Collecting user data to improve customer experience? Make sure you comply with the PDPA

In 2019, Thailand enacted the Personal Data Protection Act (PDPA), which obliges data controllers and data processors to collect, use and disclose personal data only on a lawful basis and to obtain explicit consent before processing sensitive personal data. Because of COVID-19, full enforcement was postponed twice, and the Act only took full effect on 1 June 2022. Shortly after it took effect, the government announced that SMEs would be exempt from some of the Act’s provisions, following concerns raised by small and medium-sized businesses about their ability to comply.

While data privacy protections are now enshrined in law, many users say they are willing to hand over personal data in exchange for better services, particularly in finance and fintech. According to a report published by technology consultancy Capco, around 70% of Thais are willing to share their personal data to improve their digital services experience. For financial and fintech businesses, meeting that expectation usually means collecting more user data in order to tailor their services.

How can companies leverage consumer data while complying with the PDPA?

Personalization and customer-centric design are key to understanding what customers want from a digital service, and the data and analytics behind them help businesses identify opportunities to serve their clients better.

However, in light of the PDPA and users’ growing awareness of their rights over their personal data, businesses in the fintech, technology and financial space must know which types of data they may collect, and how they may collect them, within the legal and ethical bounds of Thailand’s data privacy regulations. This matters because the data a company wants is not always data its customers are comfortable sharing.

While many users in Thailand have expressed a willingness to give up personal data for better services, this should not be read as a blank check for digital service providers to collect user data without consent. Digital users around the world take real precautions before handing over personal information and place great importance on data privacy and protection.

Under the PDPA, the legal bases on which personal data may be collected include:

  • Archiving of documents of historical significance or in the public interest, and research or statistics;
  • Preventing or suppressing a danger to a person’s life, body or health;
  • Performing a contract with the data subject, or taking steps at the data subject’s request before entering into one;
  • The legitimate interests of the data controller or a third party, except where those interests are overridden by the fundamental rights of the data subject;
  • Compliance with a legal obligation; and
  • The consent of the data subject.

In practice, unless one of the other bases above applies, fintech and technology firms may only collect user data with the user’s prior consent. Where sensitive personal data is involved, explicit consent is required except in the narrow cases the Act sets out.

How can companies get legal consent from users?

According to guidelines issued by the Personal Data Protection Committee (PDPC) on 7 September 2022, consent must be given in writing or by electronic means, and users have the right to withdraw that consent at any time.

Moreover, consent must be freely given and informed, which means a platform must clearly provide the following information when requesting it:

  • The type of personal data that will be collected and how;
  • The reasons for doing so;
  • The users’ rights and obligations;
  • How long the personal data will be held for; and
  • Whether the personal data given by users will be sent to third parties, and if so, whom.

It should also be noted that a platform cannot collect personal data from sources other than the user unless it informs the user directly and obtains consent, subject to the exemptions the Act provides.

What should companies do if they wish to collect user data?

Companies and platforms that wish to collect user data to improve their services must obtain consent from their users. In practice this means drafting a consent request that is kept separate from other terms and is easy for users to find, such as a pop-up or notification, written in clear and unambiguous language, and setting a data retention policy for each type of data to be collected. Platforms should also consider how they will collect consent from users with disabilities.

If consent policies already exist within a platform’s operations, service providers should review them to ensure they comply with the PDPA and its supporting regulations. We also recommend that service providers prepare a continuity plan for when users withdraw consent, and a process for deleting personal data when users ask for it to be erased.

As always, regardless of whether you are an established service provider or are looking to set up a technology or fintech company in Thailand, you should seek legal advice if in doubt to avoid severe consequences for non-compliance. We are an experienced law firm that has been advising clients on PDPA compliance, and we are ready to help you meet your business goals. To consult on PDPA-related issues, contact us at [email protected].