4)   Create a data privacy policy in line with the notice and consent requirements.
(5)   Identify situations where consent is required and where exemptions may apply.
(6)   Prepare and review its online and offline consent request to make it comply with the PDPA.

LawPlus Ltd.
Revised: January 2020