Up Again Thailand: Privacy and Data

Intellectual Property and Technology

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

As of the date of publication, the implementation of the Personal Data Protection Act B.E. 2562 (PDPA) has been postponed until 31 May 2021 (grace period).

Therefore, there are no legal obligations to obtain prior consent to collect personal data under the PDPA during the grace period, and even after the grace period if the purpose of collection remains the same.

However, obtaining consent is still highly recommended to avoid tortious claims under the Civil and Commercial Code (CCC) in cases where personal data collection causes damage to the data subject.

Personal data in the context of COVID-19 is likely to be sensitive personal data, which includes genetic data and health data. This is not a legislative term under the PDPA, but we have defined it for ease of reference.

Once the grace period ends, the collection of sensitive personal data in the context of COVID-19 will require explicit consent, which is exempted in certain circumstances, including where the purpose is:

  • to prevent bodily harm or danger to life and the data subject is unable to provide consent for whatever reason; or
  • to comply with the law to achieve the purpose of:
    • preventative medicine;
    • public health, in particular, in the context of epidemic prevention;
    • employment protection and national health security; and
    • the public interest.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

Yes. There is no law prohibiting temperature monitoring and other health checks on employees and visitors. As part of the partial lockdown relaxation, Thai authorities have required business operators to conduct temperature screening on participants of their business places/premises to comply with disease control prevention measures. Further, an employer is obliged to monitor its workplace for any signs of notifiable diseases according to the Communicable Disease Act B.E. 2558 (2015) (CDA).

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

Yes. There is no law prohibiting an employer mandating that employees and visitors fill out questionnaires. As above, questionnaires could be considered a key part of disease control prevention measures that employees may be obliged to comply with in addition to those required under the CDA.

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

Yes. On 26 February 2020, COVID-19 was listed as a dangerous communicable disease under the CDA. This means that an owner or a person controlling a workplace or any other place is required to notify a communicable disease control officer if there is a person who is infected or is reasonably suspected of being infected with a dangerous communicable disease on the premises. Failing to notify could result in a fine of up to THB20,000 (USD600) under the CDA.

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

Health-related information is protected by the National Health Act B.E. 2550 (2007) (NHA) and the PDPA. The general rule is that health-related information must be kept confidential and its collection, use or disclosure must be consented to by the relevant data subjects unless it falls under the exemptions under the PDPA or NHA.

In the case of COVID-19, the confidentiality and consent requirements under the NHA and the PDPA could be exempted, by claiming that the collection and processing of an employee’s health data is required to comply with laws for the purpose of maintaining public health (e.g. protection against cross-border transmissions of dangerous contagious diseases or epidemics).

In all cases, to apply such an exemption, employers are required to apply additional protective measures to their data storage facilities under the PDPA to ensure the security of such data.

Tort law may also become relevant if the disclosure of personal information results in any harm (reputational or otherwise) to the employee. In such circumstances, the exemptions under the PDPA and NHA will not be applicable.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

Yes. As mentioned above, an employer is obliged to notify a communicable disease control officer if an employer discovers a person infected or who is reasonably suspected of being infected with a dangerous communicable disease in their workplace. Failing to notify could result in a fine of up to THB20,000 (USD600) under the CDA.

7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

Yes. This is currently possible. However, when the PDPA’s grace period expires and the act becomes fully enforceable, the transfer of personal data under the PDPA is subject to certain minimum levels of data protection as prescribed by Thai authorities (i.e. a destination country receiving the transferred personal data must have an adequate level of personal data protection).

After the PDPA is fully enforceable, if the purpose of such a transfer does not fall under any exemption under the PDPA (e.g. public health and scientific research), the transfer can be made only if the employee consents.

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

Yes. An employer can set out rules, policies and/or orders on social distancing measures if it is for communicable disease control.

9. What are the risks if I am in breach of the GDPR or local privacy laws?

When the PDPA is fully implemented, persons/entities violating it could be subject to civil damages, criminal penalties and/or administrative liabilities. In addition, if a breach causes any damage to an employee, the employee could claim for damages from the employer under the CCC if they are able to prove such damage in the Thai courts.