THAILAND Law and Practice Contributed by: Pranat Laohapairoj, Suphakorn Chueabunchai and Pitchaya Roongroajsataporn, Chandler Mori Hamada
4.3 Employment Privacy Law Similar to other relationships, the enactment of the PDPA has significantly impacted the employ - ment relationship, particularly in terms of how employers collect, use and manage employees’ personal data. The PDPA requires employers to obtain specific consent from employees before collecting their personal data, including sensi - tive personal data, ensuring transparency from recruitment through the entire employment life cycle. The PDPA emphasises data minimisation and purpose limitation, requiring employers to col - lect only the personal data necessary for specific purposes related to employment – eg, to fulfil the employment process, provide employee benefits or manage payroll. Employers must ensure that personal data is used solely for the purposes for which it was collected and in accordance with the employees’ privacy policy. In addition, employers also have the obligations to maintain data security and comply with other provisions regarding the controllers’ obligations under the PDPA (for more details, please see 3.1 Objec- tives and Scope of Data Regulation ). As data subjects, employees are granted sev - eral rights under the PDPA, such as the right to access, correct and delete their personal data and the right to withdraw consent for data pro - cessing, among others. Employers must estab - lish procedures to facilitate these rights, allowing employees to control their personal data, there - by enhancing privacy and trust in the employer- employee relationship. 4.4 Transfer of Personal Data in Asset Deals There are no specific regulations concerning the transfer of personal data in asset deals in Thai -
to provide clear information about the purpose and function of each type of cookie, typically through a cookie, policy and cookie, banners or pop-ups that are designed to inform users and obtain their consent. The details therein shall be similar to other notifications for data processing provided to data subjects, namely the types of cookies used on the website, the personal data to be processed, the purposes of processing, the retention period, the rights of data subjects, etc. In addition, users must have the ability to manage their cookie, preferences, withdraw consent, and access or delete data collected through cookies. 4.2 Personalised Advertising and Other Online Marketing Practices Generally, online marketing may be based on legitimate interest or consent of the data sub - ject. Personalised advertising is regarded as too intrusive for data subjects, and consent under the PDPA is therefore required. In addition to the PDPA, online marketing may be classified as computer data or electronic mail under the Computer-Related Crime Act BE 2550 (2007). Where an operator sends any computer data or electronic data (such as via email, short message service (SMS) or comments) to another person in a manner that disturbs that person, such operator must give that person an easy opportunity to cancel or provide notification of their wish to deny receipt of such computer data or electronic mail (ie, an opt-out option). Oth - erwise, such operator shall be liable to a fine not exceeding THB2 million. Once any person requests cessation, the operator must stop sending such marketing messages immediately (ie, after no more than seven days).
464 CHAMBERS.COM
Powered by FlippingBook