Privacy Policy

Electronic Transactions Development Agency (ETDA) (“Agency”) places great importance on the protection of personal data and compliance with the Personal Data Protection Act B.E. 2562 (2019). Since the Agency’s operations require the collection and processing of personal data, the Agency is the data controller under the Personal Data Protection Act B.E. 2562, with duties and responsibilities to protect personal data in accordance with the law.

The Agency has therefore prepared this Privacy Policy (“Policy”) to establish guidelines and practices for the Agency’s personal data protection operations.

1. Scope

This Policy applies to all individuals involved in the management of personal data throughout its lifecycle within the Agency, such as directors, committees, subcommittees, employees, contractors, task forces, interns, counterparties, external agencies or individuals working on behalf of or in collaboration with the Agency, as well as those in the data governance structure and those directly responsible for supporting the implementation and compliance with this Policy.

The Agency expects all persons subject to this Policy to understand and strictly adhere to the principles and guidelines stated herein. If any person violates this Policy or any practices under this Policy, the Agency will consider taking necessary measures to impose penalties on such violators.

2. Objectives

  • To ensure the Agency’s personal data protection operations comply with legal requirements.

  • To provide guidance for Agency personnel and those involved to strictly adhere to proper practices in protecting personal data collected and processed by the Agency.

  • To assure data subjects that their personal data collected by the Agency will be protected, managed appropriately, processed transparently, and in accordance with the Personal Data Protection Act.

3. Definitions

“Personal Data Protection Act” means the Personal Data Protection Act B.E. 2562 (2019) and its future amendments, including subordinate laws and regulations.
“Personal Data” means any information relating to an individual that can identify that individual, directly or indirectly, such as name, nickname, email, telephone number, address, vehicle registration, biometric data (e.g., facial images, fingerprints), but excludes data of deceased persons.

“Data Controller” means a person or legal entity with the authority to decide on the collection, use or disclosure of personal data.
“Data Processor” means a person or legal entity that processes personal data on behalf of the data controller, without having control of the personal data.
“Data Subject” means a natural person to whom the personal data relates, excluding cases of data ownership or original data collectors.
“Processing” means collecting, using or disclosing personal data under the Personal Data Protection Act.
“Employee” means executives, employees, contractors or legally appointed individuals working for the Agency.

4. Key Personal Data Protection Principles

The Agency will process personal data based on the following key principles:

  • Lawfulness, fairness, and transparency;

  • Purpose limitation: processing only for clear, lawful purposes as designated by the Agency;

  • Data minimization: processing only sufficient, relevant, and necessary data;

  • Accuracy: ensuring personal data is accurate and up-to-date, correcting inaccuracies as necessary;

  • Storage limitation: retaining personal data only as long as necessary for processing, except where the law requires longer retention;

  • Integrity and confidentiality: applying appropriate security measures to protect data from unauthorized or unlawful processing, accidental loss, destruction or damage.

5. Ensuring Compliance with Key Principles

The Agency emphasizes personal data protection by implementing measures as required by law, internal controls, guidelines, and manuals to ensure efficient and law-compliant data protection operations. The Agency’s employees must comply strictly with laws, this Policy, and related practices.

The Agency ensures practical implementation of the key principles by:

  • Establishing organizational structures with designated responsibilities to oversee and direct data protection activities in line with the Policy and the law, to provide consultation to employees, and to liaise with data subjects and the Personal Data Protection Committee.

  • Defining practices and responsibilities for employees in data protection in accordance with this Policy, the law, and related policies.

  • Providing training and raising awareness among employees about personal data protection.

  • Informing service users or contacts about data processing purposes and any data sharing through clear Privacy Notices and Cookie Notices.

  • When obtaining consent, ensuring it is explicit, uses clear language, and is easily accessible and understandable.

  • Setting methods, channels, and responsible persons for receiving complaints and requests regarding data subject rights.

  • Defining procedures and responsible persons for internal audits, investigations, and reporting in case of personal data breaches.

  • Keeping records as required by Section 39 of the Personal Data Protection Act, reviewed at least once a year.

  • Establishing a data retention schedule to ensure personal data is retained only as necessary and for designated purposes.

  • Entering into data processing agreements or contracts when outsourcing personal data processing.

  • Implementing internal measures for the transfer or transmission of personal data outside the Agency, both domestically and internationally.

6. Lawful Basis for Processing

The Agency will process personal data lawfully based on the following:

  • Necessity for contract performance or pre-contractual measures.

  • Necessity to protect life, body, or health.

  • Necessity to perform public tasks or exercise official authority.

  • Legitimate interests, provided such interests do not override data subjects’ fundamental rights.

  • Processing for archiving in the public interest, research, or statistical purposes, with appropriate safeguards.

  • Legal obligations under law.

  • Explicit consent from the data subject.

7. Data Subject Rights

The Agency acknowledges data subjects’ rights under the PDPA and facilitates their exercise:

  • Right to be informed: issuing clear Privacy Notices and Cookie Policies explaining processing purposes and cookie types.

  • Right to withdraw consent: data subjects may withdraw consent at any time.

  • Right of access: requesting access to personal data, activity logs, and information on data acquisition.

  • Right to rectification: requesting correction of inaccurate personal data.

  • Right to erasure: requesting deletion or anonymization of personal data.

  • Right to data portability: requesting data in a machine-readable format and transfer to another controller.

  • Right to restriction: requesting suspension of data processing.

  • Right to object: objecting to data processing.

Requests can be submitted to pdpa@etda.or.th. See the “Access and Exercising Rights” section on the Agency’s website for detailed procedures.

8. Related Policies and Guidelines

  • Data Governance Policy

  • Operational Procedures for Data Management

  • Information Security Policy and Practices

  • Guidelines and Procedures for Handling Data Subject Rights Requests

9. Policy Review and Update

The Agency will review and update this Policy at least annually or as needed to ensure its suitability, and will announce updates on the ETDA website and other appropriate communication channels.
