
Personal Data Protection Act

The Thailand Personal Data Protection Act was finally approved and endorsed by the National Legislative Assembly on 28 February 2019 (“PDPA”). The PDPA will be submitted for royal endorsement and subsequent publication in the Government Gazette.

01
The key definitions under the PDPA are as follows:

· “Personal Data” means any data pertaining to a natural person which enables the identification of that person, whether directly or indirectly.

· “Data Controller” means any person or entity which has the power to make decisions regarding the collection, use and disclosure of Personal Data.

· “Data Processor” means a person or entity that collects, uses or discloses Personal Data on behalf of, or under the instruction of, the Data Controller.

· “Person” means a natural person. Note that this means juristic entities are not subject to the protection of the PDPA.

02
The Proposed Personal Data Protection Act

· Unless permitted by law, the collection, usage or disclosure of personal data without the consent from the data subject is prohibited;

· A data controller must inform the data subject of the purpose for which the respective personal data is collected and obtain the data subject’s consent. Collected personal data can be used or disclosed for the approved purposes only;

· If a data controller intends to use or disclose personal data beyond the purpose for which consent has been obtained, it will need to inform the data subject and obtain additional consent;

· The collection of sensitive data (e.g. data related to sexual conduct, criminal history, health, national origin, race, political opinions or religious beliefs) is only permitted within the strict limitations of the law;

· Except where the data subject expressly consented otherwise, any processing of personal data for marketing purposes is not permitted;

· Measures must be implemented to ensure that collected personal data is protected against loss, alteration and modification;

· A Personal Data Protection Committee would be established to hear any claim lodged by a data subject concerning the abuse of personal data; and

· Violations would be punishable under criminal law and permit the data subject to claim for damages.

03
Scope of Applicability

The PDPA shall not apply to personal or household activities. In terms of territory, the PDPA will apply to:

· Any Data Controller or Data Processor residing in Thailand, regardless of whether or not the acquisition, usage or disclosure of the data is carried out in Thailand;

· In the case that the Data Controller or the Data Processor resides outside Thailand, if the aforesaid activities concern data belonging to a person residing in Thailand, the PDPA shall apply only when:

o goods or services are being offered to such persons, regardless of whether any payment is involved; and

o behavior surveillance activities of such persons take place within Thailand.

If there is a sector-specific law for an organization: according to Section 3 of the PDPA, where a sector-specific law on Personal Data protection exists for an activity or an organization, that sector-specific law shall prevail; however:

· The provisions in the PDPA regarding the collection, use or disclosure of Personal Data, including the liabilities thereof, shall apply alongside and in addition to such sector-specific law, whether or not the two overlap.

· The provisions in the PDPA regarding the filing of claims and the vesting of rights in officials, including the relevant liabilities thereof, shall apply insofar as:

o The sector-specific law lacks provisions regarding filing claims; or

o The sector-specific law contains provisions that vest in the relevant authority the right to issue orders that protect the rights of the data owner, but those rights are not as extensive as the rights of the official under the PDPA.

04
The key requirements are that data must be:

· Processed lawfully, fairly and transparently, on the basis of the legal grounds set out in the GDPR;

· Collected for limited purposes and not further processed beyond those purposes;

· Limited to what is necessary for the processing purposes;

· Accurate and kept up-to-date;

· Kept in a form that permits identification of data subjects for no longer than necessary; and

· Processed in a manner that ensures appropriate security of the personal data.

05
Data can only be processed on the following grounds:

· Consent: clear consent by the individual to process personal data for a defined purpose;

· Contract: processing is necessary to give effect to a contract with an individual;

· Legal obligation: processing is required to comply with the law;

· Vital interests: processing is required to save the life of an individual;

· Public task: processing is required to carry out a public or official duty and this is clearly set out in law; and

· Legitimate interests: processing is required for the legitimate interests of the data controller or of a third party.

06
Several other key elements of the Act

1) Rights of data owners:

The Act states that data owners bear the right to request access to personal data pertaining to them except in cases where, among others, the request is incongruent with provisions of other applicable laws or court orders. Data owners are likewise entitled to request that their personal data be destroyed, temporarily suspended, or anonymized.

2) Responsibilities of data administrators:

The draft Act highlights several obligations of data administrators, including the collection of data within lawful means or purposes. Administrators are required to inform data owners of the details regarding the collection of their personal data and obtain their consent to do so. Moreover, the Act specifies that administrators must implement appropriate security measures to prevent loss or unauthorized alterations to the data and give data owners access to their information upon request.

3) Extraterritorial reach:

Personal data administrators based overseas may be subject to the Data Protection Act if goods and services are offered to data owners residing in Thailand. These administrators will also be required to assign a local representative in the Kingdom and must comply with the conditions set forth in the Act.

4) Consent:

The draft states that requests for consent must be clear and conducted in a way that does not mislead data owners. It adds that requests must be made in writing or via digital means, outlining the purpose of the collection, what data is to be collected, and to whom the data will be disclosed. However, exemptions can be made under certain circumstances, notably for vital interests or if parties are bound by contractual obligations. The draft also stipulates that parental consent is required to collect data from minors below 10 years of age, and under certain circumstances, even those beyond that age.

5) Transfer of data to third countries:

The draft Act specifies that the transfer of personal data to third countries where data protection regulations are substantially deficient is not permitted except in the following scenarios:

· Where consent from the data owner, who has been made aware of the third country’s insufficient data protection laws, has been obtained;

· Where obligations to a contract to which the data owner is a party must be performed;

· Where the transfer of data to a third country is conducted for the benefit of a data owner who lacks the capacity to give consent;

· Where data is transferred to individuals or entities that are certified by the official mark of the committee declaring fully compliant personal data protection practices, and/or in transactions that fall under legal frameworks established by international agreements; and

· Where otherwise required by another law.

6) Data Protection:


Data administrators are required to implement procedures to keep personal data secure. According to the draft Act, the committee may produce and circulate guidelines data administrators can use as a basis for their data protection practices. The Committee may also grant data administrators the right to display an official mark indicating that the data administrator’s data protection practices have been certified as fully compliant by the Committee.

07
Fines and penalties

Both civil and criminal penalties can be imposed on the data controller for violation of the provisions of the Draft Act.

Please find attached the draft of the Personal Data Protection Act for further information:

https://thainetizen.org/wp-content/uploads/2015/01/personal-data-protection-bill-20150106-en.pdf