THAILAND Law and Practice Contributed by: Pranat Laohapairoj, Suphakorn Chueabunchai and Pitchaya Roongroajsataporn, Chandler Mori Hamada
Controllers
Controllers must:
• provide appropriate security measures for preventing the unauthorised or unlawful loss, access to, use, alteration, correction or disclosure of personal data;
• in a circumstance where personal data is disclosed to other persons, take action to prevent such person from using or disclosing such personal data unlawfully or without authorisation;
• establish a system to erase or destroy personal data when the retention period ends, the data becomes irrelevant or is beyond the purpose for which it has been collected or the data subject puts in a request or withdraws consent, except when the data is needed in relation to freedom of expression, legal claims or compliance with the law; and
• notify the Office of the PDPC of any personal data breach.

Processors
Processors must:
• carry out the processing of personal data only pursuant to the instruction given by the controllers, except where such instruction violates any laws or any provisions in the PDPA;
• provide appropriate security measures for preventing unauthorised or unlawful loss, access to, use, alteration, correction or disclosure of personal data; and
• notify the controller of personal data breaches.

3.2 Interaction of Data Regulation and Data Protection
As mentioned in 3.1 Objectives and Scope of Data Regulation, there are no specific regulations concerning the use of IoT services or data processing services in Thailand; only general PDPA provisions shall be applied.

3.3 Rights and Obligations Under Applicable Data Regulation
Concerning rights and obligations under applicable data regulation, please see 3.1 Objectives and Scope of Data Regulation.

3.4 Regulators and Enforcement
Concerning regulators and enforcement, please see 1.2 Regulators and 1.3 Enforcement Proceedings and Fines.

4. Sectoral Issues
4.1 Use of Cookies
Currently, there is no specific legislation in Thailand that regulates the use of cookies, but as the use of cookies is considered to fall under the processing of personal data, it shall also fall under the principles of the PDPA as follows:
• strictly necessary cookies or essential cookies are required for the basic functioning of a website, and explicit consent is not required as they can be used on a contractual basis;
• performance and functional cookies are used to enhance user experience and improve website performance, and explicit consent from users is required prior to the use of such cookies; and
• targeting and advertising cookies track user behaviour for personalised advertising and are not necessary for any functions on the website, so explicit consent for their use is required.

Concerning the general requirements for using any type of cookie, the PDPA requires controllers
CHAMBERS.COM