Data controllers subject to Thailand's Personal Data Protection Act are generally required to obtain a data subject's consent prior to personal data processing, unless one of the act's limited exemptions applies.
Research and statistics are recognized as a lawful basis for processing personal data under the PDPA. This contrasts significantly with the EU General Data Protection Regulation, under which research and statistics necessitate separate lawful bases for processing.
Data controllers in Thailand, however, must implement additional appropriate measures when relying on research or statistics as a lawful basis. In April, enforcement began of the sub-regulation regarding appropriate measures for collecting personal data for research or statistics purposes.
Key information
The sub-regulation defines research as a systematic inquiry conducted to generate new knowledge. It includes disseminating such knowledge, both at fundamental or basic levels and applied levels, as well as research and development conducted from the knowledge generated.
Statistics refer to processes related to collecting, surveying, processing, or presenting conducted for general reference — meaning the personal data is not used to make decisions or take actions affecting any individual data subject.
When relying on research and statistics as a lawful basis, data controllers must comply with specific measures outlined in the sub-regulation. For processing general personal data, data controllers are required to: implement organizational, technical and physical measures to ensure data minimization, enforce prescribed security measures, and comply with ethical standards.
In the case of sensitive personal data, the same obligations apply but may be more stringent based on a risk-based approach for high-risk personal data. In addition, the data controller must establish an ethics committee to review and approve the research prior to its commencement.
Furthermore, the sub-regulation outlines examples of recognized ethical standards, such as the Belmont Report, Good Clinical Practice, and the International Ethical Guidelines for Health-related Research Involving Humans.
It also highlights the distinction between consent as a lawful basis for processing personal data and consent for participation in research. While data controllers may rely on the lawful basis of research and statistics, they are obligated to obtain consent for research participation from data subjects unless one of the limited exemptions applies.
Moreover, in addition to information required to be included in the privacy notice, data controllers directly collecting personal data from data subjects must inform them of the research purpose, general research details and anticipated benefits, as well as risks and impacts associated with the research, unless withholding such information is permitted under the framework and conditions prescribed in relevant accepted ethical standards.
How businesses in Thailand will be affected
Previously, research and statistics were rarely relied on as a lawful basis for most businesses in Thailand. However, the sub-regulation has broadened the scope of what constitutes research, including the development of technology and innovations derived from research findings.
This expansion marks a pivotal shift in the country's regulatory landscape, as technology-related businesses now have a clearer lawful basis for developing their products, along with additional appropriate measures required for implementation.
Data controllers processing personal data associated with research and statistics should verify whether internal policies and practices align with the obligations outlined in this sub-regulation. If not, data controllers should act promptly to revise internal policies and practices.
Patcharapol Sudsakorn, CIPP/E, is a corporate lawyer at Norton Rose Fulbright (Thailand).
Sirapop Pongsupap, CIPP/E, is a senior legal innovation and platform counselor at Athentic Consulting.