Thailand is updating its data protection laws and adopting an approach similar to data protection reforms in other countries. The Personal Data Protection Act (PDPA) (B.E. 2562 (2019)) enters into force on May 27, 2020. Employers will need to comply with several conditions set out in the PDPA in order to lawfully process their employees’ personal data. There is no blanket exemption for the employment relationship and employers are required to meet all requirements imposed on personal data controllers under the PDPA. These conditions include:
- Consent must be obtained from employees prior to or at the time of collection of a person’s data.
- The request for consent must be presented in easily accessible easy-to-read written printed or electronic format.
- The request must be presented in clear and plain language, and not use language that is deceptive or misleading regarding the data the individual would be giving consent to.
Employers may want to supply a notice setting out the specific purposes for which the information is being collected and the type of processing when they give the employee the consent form.
There are some exceptions to the need for consent listed under the PDPA. Pursuant to Section 26(3) of the PDPA, an employer may collect the employees’ personal data without their consent provided that such data is collected for the purpose of compliance with applicable laws and regulations (e.g., labour protection, social security registration, or tax return). Under PDPA Section 26(3), an employer also may collect employees’ data without consent if this is necessary for the performance of a contract to which the employee is a party, provided that the use of such data is only for the purpose of performing obligations under the contract.
In the event that employees’ personal information is transferred to the employer’s affiliate entity overseas, the employer must (i) ensure that the recipient country has an adequate level of data protection; and (ii) comply with the requirements to be further prescribed by the Personal Data Protection Committee (PDPC). These requirements do not apply in some cases listed under the PDPA, which include instances where transfer is made for the purpose of complying with legal obligations; is based on the employee’s consent (provided that such employee has been notified of the foreign country’s (potential) inadequate personal data protection standards); or is necessary for the performance of a contract to which the employee is a party.
Further clarification from the PDPC is awaited as to the extent of the above exemptions to obtain an individual’s consent and the requirements for overseas transfers. For the sake of prudence, it seems preferable as of now to request consent to transfer information to another country from employees prior to the collection and processing of their personal data as well as in any instance where personal information shall be transferred to a foreign country.
Written by Kraisorn Rueangkul and Marion Lagrange of DFDL and Roger James of Ogletree Deakins
© 2020 DFDL and Ogletree, Deakins, Nash, Smoak & Stewart, P.C.