You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

September 16, 2022

Thailand Details Procedures for Personal Data Protection Complaints

Subscribe to Updates

Thailand’s Personal Data Protection Committee (PDPC) has issued a regulation establishing procedures for filing and processing data subjects’ complaints under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The Regulation Re: Complaint Filing, Rejection, Termination, Consideration, and the Period for the Consideration of the Complaint B.E. 2565 (2022) was issued in July 2022 and took effect on July 12, 2022.

The PDPA entitles data subjects to file complaints against data controllers, data processors, and employees or service providers of either whose operations fail to comply with the PDPA. This article lays out the various requirements and procedures for the filing and processing of such a complaint.

Complaint Submission

The body designated by the PDPA to be responsible for handling complaints and imposing administrative penalties is called the “Expert Committee.” Data subjects who would like to make a complaint can submit it to the Expert Committee directly at the Office of PDPC, send it to the office by post, or submit the complaint electronically.

The written or electronic complaint must use clear, plain, polite, and appropriate language, and must not give an impression of being directly or indirectly extorting or intimidating. The complaint must include at least the following information:

  • Name, address, and telephone number or email address of the complainant (or an authorized representative), together with identification card, passport, or other official identification document (plus a power of attorney if submitted by a representative);
  • Details and facts of the noncompliance with or violation of the PDPA;
  • Details of resulting damages or impact;
  • Supporting evidence (e.g., documentary evidence, physical evidence, witness statements); and
  • Action desired of the offender.

The complaint must include a statement certifying its veracity, and must be signed by the complainant or the authorized representative.

Complaint Consideration

When a complaint is submitted, the receiving official will verify that the complaint is complete and then issue a receipt to the complainant. The official will then conduct a preliminary examination of the complaint within 15 days before proposing it to the Expert Committee through the secretary-general of the PDPC for consideration. In their examination, the committee aims to determine:

  • whether the act indicated in the complaint constitutes noncompliance with or violation of the PDPA;
  • whether there are grounds for filing the complaint, and whether the complaint is substantive and reasonable;
  • whether the complaint is within the scope of the Expert Committee’s authority; and
  • whether the duties and power for considering the complaint are subject to any other law or authority.

The Expert Committee may reject a complaint—for example, if it does not relate to noncompliance with or violation of the PDPA, if it has complete information or supporting documents, if it duplicates a previously settled complaint, and so on. If the Expert Committee considers the complaint negotiable, it may ask the complainant and the offender to consider doing so.

In general, the Expert Committee will finish its consideration of the complaint within 90 days of its first meeting. With the approval of the PDPC, this period may be extended twice, for up to 60 days each time.

Outcomes

After concluding its examination, the Expert Committee will notify the complainant of the outcome as well as the relevant reasoning. If the complaint is rejected or dismissed because it falls within the authority of another law or authority, the complainant may submit the complaint to that authority, which will then deem the complaint’s date of receipt as being the date on which the Expert Committee received the complaint.

If the complaint is not negotiable, or is negotiable but the parties fail reach the settlement, the Expert Committee will consider the complaint and may impose administrative penalties on the data controller or processor in accordance with the PDPA.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

April 30, 2024
On March 25, 2024, Thailand’s Securities and Exchange Commission (SEC) published an amendment to its Notification re: Public Digital Token Offering to strengthen governance for initial coin offerings (ICOs). The amendments took effect on April 16, 2024, and reflect the SEC’s commitment to creating a safer and more transparent ICO environment, enhancing investor protection, and building confidence in ICOs as a fundraising tool. The key changes are outlined below: New Checks and Balances Requirements The new regulations require digital token issuers to implement checks and balances to protect investor rights—including an annual audit requirement and measures to prevent and manage conflicts of interest. These measures must be clearly disclosed in the ICO filing documents. In addition, certain project-related decisions must be approved by the issuer’s board of directors, which is also responsible for the accountability of such decisions. Improved Rules Concerning Voting Rights The SEC has introduced rules concerning voting rights and procedures for digital token holders, particularly for token types that previously lacked regulatory clarity. These rules specify the procedures for soliciting votes, the rationale behind vote requests, and the criteria for determining voting outcomes. The new rules, however, do not apply to real estate-backed tokens or infrastructure-backed tokens. Enhanced Advertising Regulations The SEC has revised advertising guidelines to ensure that investors receive essential information. The updated rules now require all ICO advertising to be fair and informative and to avoid misleading content. Advertisements must include appropriate risk warnings and a credible source for any claims made. The notification also stresses that it is the responsibility of digital token issuers to strictly supervise and ensure that those who create advertisements with or for an issuer comply with all relevant advertising regulations, including the following: Warning of investment risk: Advertisements must include warnings about investment risks and contact information
Read More
April 5, 2024
On March 15, 2024, Thailand’s Board of Investment (BOI) updated its investment incentives for software development and data centers by issuing a regulation replacing the previous categories of software or platforms for digital services or content (category 8.1) and data centers (category 8.2.1). The new and updated categories are detailed below. Software and Platform Development Under the new promotion policy, the BOI has made separate subcategories for “development” and “improvement” of software or platforms, each with its own set of incentives. The BOI is expected to clarify the characteristics of these two activities in a forthcoming announcement. Qualifying development activities are eligible for a corporate income tax (CIT) exemption for eight years (capped), while improvement activities are not eligible for any CIT exemption. A number of adjustments have been made to the eligibility criteria for development of software and platforms for digital services or content. These include the following: Salary expenditures for Thai information technology (IT) personnel hired temporarily after applying for investment promotion can now be included in the calculation of total salary expenditures for Thai IT personnel hired subsequent to applying for investment promotion. Previously, only salary expenditures for permanently employed personnel could be included in this figure. The minimum salary expenditures for each project remain unchanged at THB 1.5 million per year. Similarly, salary expenditures for temporary hiring of Thai IT personnel can be included in calculating the actual expenditures in the year that the project would like to benefit from the CIT exemption. Projects must commence operations within 12 months of the promotion certificate being issued. No extensions are allowed. Projects are no longer allowed to extend the machinery importation period. The other eligibility criteria for development of software and platforms for digital services or content remain unchanged. Projects in the new BOI subcategory for
Read More
April 4, 2024
On March 18, 2024, the president of the Supreme Court of Thailand announced the establishment of a specialized Technology Crime Division within the Criminal Court of Thailand. This represents a significant commitment to cybercrime within the Thai judiciary and a step forward in Thailand’s ability to investigate cybercrime. The rise in cybercrime investigations in recent years has made it increasingly difficult for Thailand’s traditional criminal courts to consider and issue enforcement orders in support of ongoing investigations in a timely manner. The new Technology Crime Division addresses this challenge. This new division has jurisdiction over cybercrime and technology-related crime, fraud or extortion using computers, and criminal offenses relating to personal data protection laws. In addition, this new division has jurisdiction over all requests from competent law enforcement officers seeking court orders under the Computer Crimes Act B.E. 2550, the Personal Data Protection Act B.E. 2562, and the Cybersecurity Act B.E. 2562. The Technology Crime Division will have trainees and judges with expertise in technology and cybercrime—not only to facilitate expert prosecution of cybercrime but also to offer critical and time-sensitive support to law enforcement investigations of alleged cybercrime. The Technology Crime Division is not yet operational. The president of the Supreme Court is expected to announce the division’s opening date in the coming months. For more details on Thailand’s measures for dealing with cybercrime, please contact Michael Ramirez at [email protected] or Piyawat Vitooraporn at [email protected].
Read More
March 29, 2024
Thailand’s Cybersecurity Regulating Committee (CRC) released a notification under the Cybersecurity Act on February 22, 2024, setting key operational obligations for critical information infrastructure (CII) organizations. The notification takes effect on June 20, 2024. CII organizations are state or private entities that carry out services related to national security, public services, banking and finance, information technology and telecommunications, transportation and logistics, energy and public utilities, or public health. CII organizations will be identified by the National Cyber Security Committee (NCSC) and notified of their status. The key obligations of CII organizations are laid out below. Reporting to the National Cyber Security Agency (NCSA) CII organizations must provide the following to the NCSA: A list of executive and operational staff, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list within 15 days following any changes. A list of internal departments or individuals who are the responsible persons, owners, and holders of the computer systems, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list at least 7 days prior to any changes (or within 15 days after the change if there is a necessary reason). Policies, Guidelines, and Procedures As specified in the National Cyber Security Committee (NCSC) guidelines, CII organizations must prepare the following internal documents by June 20, 2025: Cybersecurity practice guidelines, consisting of an inspection plan, risk assessment, and incident response plan. Cybersecurity standards framework, consisting of measures for risk identification, risk prevention, threat detection and monitoring, incident responses, and resilience and recovery. CII organizations must also prepare the following: Mechanisms, procedures, and steps for monitoring and detecting
Read More