On 4 September 2023, the National Broadcasting and Telecommunications Commission ("NBTC") Notification regarding Measures to Protect Rights of Telecom Service Users relating to Personal Data, Privacy Rights and Communication Freedom in Telecom B.E. 2566 (2023) (the "Notification") was gazetted and came into force on the same day.

What is the Notification about?

The Notification imposes data privacy requirements on licensed telecoms service operators in relation to their processing of personal data of telecoms service users. Most of the requirements under the Notification are in line with the Personal Data Protection Act of Thailand ("PDPA") but there are some requirements which go beyond the Thai PDPA.

How does the Notification affect telecom operators?

Telecoms operators are required to revisit certain areas of their data privacy practice to ensure compliance with the Notification.

The NBTC may issue an order requiring telecoms operators to cease and/or rectify their non-compliant activities. If the NBTC's order is not followed, the NBTC may impose an administrative fine of at least Baht 20,000 per day. After that, if the breach persists, the NBTC may order the telecoms operator to suspend its operation or revoke its telecoms licenses.

Key data privacy considerations

We have set out below five key (non-exhaustive) data privacy requirements under the Notification.

Requirements, details and our observations

1. Privacy policy
  • Telecom operators must put in place a privacy policy which shall
    • be written in Thai and all other languages in which the telecom operator conducts marketing activities;
    • be submitted to NBTC for its review and endorsement within 90 days from the issuance of the sub-regulations/Notification in this respect;
    • be publicly announced, at least on the telecom operator's website, at the service points, and in the documents for subscription of services or the service agreements; and
    • contain details in respect of (i) retention period, (ii) rights of the service users, (iii) rights to lodge complaints, (iv) the transmission of data to the NBTC as requested by it (pursuant to Clauses 11, 12, 13 and 19 of the Notification).
  • Telecom operators need to revise their privacy policies to be in line with the new requirements.
  • The privacy policy may need to be translated to other languages. Further, it needs to be submitted to the NBTC for its review and endorsement (after the Notification in this regard is issued, expected to be released in 2024).
2. Telecoms service users' rights
  • Telecom operators must provide a channel to receive data subjects' requests from service users, both in writing and electronically.
  • No fees can be charged for the request submitted electronically. At-cost and fair fee charging is allowed for requests to obtain verified copies of personal data.
  • Telecom operators must procure a system for service users' verification and authentication.
  • If any telecom operator does not take action within 15 days from the date on which the request is received, the service user may notify the NBTC to enforce the relevant rights.
  • The data subject request form (not explicitly required under the Thai PDPA) is one of the compulsory privacy documents/forms the telecom operators must have in place.
  • An administrative order may be imposed by the NBTC on a telecom operator if it does not respond to a service user's request.
3. Retention Period
  • Telecom operators must retain the service users' personal data processed at least in the last 90 days at any relevant time throughout the service period.
  • Such retention period does not apply in the case where there is a complaint made by service users where the personal data is needed to verify the complaint, in which case the period of retention is "to the extent necessary until the complaint review period is completed, but no longer than 2 years from the date of the complaint".
  • In the case where the service is terminated, the telecom operators must retain service users' personal data for at least 90 days after termination of services.
  • In the event of service termination, such retention period will not apply in case of necessity, or where the collection of outstanding service fees is required, where there is no statutory minimum retention period, in which case the telecom operators do not need to retain such personal data for more than 2 years from the termination date.
  • The Thai PDPA is silent on the exact retention period required. The telecom operator should update its data retention policy accordingly.
4. Data breach notification
  • A data breach incident which is required to be notified under the Thai PDPA must also be notified to the NBTC.
  • In the case where the data breach incident is highly likely to impact the rights and freedom of the individuals, the data breach incident must be notified to the NBTC within 24 hours upon the telecoms service operator becoming aware of such breach.
  • The notification timeframe for reporting to the NBTC for high-risk cases is shorter than the 72-hour timeframe under the Thai PDPA.
  • Amendments should be made to the internal data breach incident policy and timeframe provided in data processing agreements.
5. Complaint lodgement to the NBTC
  • The service users may lodge a complaint with the NBTC for the infringement of rights under the Thai PDPA, privacy rights, or freedom in communicating via telecommunications. A complaint may be submitted in person or online via NBTC's service portal (https://serviceportal.nbtc.go.th/).
  • Data subjects can lodge complaints to the NBTC in addition to their right to complain to the Thai PDPC under the Thai PDPA.

