Thai government announced a royal decree provides certain exemptions to data controllers’ obligations under Thai Personal Data Protection Act B.E. 2562 (PDPA) on 17 August 2023. The royal decree will be effective after 150 days from its publication in the Government Gazette, which reflects the government’s effort to make a balance between privacy, state interests, and the data protection regulatory burden on organizations.
泰國政府在2023 年8 月17 日宣布一項皇家法令,在對資料控制者根據佛曆2562年《泰國個人資料保護法》(PDPA)承擔的義務提供特定豁免。該皇家法令將於在政府公報發布後150 天後生效,這反映政府在隱私、國家利益和組織的資料保護監管負擔之間取得平衡的努力。
The royal decree indicates that data controllers, including business operators and state agencies, are exempt from certain PDPA requirements on the collection, use, and disclosure of personal data and data subject rights. The conditions for considering exemptions are:
皇家法令指出,資料控制者,包括企業經營者和國家機構,可豁免遵守 PDPA 關於收集、使用和披露個人資料和資料主體權利的某些要求。考慮豁免的條件是:
Ø Collection or requests for personal data are to be for the public interest pursuant to the purpose and scope prescribed by any law authorizing a state agency to carry out a certain action, without imposing an undue burden on the data controller responsible for disclosing the personal information;
收集或請求個人資料應符合授權國家機構採取某種行動的任何法律規定的目的和範圍,以符合公共利益,而不會對負責披露個人資訊的資料控制者造成不當負擔;
Ø Data controllers can share personal data without the data subject’s consent if legally authorized state agencies request it and specify the statutory provisions granting authority to request the data;
如果合法授權的國家機構提出請求,並指定授予請求數據資料權限的法律規定,資料控制者可以在未經資料主體同意的情況下共享個人資料;
Ø Data subjects and data controllers of requested personal data must have the right to submit complaints to the PDPA’s Expert Committee or seek its expertise for clarification or determination;
請求個人資料的資料主體和資料控制者必須有權向 PDPA 專家委員會提出投訴或尋求其專業知識以進行澄清或確定;
Ø Exemption from offenses and criminal penalties according to this royal decree, wrongful operations are not protected by this royal decree.
根據皇家法令免除犯罪和刑事處罰,不當操作不受皇家法令的保護。
With the above conditions, data controllers will be partially exempted from certain requirements under the PDPA when the following state agencies request personal data:
滿足上述條件,當以下國家機構請求個人資料時,資料控制者將部分豁免遵守 PDPA 的某些要求:
Ø The National Anti-Corruption Commission or other government entities with mandates aligned with anticorruption laws according to Section 6 of this royal decree;
依據皇家法令第6條,國家反貪腐委員會或具有與反腐敗法一致的職權的其他政府實體;
Ø The Revenue Department, Customs Department, Excise Department, or other governmental units operating under taxation laws according to section 7 of this royal decree;
依據皇家法令第7條,稅務局、海關局、消費稅局或其他根據稅法運作的政府單位;
Ø Local governmental bodies recognized by the Personal Data Protection Committee (PDPC), or any government unit with mandates as per the laws related to land and building taxation according to section 8 of this royal decree;
依據皇家法令第8條,個人資料保護委員會 (PDPC) 認可的地方政府機構,或根據土地和建築稅相關法律具有授權的任何政府單位;
Ø The Secretariat of the Cabinet, executing responsibilities as defined by the laws concerning the royal prerogatives of the monarch according to section 9 of this royal decree;
依據皇家法令第9條,內閣秘書處,履行有關君主皇家特權的法律規定的職責;
Ø State agencies acting in line with laws concerning significant public interests according to section 10 of this royal decree.
依據皇家法令第10條,國家機關依照涉及重大公共利益的法律行事。
The exemption also apply to the collection, use, and disclosure of personal data by data controllers for international legal matters, covering deportation, extradition, and combating transnational organized crime.
該豁免還適用於資料控制者為國際法律事務收集、使用和披露個人資料,包括驅逐出境、引渡和打擊跨國有組織犯罪。