
September 16, 2022

Thailand Details Procedures for Personal Data Protection Complaints

Thailand’s Personal Data Protection Committee (PDPC) has issued a regulation establishing procedures for filing and processing data subjects’ complaints under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The Regulation Re: Complaint Filing, Rejection, Termination, Consideration, and the Period for the Consideration of the Complaint B.E. 2565 (2022) was issued in July 2022 and took effect on July 12, 2022.

The PDPA entitles data subjects to file complaints against data controllers, data processors, and employees or service providers of either whose operations fail to comply with the PDPA. This article lays out the various requirements and procedures for the filing and processing of such a complaint.

Complaint Submission

The body designated by the PDPA to be responsible for handling complaints and imposing administrative penalties is called the “Expert Committee.” Data subjects who would like to make a complaint can submit it to the Expert Committee directly at the Office of PDPC, send it to the office by post, or submit the complaint electronically.

The written or electronic complaint must use clear, plain, polite, and appropriate language, and must not give the impression of being directly or indirectly extortionate or intimidating. The complaint must include at least the following information:

  • Name, address, and telephone number or email address of the complainant (or an authorized representative), together with identification card, passport, or other official identification document (plus a power of attorney if submitted by a representative);
  • Details and facts of the noncompliance with or violation of the PDPA;
  • Details of resulting damages or impact;
  • Supporting evidence (e.g., documentary evidence, physical evidence, witness statements); and
  • Action desired of the offender.

The complaint must include a statement certifying its veracity, and must be signed by the complainant or the authorized representative.

Complaint Consideration

When a complaint is submitted, the receiving official will verify that the complaint is complete and then issue a receipt to the complainant. The official will then conduct a preliminary examination of the complaint within 15 days before proposing it to the Expert Committee through the secretary-general of the PDPC for consideration. In their examination, the committee aims to determine:

  • whether the act indicated in the complaint constitutes noncompliance with or violation of the PDPA;
  • whether there are grounds for filing the complaint, and whether the complaint is substantive and reasonable;
  • whether the complaint is within the scope of the Expert Committee’s authority; and
  • whether the duties and power for considering the complaint are subject to any other law or authority.

The Expert Committee may reject a complaint, for example if it does not relate to noncompliance with or violation of the PDPA, if it has incomplete information or supporting documents, or if it duplicates a previously settled complaint. If the Expert Committee considers the complaint negotiable, it may ask the complainant and the offender to consider negotiating a settlement.

In general, the Expert Committee will finish its consideration of the complaint within 90 days of its first meeting. With the approval of the PDPC, this period may be extended twice, for up to 60 days each time.

Outcomes

After concluding its examination, the Expert Committee will notify the complainant of the outcome as well as the relevant reasoning. If the complaint is rejected or dismissed because it falls within the authority of another law or authority, the complainant may submit the complaint to that authority, which will then deem the complaint’s date of receipt as being the date on which the Expert Committee received the complaint.

If the complaint is not negotiable, or is negotiable but the parties fail to reach a settlement, the Expert Committee will consider the complaint and may impose administrative penalties on the data controller or processor in accordance with the PDPA.
