PDPA: Handling Personal Data of Third-Party Representatives in Contractual Communications

Thailand’s Personal Data Protection Act B.E. 2562 (PDPA) regulates how companies, say Company K, which provides building management and outsourcing services, manage personal data. The Subcommittee under the Personal Data Protection Committee has clarified Company K’s obligations regarding consent and lawful bases for data processing in two scenarios: business transactions with representatives and property management services. This analysis details the facts, the subcommittee’s rulings, and the compliance implications.

Factual Background:

Company K operates in building administration and outsourcing, requiring the collection, use, and disclosure of personal data. It raised two issues: (1) When dealing with natural persons or entities, it coordinates with employees or agents, collecting their names, phone numbers, and other personal data – does it need their consent? Given Section 24(3)’s contractual exemption applies only to direct parties? (2) When managing condominiums/villages, either as the legal manager or an outsourced administrator, it handles residents’ data for billing, security, parking stickers, registries, and services—must it obtain consent, or does an exemption apply?

Subcommittee Decisions:

The subcommittee provided rulings on both issues:

1. Data of Representatives in Business Transactions
   • Case 1: Natural Person as Counterparty: When Company K contracts with an individual (e.g., for goods and services), it can collect their data under PDPA Section 24(3)—necessary for contract performance or pre-contractual steps—without consent. This includes names and contact details for coordination, as the individual is a direct party.
   • Case 2: Representatives of Entities: When coordinating with employees/agents of a legal entity counterparty, these individuals are not parties to the contract, so Section 24(3) does not apply. Instead, Company K can use Section 24(5)—legitimate interests—if the data collection (e.g., names, phone numbers for quotes and documents) is necessary, outweighs data subject rights, and respects reasonable expectations in business contexts. Caution is required to minimize impact and avoid excessive use. For sensitive data under Section 26 (e.g., health and criminal records), additional lawful bases from Section 26 are needed. Consent is not mandatory if these conditions are met.
2. Data of Residents in Property Management
   • Whether Company K manages a condominium/village as the legal entity (registered under condominium or land allocation laws) or as an outsourced administrator, it processes residents’ data (e.g., for billing, security and parking) under instructions from the condominium/village legal entity. Here, Company K is not a “data controller” (Section 6)—an entity deciding data use—but a “data processor” (Section 40), acting on behalf of the controller (the legal entity). The controller must secure a lawful basis under Sections 24 or 26 (e.g., contract and legal duty), not Company K. As a processor, Company K does not need residents’ consent or a direct lawful basis; it follows the controller’s lawful instructions (Section 40(1)). The controller must establish a data processing agreement per Section 40, paragraph 3, ensuring compliance.

Implications for Compliance:

Company K can avoid consent in business dealings by leveraging contractual (Section 24(3)) or legitimate interest (Section 24(5)) bases, tailoring its approach to the counterparty’s status, with extra care for sensitive data. In property management, its processor role shifts responsibility to the legal entity, requiring clear agreements to define duties and ensure lawful data handling. This dual framework simplifies Company K’s compliance while upholding PDPA standards.

Key Takeaways:

• Contractual Base for Direct Parties: Section 24(3) exempts consent for natural person counterparties, covering pre and post-contract data.
• Legitimate Interest for Agents: Section 24(5) supports collecting representatives’ data without consent, if necessary and balanced, with Section 26 for sensitive data.
• Processor Role in Management: As a processor, Company K does not need consent or a direct basis; the controller (legal entity) bears that duty.
• Agreements Are Key: Section 40 mandates controller and processor agreement to align outsourced data handling with PDPA.

This ruling enables Company K to streamline operations under PDPA, distinguishing its roles and leveraging exemptions effectively.