PDPA Privacy Notice

According to the Personal Data Protection Act (“PDPA”), the Data Controller is a person or juristic person who makes decision to collect, use and disclose individual Personal Data.

1. the purpose of collection for use or disclosure of the Personal Data, including the purpose of collection of the Personal Data without having to obtain the Data Subject's consent under the PDPA, if any; 
2. notification of the case where the Data Subject must provide his or her Personal Data for complying with a law or contract, or for making a contract, including potential impact where the Personal Data is not provided; 
3. the Personal Data to be collected and the period for which the Personal Data will be kept; 
4. the persons or entities to whom the collected Personal Data may be disclosed; 
5. information and contact details of the Data Controller; and
6. the Data Subject’s rights under the PDPA.

Legally, the Privacy Notice is not required if the Data Subject already knows the details therein (“Exception”). But, in practice, it could be difficult to prove whether the Data Subject already knows all the six details of the Privacy Notice as stated above. 

In addition, the Data Controller who fails to issue the Privacy Notice may be liable to a fine not exceeding Baht one million. 

Therefore, in practice, many Data Controllers normally prefer to issue the Privacy Notices rather than trying to apply the Exception by proving that the Data Subject already knows all the Privacy Notice details. 

Besides, without the aforesaid Privacy Notice Exception, the Data Controller still has a duty to issue the Privacy Notice regardless of whether the Data Subject’s consent for collection, use or disclosure of the Personal Data is required by the PDPA, or not. 

Our team at KPMG Law can assist you in preparing the legally required Privacy Notice and giving practical advice on Privacy Notice issuance methods and other recommendations related to the Privacy Notice upon request.