On 10 February 2023, Thailand's Personal Data Protection Committee ("PDPC") released a practical guideline for data controllers and data processors, focusing on case studies extracted from consultation issues related to the implementation of the Personal Data Protection Act B.E. 2562 (2019). The purpose of the guideline is to demonstrate the application of the law through real-life examples and scenarios.
We provide below two examples of case studies mentioned in the guideline.
Case Study 1
Is a business operator managing condominiums on behalf of condominium juristic persons considered a data controller which is a small business that would fall under the exemption from the requirement of preparing records of processing activities ("ROPA"), pursuant to the PDPC's Notification on An Exemption from the Recording by the Data Controller which is a Small Business B.E. 2565 (2022) ("PDPC's Notification on ROPA exemption")?
PDPC responded that a condominium juristic person whose objective is to manage and maintain common property, without providing goods or services to non-owners or non-residents, would be considered a data controller which is a non-profit organisation and shall be exempted from the preparation of ROPA pursuant to PDPC's Notification on ROPA exemption.
However, the condominium management company has the operational objective of sharing profits, thus, it would not be considered a non-profit organisation. In addition, as the company processes personal data under the instructions or on behalf of the condominium juristic person who acts as a data controller, the company would be regarded as a data processor who has a duty to prepare and maintain a ROPA according to PDPC's Notification on Rules and Methods in Preparing and Maintaining Records of Personal Data Processing Activities for the Data Processor B.E. 2565 (2022).
Case Study 2
Does a bank need to obtain consent from customers who are minors if the bank wishes to introduce a new product to them for marketing purposes? Can the minors give consent alone?
PDPC issued an opinion that if personal data is used for marketing purposes and is not related or necessary for compliance with a contract, and other legal bases were not applicable, the bank should obtain consent from the minors. In addition, taking into consideration the age of minors, their maturity level and the impact of their decision, consent for marketing purposes should also be obtained from the holder of parental responsibility over the minors.