
Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Parties operating within the telecommunications, banking and finance, insurance, securities, healthcare, consumer credit and electronic payment services sectors and government agencies are governed by specific regulations. For example, the Credit Information Business Act specifically covers the collection and processing of credit information. Similarly, pursuant to regulations issued under the Telecommunications Business Act, the use and disclosure of personal information is restricted to those purposes set out in the regulatory notification.

There are no specific regulations governing the collection, storage and processing of personal data by private sector companies operating outside the specially regulated sectors.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

No specific regulations govern the retention of personal data by private sector companies operating outside the specially regulated sectors. Some laws and regulatory notifications regarding the retention of personal data apply to parties operating within the specially regulated sectors and government agencies. For example, the Computer Crimes Act imposes requirements on ‘service providers’ (as defined therein) in relation to retaining the personal data of service users. The Telecommunications Business Act imposes similar obligations on telecommunications licensees.

Do individuals have a right to access personal information about them that is held by an organisation?

Data subjects have no specific right to access their personal data that is held by private sector companies operating outside the specially regulated sectors. Some laws and regulatory notifications set out data subjects’ rights to access and correct their personal data that is held by parties operating within the specially regulated sectors and government agencies. Examples include the Credit Information Business Act and regulations issued under the Telecommunications Business Act – each of which contains provisions for an access and correction mechanism.

Do individuals have a right to request deletion of their data?

Data subjects have no specific right to request that private sector companies operating outside the specially regulated sectors delete their personal data. Some laws and regulatory notifications could provide such a right for companies operating within the specially regulated sectors and government agencies, but this would typically be phrased as a right to request correction of the personal data. As noted above, examples include the Credit Information Business Act and regulations issued under the Telecommunications Business Act – each of which contains provisions for an access and correction mechanism.

Consent obligations
Is consent required before processing personal data?

There is no explicit requirement for private sector companies operating outside the specially regulated sectors to obtain consent before processing personal data. Some laws and regulatory notifications require parties operating within the specially regulated sectors and government agencies to obtain consent. Even when not explicitly required, it is advisable to obtain consent.

If consent is not provided, are there other circumstances in which data processing is permitted?

There are no prescribed circumstances in which private sector companies operating outside the specially regulated sectors can process personal data without consent. Some laws and regulations set out such circumstances for parties operating within the specially regulated sectors and government agencies. For example, specified processing is permitted by telecommunications licensees (under the Telecommunications Business Act) and credit bureaus (under the Credit Information Business Act).

What information must be provided to individuals when personal data is collected?

No law prescribes what information private sector companies operating outside the specially regulated sectors must provide to individuals when collecting their personal data. Some laws and regulatory notifications set out such requirements for parties operating within the specially regulated sectors and government agencies (eg, the Telecommunications Business Act).

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Some rules may govern the security of personal data held by parties operating within the telecommunications, banking and finance, insurance, securities, healthcare, consumer credit and electronic payment services sectors and government agencies. For example, the Credit Information Business Act restricts the transfer of information abroad and regulations issued under the Telecommunications Business Act specify that further regulatory notification may be issued to restrict the transfer of information abroad.

No law prohibits or restricts private sector companies operating outside the specially regulated sectors from transferring personal data to another country. In addition, there is no government authority from which approval for such transfers should be sought. 

Are there restrictions on the geographic transfer of data?

See above.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

No law sets out requirements for the transfer of personal data to a third party for processing by private sector companies operating outside the specially regulated sectors. Such requirements may exist for parties operating within the specially regulated sectors and government agencies, depending on the sector and the applicable provisions. For example, financial institutions must observe the Bank of Thailand regulations on outsourcing, which address – among other things – data protection matters.
