Announcement of the Department of International Trade Promotion
By virtue of Section 32 of the National Government Organization Act B.E. 2534, and as amended, Section 5 and Section 95 of the Personal Data Protection Act B.E. 2562, Section 6 and Section 7 of The Royal Decree Prescribing Rules and Procedures of Electronic Transactions in the Public Sectors of B.E. 2006, the Department of International Trade Promotion has issued the notification as follows:
Article 2 This Notification shall come into force from now on.
Article 3 In this Notification:
“DITP” means the Department of International Trade Promotion.
“Person” means natural persons.
“Personal Data” means information related to a natural person which can be used to identify such person whether directly or indirectly, but excludes information relating to deceased persons.
“Sensitive Data/Special Categorized Personal Data” means Personal Data relating to nationality, race, political opinions, religious, philosophical, or spiritual beliefs, sexual behavior, criminal records, medical records, disability, trade union information, genetic data, biometric data (such as face scanning, iris scanning, or fingerprints) or other information which similarly impacts the data subjects as determined by the Personal Data Protection Committee.
“Biometric Data” means Personal Data arising from the use of techniques or technologies related to the dominant physical or behavioral characteristics of a Person, which can be used to identify such Person apart from other Persons, such as facial recognition data, iris recognition data or fingerprint recognition data.
“Data Subject” means a person who can be personally identified by the Personal Data, either directly or indirectly.
“Data Controller” means a natural or juristic person who has the authority to decide on the issues relating to collection, use, and disclosure of Personal Data.
“Data Processor” means a natural or juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller.
“Processing” means the collection, use, and/or disclosure of Personal Data.
Article 4 Purposes of Processing Personal Data
DITP has missions to promote exports, expand the market for Thai products and services, enhance value creation of export products and services, provide trade information services, and increase the competitiveness of Thai entrepreneurs in the world market in order to increase the value and volume of Thailand’s exports. Therefore, the Processing of Personal Data is for the benefit of DITP’s missions, duties, and management within DITP to support the implementation of various missions and to achieve the goals according to DITP’s authority, as follows:
(1) to formulate export promotion policies; set export targets and action plans as well as provide recommendations on trade and marketing measures;
(2) to carry out activities to promote, develop, and support the export of Thai products and services both domestically and internationally;
(3) to provide trade intelligence services, and promote the use of export related information and technology for Thai manufacturers, exporters, service providers as well as overseas importers;
(4) to publicize and broadcast Thai products and services to promote exports;
(5) to enhance private sector’s international trade knowledge and competencies in order to strengthen their trade competitiveness and export efficiency, as well as provide assistance and coordinate with local and overseas organizations;
(6) to support the development and value creation of products and branding to meet international market demand;
(7) to support and develop trade logistics system;
(8) to carry out operations related to DITP’s general administrative affairs, financial and accounting affairs, internal auditing, procurement, legal affairs, protocol and logistics;
(9) to conduct activities within the scope required by law or as assigned by the minister or the cabinet.
In addition, DITP will collect, use and/or disclose Personal Data of the Data Subject for the following purposes:
4.1 Purposes for which DITP requires consent
DITP relies on the consent of the Data Subject to collect, use and/or disclose personal data for the following purposes:
(1) in case where it is necessary to transfer the Personal Data of the Data Subject to a country that may not have an adequate level of data protection; and
(2) to collect, use and/or disclose Personal Data of the Data Subject for use in public relations, advertising projects or activities of DITP; and
(3) to collect, use and/or disclose Personal Data of the Data Subject for use in communicating, presenting and advertising news, projects and activities of DITP; and
(4) to collect, use, and/or disclose Sensitive Data in order to provide food suitable for the health of the Data Subject.
4.2 Purposes for which DITP may, in compliance with exceptions under the law, collect, use, and/or disclose Personal Data without obtaining consent
The principles or legal bases to collect, use and disclose Personal Data of the Data Subjects are as follows:
(1) it is necessary for the performance of a contract to which the Data Subject is a party, or in order to take steps at the request of the Data Subject prior to entering into a contract;
(2) it is necessary for compliance with a law;
(3) it is necessary for a legitimate interest;
(4) it is to prevent or suppress a danger to life, body or health of the Person;
(5) it is for the performance of a task carried out in the public interest, or for the exercise of official authority vested in DITP.
DITP shall rely on the exceptions in (1) to (5) above for the collection, use and/or disclosure of Personal Data for the following purposes:
(a) to fulfil contractual obligations to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into the contract;
(b) to recruit and select participants for training or projects of DITP;
(c) to verify personal identity, contact and coordinate with the Data Subject;
(d) to organize and conduct trainings, seminars, examination and to issue certificates;
(e) to follow-up on the results and improvement which the Data Subject receives from trainings, seminars or projects of DITP;
(f) to provide opportunities for international trades, especially export, for Thai entrepreneurs through introducing and business matching between buyers or importers of Thai goods or services, and Thai entrepreneurs (Business Matching);
(g) to analyze data to formulate plans or projects to promote Thailand’s international trades to suit the needs of a particular region or special interest group or individuals;
(h) other purposes that DITP reasonably requires and that are notified to the Data Subject in any relevant documents or channels.
DITP shall not collect, use and/or disclose Personal Data for any other purposes than ones which DITP has notified the Data Subjects, unless the Data Subject has been informed of the new purpose and DITP obtains the consent of the Data Subject, or in cases where the consent is not required by the law.
Article 5 Processing of Personal Data
5.1 Collection of Personal Data
DITP shall lawfully and fairly collect Personal Data as necessary, both physically and electronically, in accordance with DITP’s mission and purposes as set out in Article 4. DITP shall only collect Personal Data with the consent of the Data Subject, or where there is an exception by law allowing the collection of Personal Data without obtaining the consent of the Data Subject.
DITP shall adopt lawful means for collecting, using and/or disclosing the Personal Data, whereby the collection of Personal Data by DITP shall be limited to the extent necessary for the purposes for which it was collected, used, and/or disclosed as specified in Article 4 and in accordance with the provisions of the law.
DITP shall collect, use and/or disclose the Personal Data that has been provided to or collected by DITP, or that DITP has obtained or has access to from other reliable sources, such as information that the Data Subject has made public or information from other government or private agencies that are partners or allies of DITP.
In case where the Data Subject does not provide Personal Data or has provided Personal Data which are inaccurate or out of date to DITP, the Data Subject may not be able to enter into transactions with DITP, and it may cause inconvenience to the Data Subject, and DITP may not be able to perform its contractual obligation under the relevant contract with the Data Subject, and it may lead to loss of opportunities or damages to the Data Subject and it may affect compliance with any laws that the Data Subject or DITP must comply with.
The Personal Data that DITP collects, uses and/or discloses can be classified into 2 types as follows:
(1) Personal Data, including:
(1.1) information specific to the personal identity of data subject (Identification information) and contact information of data subject such as name, last name, identification card number, information as displayed on the identification card, passport number, portrait, gender, date of birth, age, status, address, occupation, work address, phone number, fax number, e-mail address; and
(1.2) Work information such as position, job title, department, contract details, personal background, educational background, employment history.
(2) Sensitive Data such as Biometric Data, fingerprints, face scan/ face recognition, criminal records, including alleged offenses or prosecution, health information.
DITP shall not collect Sensitive Data unless DITP has obtained the explicit consent from the Data Subject, or in case of exception where the law allows collection without obtaining the consent from the Data Subject.
5.2 Use of Personal Data
DITP shall use Personal Data in accordance with the missions and purposes of DITP’s operations specified in Article 4, upon obtaining the consent from the Data Subject, or in cases where the provisions of the law allow DITP to be able to use Personal Data.
5.3 Disclosure of Personal Data
DITP shall disclose Personal Data for the purposes of DITP’s missions and operations as stated in Article 4, or to provide services to the Data Subject upon request, or in accordance with contractual obligations upon consent from the Data Subject, or as required by law to disclose.
Whereas, a Person or juristic person which receives Personal Data from DITP must not use or disclose the Personal Data for any purposes other than the purposes that have been notified to DITP in the request to obtain such Personal Data.
DITP shall disclose Personal Data to other Data Controllers only for the purposes that DITP has notified to the Data Subject. DITP shall disclose Personal Data in the following circumstances:
(1) DITP has obtained consent from the Data Subject;
(2) it is necessary for the successful operation of businesses or other activities of the Data Subject and to achieve the purposes of the Data Subject including to fulfil contractual obligations, or as requested by the Data Subject;
(3) it is necessary for the legitimate interest such as disclosure to a juristic person or organization for the purpose of fraud investigation and prevention, taking a photograph of meetings or doing business with DITP for the security purpose, etc.;
(4) for compliance with the law, regulations, orders or notifications prescribed by a competent supervisory authority or official authority such as Ministry of Commerce, Ministry of Labor, Social Security Office, Department of Skill Development, Legal Execution Department, Student Loan Fund, National Office for Promotion and Department of Empowerment of Persons with Disabilities, Courts, Police, Office of the Public Sector Development Commission, Budget Bureau, or any other government agency as required by the applicable laws in order to comply with laws and regulations or legal obligations; or
On condition that DITP later changes the purpose of collecting, using and disclosing Personal Data, DITP shall notify the Data Subject through documents or e-mail or DITP’s website (www.ditp.go.th) or DITP’s relevant information technology system as appropriate. Along with this, DITP shall also maintain a record of the amendments as evidence.
Article 6 Data Subject Rights
The Data Subject has rights in relation to Personal Data under control of DITP, in accordance with the Personal Data Protection Act B.E. 2562, as follows:
6.1 the right to withdraw consent for the Data Controller to collect, use, or disclose Personal Data which was previously given in accordance with the purposes stipulated by the Data Subject. The revocation of consent can be carried out for as long as the Data Controller is in possession of the Personal Data, unless there is a limitation on such right as prescribed by law or by contractual obligations between the Data Subject and DITP;
6.2 the right to access and to request for a copy of the Personal Data from the Data Controller, and to be informed of any acquisitions of Personal Data without obtaining consent;
6.3 the right to receive Personal Data from the Data Controller in the case where the Personal Data is in the format which is readable or commonly used by ways of automatic tools or equipment and can be used or disclosed by automated means. This includes the right to request the Data Controller to transmit or transfer the Personal Data to another Data Controller by automated means, and to request Data Controller directly for the Personal Data in such formats that were sent or transferred to other Data Controllers, unless it is impossible to do so because of the technical circumstances;
The exercise of such right shall not apply to the transmission or transfer of Personal Data of the Data Controller which is in the performance of duties for public interest or the performance of duties under the law.
6.4 the right to object to the collection, use, or disclosure of Personal Data at any time, in the following circumstances:
(1) in case where the Data Controller can collect Personal Data without obtaining consent, in the following cases:
(1.1) it is necessary for the performance of duties for the public interest of the Data Controller or to perform the duties under state powers given to the Data Controller; or
(1.2) it is necessary for the legitimate interests of the Data Controller or of a person or a juristic person other than that Data Controller;
(2) in the case of collecting, using or disclosing Personal Data for direct marketing purposes; or
(3) in the case of collecting, using or disclosing Personal Data for the purpose of scientific research, historical research, or statistics, unless it is necessary for the public interest of the Data Controller.
6.5 the right to delete or destroy or make the Personal Data unable to be identified as to who the Data Subject is, in the following cases:
(1) when it is no longer necessary to keep the Personal Data for the purposes of collecting, using or disclosing Personal Data;
(2) when the Data Subject withdraws consent for the collection, use or disclosure of the Personal Data, or when the Data Subject objects to the collection, use or disclosure of Personal Data; or
(3) when the Personal Data have been unlawfully collected, used, or disclosed.
6.6 the right to restrict the processing of Personal Data in case where the Personal Data is subject to deletion or destruction due to unlawful collection, use or disclosure, or it is no longer necessary to keep the Personal Data;
6.7 the right to rectify the Personal Data to make the information accurate, up-to-date, complete and not misleading; and
6.8 the right to lodge a complaint to the Personal Data Protection Committee, in accordance with Personal Data Protection law, in the case where DITP or a Data Processor, including employees or contractors of DITP, violates or fails to comply with the Personal Data Protection law or related announcements, at: Office of the Personal Data Protection Commission, 7th Floor, Ratthaprasasanabhakdi Building, The Government Complex Commemorating His Majesty The King’s 80th Birthday Anniversary, Chaeng Watthana Road, Thung Song Hong, Lak Si, Bangkok 10210.
Article 7 Retention Period of Personal Data
DITP shall keep the Personal Data for as long as necessary for the fulfilment of the purposes stated to the Data Subject or for the purposes set forth in Article 4, or until it is no longer necessary to keep the Personal Data. In case the Data Subject terminates transactions with DITP, or there is no use of services or transactions with DITP, DITP shall store the Personal Data of the Data Subject for a specified period of time or as specified by law or legal prescription or the exercise of legal claims. At the end of the retention period, DITP shall delete or destroy the Personal Data or anonymize it so that it cannot identify the Data Subject. The retention period of Personal Data shall be in accordance with DITP’s Data Retention Policy, whereas DITP may retain Personal Data for a period of time as required by law.
The storage of Personal Data in electronic form shall be in accordance with the Regulations of the Office of the Prime Minister on Correspondence Work, provided that the period for storing such personal data shall be in accordance with the first paragraph of Article 7.
Article 8 Quality of Personal Data
DITP shall collect, use and disclose Personal Data for the purpose of carrying out the mission, duties, and objectives of DITP’s operations, and the role of supporting functions of DITP. DITP shall emphasize the accuracy and completeness of the Personal Data and keep it up to date.
Article 9 Limitations on the Use of Personal Data
DITP shall not use Personal Data that has been collected, or disclose it to other persons, other than for the purpose of operating DITP’s mission, duties, and operational objectives, and the role of the supporting sectors of DITP, except where DITP has obtained the consent of the Data Subject, or where there are exceptions by law that allow DITP to use or disclose Personal Data without obtaining consent from the Data Subject, for example, in the case of disclosure of Personal Data to parties of a contract who provide services to DITP that require Personal Data.
Article 10 Security Measures in Storing and Processing Personal Data
DITP has standards to maintain the security of Personal Data appropriately by maintaining confidentiality, integrity and availability of the Personal Data for the prevention of loss, access, destruction, use, alteration, modification or disclosure of Personal Data without right or by unlawful means and not less than those specified in the Notification of the Personal Data Protection Committee Re: Security Measures of Data Controller B.E. 2565 (2022) and its amendment (if any).
Article 11 Involvement of the Data Subject
DITP shall provide a channel for the Data Subject to verify the existence and correctness of the Personal Data, including the right to withdraw consent, right to access, correct, delete, object to the Processing of Personal Data through a document or e-mail or DITP’s website (www.ditp.go.th) or DITP’s information technology system as appropriate.
Article 12 Information of a Third Party
Article 14 Personal Data Collected before the Enforcement of the Law (Transitional Provision)
DITP shall continue to collect and use, for the original purposes, Personal Data that was collected before the Personal Data Protection Act B.E. 2562 came into force. If the Data Subject wishes to withdraw consent, the withdrawal can be carried out through a document form or e-mail or through DITP’s website (www.ditp.go.th) or the information technology system of DITP.
Article 15 Governing Law and Jurisdiction
Article 16 Contact Information of DITP
Department of International Trade Promotion (Bang Kra Sor), 563 Nonthaburi Road, Bang Kra Sor, Amphoe Muang, Nonthaburi 11000, at: E-mail: firstname.lastname@example.org, Call Center: 1169; or Data Protection Officer (DPO) at: E-mail: email@example.com, Telephone: 0-2507-7999