Thailand:
New Sector-specific Data Privacy Requirements For Telecom Operators In Thailand
13 October 2023
On 4 September 2023, the National Broadcasting and
Telecommunications Commission ("NBTC")
Notification regarding Measures to Protect Rights of Telecom
Service Users relating to Personal Data, Privacy Rights and
Communication Freedom in Telecom B.E. 2566 (2023) (the
"Notification") was gazetted and came
into force on the same day.
What is the Notification about?
The Notification imposes data privacy requirements on licensed
telecoms service operators in relation to their processing of
personal data of telecoms service users. Most of the requirements
under the Notification are in line with the Personal Data
Protection Act of Thailand ("PDPA") but
there are some requirements which go beyond the Thai PDPA.
How does the Notification affect telecom operators?
Telecoms operators are required to revisit certain areas of
their data privacy practice to ensure compliance with the
Notification.
The NBTC may issue an order requiring a telecoms operator to
cease and/or rectify its non-compliant activities. If the NBTC's
order is not followed, the NBTC may impose an administrative fine
of at least Baht 20,000 per day. After that, if the breach
persists, the NBTC may order the telecoms operator to suspend its
operation or revoke its telecoms licenses.
Key data privacy considerations
We have set out below five key (non-exhaustive) data privacy
requirements under the Notification.
1. Privacy policy

Details:
- Telecom operators must put in place a privacy policy which shall:
  - be written in Thai and all other languages in which the telecom operator conducts marketing activities;
  - be submitted to the NBTC for its review and endorsement within 90 days from the issuance of the sub-regulations/Notification in this respect;
  - be publicly announced, at least on the telecom operator's website, at the service points, and in the documents for subscription of services or the service agreements; and
  - contain details in respect of (i) retention period, (ii) rights of the service users, (iii) rights to lodge complaints, and (iv) the transmission of data to the NBTC as requested by it (pursuant to Clauses 11, 12, 13 and 19 of the Notification).

Our observations:
- Telecom operators need to revise their privacy policies to be in line with the new requirements.
- The privacy policy may need to be translated into other languages. Further, it needs to be submitted to the NBTC for its review and endorsement (after the Notification in this regard is issued, expected to be released in 2024).

2. Telecoms service users' rights

Details:
- Telecom operators must provide a channel to receive data subjects' requests from service users, both in writing and electronically.
- No fees can be charged for requests submitted electronically. At-cost and fair fee charging is allowed for requests to obtain verified copies of personal data.
- Telecom operators must procure a system for service users' verification and authentication.
- If any telecom operator does not take action within 15 days from the date on which the request is received, the service user may notify the NBTC to enforce the relevant rights.

Our observations:
- The data subject request form (not explicitly required under the Thai PDPA) is one of the compulsory privacy documents/forms the telecom operators must have in place.
- An administrative order may be imposed by the NBTC on a telecom operator if that telecom operator does not respond to service users' requests.

3. Retention period

Details:
- Telecom operators must retain the service users' personal data processed at least in the last 90 days at any relevant time throughout the service period.
- Such retention period does not apply in the case where there is a complaint made by service users where the personal data is needed to verify the complaint, in which case the period of retention is "to the extent necessary until the complaint review period is completed, but no longer than 2 years from the date of the complaint".
- In the case where the service is terminated, the telecom operators must retain service users' personal data for at least 90 days after termination of services.
- In the event of service termination, such retention period will not apply in case of necessity, or where the collection of outstanding service fees is required, where there is no statutory minimum retention period, in which case the telecom operators do not need to retain such personal data for more than 2 years from the termination date.

Our observations:
- The Thai PDPA is silent on the exact retention period required. The telecom operator should update its data retention policy accordingly.

4. Data breach notification

Details:
- A data breach incident which is required to be notified under the Thai PDPA must also be notified to the NBTC.
- In the case where the data breach incident is highly likely to impact the rights and freedom of the individuals, the data breach incident must be notified to the NBTC within 24 hours upon the telecoms service operator becoming aware of such breach.

Our observations:
- The notification timeframe for reporting to the NBTC for high-risk cases is shorter than the 72-hour timeframe under the Thai PDPA.
- Amendments should be made to the internal data breach incident policy and to the timeframe provided in data processing agreements.

5. Complaint lodgement to the NBTC

Details:
- The service users may lodge a complaint with the NBTC for the infringement of rights under the Thai PDPA, privacy rights, or freedom in communicating via telecommunications. A complaint may be submitted in person or online via the NBTC's service portal (https://serviceportal.nbtc.go.th/).

Our observations:
- Data subjects can lodge complaints with the NBTC in addition to their right to complain to the Thai PDPC under the Thai PDPA.
