Announcement of the Department of Trade Negotiations
on Personal Data Protection Policy B.E. 2565
The Department of Trade Negotiations (hereinafter in this policy called the Department) is aware of the importance of personal data protection. The Department therefore issues the Personal Data Protection Policy to set out policies and guidelines for important practices in personal data management, so that personal data collected, used and disclosed by the Department are handled in accordance with the Personal Data Protection Act B.E. 2562, and so that personal data owners can be confident that the Department will take care of their personal data and provide appropriate security measures for it. The main provisions are as follows:
Section 1. This announcement is entitled “Announcement of the Department of Trade Negotiations on Personal Data Protection Policy B.E. 2565”.
Section 2. Scope of Policy Enforcement:
This announcement shall enter into force from now on and shall be applied to the collection, use, and processing of personal data by the Department at present and in the future (if any).
Section 3. Definitions:
“Department” means the Department of Trade Negotiations.
“Personal Data” means information about a person by which that person can be identified, either directly or indirectly, but not including the information of the deceased.
“Sensitive Personal Data” means personal data that are regulated under Article 26 of the Personal Data Protection Act B.E. 2562, such as race, ethnicity, political opinions, beliefs in creeds, religions or philosophies, sexual behavior, criminal record, health information, disability, labor union information, genetic information, biological data or any other data which may affect a personal data owner as announced by the Committee on Personal Data Protection.
“Processing of Personal Data” means the collection, use or disclosure of personal data.
“Data Subject” means a natural person who is the owner of personal data that the Department collects, uses, or discloses.
“Data Controller” means a person or a juristic person who has the authority to make decisions regarding the collection, use, or disclosure of personal data.
“Data Processor” means a person or a juristic person who carries out the collection, use, or disclosure of personal data according to the order or on behalf of the data controller. However, a person or a juristic person who performs such action is not the Data Controller.
“Committee” means the Committee on Personal Data Protection.
Section 4. Purposes of Collecting Personal Data
The Department has undertaken the mission to negotiate international trade at the bilateral, sub-regional, regional and plurilateral levels and under economic and trade cooperation frameworks, as well as in related international trade organizations, in order to expand economic and trade opportunities, to tangibly protect benefits of the country, to strengthen and publish knowledge and understanding on international trade negotiations, and to support the participation of all relevant sectors.
The Department will collect personal data only as limited and as necessary, for the purposes of the operation of the Department only. There are several purposes for collecting personal data, depending on the type of activities, services, or consideration in each context, which may be as follows:
1) To provide and manage the services of the Department, both services under existing contracts and services according to the mission of the Department.
2) To carry out the necessary operation within the organization, including job recruitment and selection of personnel or various positions and evaluation of qualifications.
3) To confirm and verify identity, and to check information when applying for the Department's services, such as requesting services, exercising legal rights, etc.
4) To confirm identity in order to prevent spam, or unauthorized or illegal actions.
5) To conduct the Department’s transactions.
6) To analyze data, including solving problems relating to the Department's services.
7) To supervise, use, monitor, inspect, and manage the service.
8) To maintain and update information.
9) To prepare the Record of Processing Activity (RoPA) as required by Law.
10) To prevent, detect, avoid and monitor fraud, security breach or prohibited or illegal actions that may cause damage to both the Department and the data subject.
11) To improve and develop the quality of modern activities or services.
12) To assess and manage risks.
13) To send notifications, to confirm inquiry, to communicate and inform service recipients.
14) To prepare and deliver relevant and necessary documents or information.
15) To examine how the data subjects access and use the Department's services, both in general and individually, and for the purpose relating to research and analysis.
16) To take necessary actions to carry out the duties of the Department for agencies having control over taxes, law enforcement or legal obligations of the Department.
17) To take necessary actions for the legitimate interests of the Department, or of other persons or juristic persons involved in the operations of the Department.
18) To prevent or suppress danger to life, body, or health of a person, including surveillance of epidemics.
19) To prepare historical documents in the context of public interests, research, or compile statistics as assigned to carry out by the Department.
20) To comply with applicable laws, announcements, orders, or proceedings regarding lawsuits, subpoena information as well as exercising personal data rights.
Section 5. Principles of Processing of Personal Data
The Department will collect, use or disclose personal data as appropriate, in accordance with activity context and the principles of the Personal Data Protection Act B.E. 2562 as follows:
5.1 The Department can collect personal data without obtaining consent for the following purposes:
1) It is to achieve the objectives related to the preparation of historical documents or archives for public interests or related to studies, research or statistics.
2) It is to prevent or suppress danger to life, body, or health of a person.
3) It is necessary for the performance of a contract to which the data subject is a party, or in order to carry out the request of the data subject prior to entering into a contract.
4) It is necessary for the performance of the Department’s missions carried out in the public interest or in the exercise of official authority.
5) It is necessary for the purposes of the Department’s legitimate interests, except where such interests are overridden by the fundamental rights to personal data of the data subject.
6) It is necessary for the Department to perform duties in accordance with the law.
5.2 Where it is necessary for the Department to collect, use or disclose personal data for which consent must be obtained from the data subject, the Department will inform the data subject of the purposes of the collection, use or disclosure of personal data prior to requesting consent.
5.3 Where it is necessary to collect personal data for the performance of a contract, the performance of legal duties or for the necessity of entering into a contract, if the data subject refuses to provide personal data or opposes such operation, the Department may be unable to perform or provide the requested services in whole or in part.
Section 6. Source of Personal Data Collected by the Department
The Department collects or obtains various types of personal data from the following sources:
1) Data directly obtained from the data subject in various service channels such as registration applications, job applications, signing contracts / documents, answering surveys or using products / services, or other service channels controlled by the Department, or when the data subject communicates with the Department at the office or through other channels controlled by the Department, etc.
2) Data obtained from the data subject when accessing the websites, products or other services according to contracts or missions such as tracking the usage behavior of the Department’s websites, products or services by use of Cookies or from software on the device of the data subject, etc.
3) Data collected from sources other than the data subject, where the referring data source has authorities and duties, legal rights or consent from the data subject to disclose information to the Department, for example linkage of digital services of government agencies to provide comprehensive services for public interests to the data subject, receiving personal data from other government agencies, as well as necessity to provide services in accordance with contracts that may involve exchanging personal data with the contracting agencies.
4) Personal data of the third party where provider of such data has obligation and is responsible for notifying details of this policy to that third party, as well as for requesting consent from that person if it is a case that consent is required to disclose information to the Department.
Section 7. Types of Personal Data Collected and Stored by the Department in Part or in Whole
7.1 Types of personal data that the Department collects and stores in part or in whole consist of the following:
Type of personal data | Details and examples
1. Identification information | Information indicating names or information from official documents indicating identity such as title, rank, first name, last name, middle name, nickname, signature, ID card number, nationality, driver's license number, passport number, house registration information, business license number, professional license number, insurer identification number, social security number, etc.
2. Characteristic information | Detailed information regarding a person's characteristics such as date of birth, gender, height, weight, age, marital status, military conscription status, photograph, language spoken, etc.
3. Contact information | Contact information such as home phone number, mobile phone number, fax number, email, home mailing address, house registration address, current address, online society username, accommodation location map, etc.
4. Work and educational information | Employment details, including educational history and work history such as type of employment, occupation, rank, position, duties, expertise, work permit status, reference person information, tax identification number and tax payment history, tenure history, work history, history or results of educational or work assessments, history of receiving insignia, salary information, date of starting work, date of leaving work, date of return to government service, welfare and benefits, supplies in the possession of the officer, academic work, bank account, etc.
5. Information regarding the use of the Department's services | Details about the Department's products or services such as user account, passwords in the form of numbers, patterns, or biodata verifying identity, PIN numbers, Single Sign-on (SSO ID), OTP, computer traffic data, geolocation data, photographs, videos, audio recordings, usage behavior data through websites or applications under the Department’s supervision, browsing history, cookies or similar technologies, device ID, type of device, connection details, browser information, language used, operating system used, etc.
6. Sensitive personal data | Sensitive personal data according to Article 26 of the Personal Data Protection Act, B.E. 2562 such as race, religion, data concerning disability, criminal history, biometric data, data concerning health, etc. The Department will not collect and store sensitive personal data unless explicit consent has been obtained from the data subject, or in any other cases specified by law as an exception where such data can be collected without obtaining consent from the data subject.
7.2 The data collected and stored according to Article 7.1 is only a framework for collection and storage. The details may change to be consistent with the operation of the mission or related activities or contexts.
Section 8. Cookies
The Department collects and uses cookies and other similar technologies on websites, applications, or other information systems under the supervision of the Department and on services provided to outsiders, in order to keep the Department's services secure and to make them convenient for users. This information will be used to improve the Department's website to better meet the needs of service users. Users can set or delete cookies themselves from their web browser’s settings.
Section 9. Personal Data of a Minor Person, Incompetent Person and Quasi-Incompetent Person
9.1 In cases where it is known in advance that the collection of personal data needs to be based on consent because the data subject is a minor person, incompetent person or quasi-incompetent person, the Department will not collect such personal data until consent is given or authorized by the holder of parental responsibility over the minor or by the custodian or the guardian, in accordance with the conditions specified by the law.
9.2 In cases where it is unknown to the Department that the data subject is a minor person, incompetent person or quasi-incompetent person, and it is discovered later that the Department has already collected personal data of such persons without consent from the holder of parental responsibility over the minor or the custodian or the guardian, the Department will promptly request consent in accordance with Article 20 of the Personal Data Protection Act, B.E. 2562. However, if consent is not granted, the Department must rapidly delete and eliminate such personal data, provided that the Department does not have any lawful basis other than consent to collect, use or disclose such data.
Section 10. Types of Persons to Whom the Department Discloses Personal Data
10.1 The Department will not disclose collected personal data to any other agency or person without consent, except in case where the collection and disclosure of such data is based on a lawful basis, in accordance with Article 24 of the Personal Data Protection Act, B.E. 2562.
10.2 The Department may disclose personal data to the following persons:
Type of persons receiving data | Details and examples
1. Government agencies or authorities to which the Department must disclose data for the purpose of legal operations or other important purposes such as operations for public interest | The law enforcement agencies or agencies having control and supervision power or having other important purposes, such as the Cabinet, Acting Minister, Department of Provincial Administration, Revenue Department, Police Office, Courts, Prosecutor's Office, Department of Disease Control, Ministry of Digital Economy and Society, Office of the Permanent Secretary to the Prime Minister, Office of the Civil Service Commission, Department of Consular Affairs, Comptroller General's Department, Social Security Office, Student Loan Fund, etc.
2. Contracting parties whose operations relate to the welfare of the Department’s employees | Third parties that the Department procures for welfare operations such as insurance companies, hospitals, banks, telephone service providers, etc.
3. Service providers | The Department may assign a third party to provide the service on its behalf, or to support the operations of the Department, such as data storage service providers, developers of systems/ software/ applications/ websites, document delivery service providers, payment service providers, internet service providers, telephone service providers, digital ID service providers, social media service providers, risk management service providers, third party consultants, transport service providers, event organizers, etc.
4. Other types of recipients | The Department may disclose personal data to other types of recipients, such as those who contact the Department, family members, non-profit foundations, temples, hospitals, educational institutions, or other agencies, for operations relating to the Department’s services, trainings, awards’ receipts, merit-making, donations, etc.
5. Public disclosure | The Department may disclose personal data to the public in cases where it is necessary, such as the operations that require the announcement in the Royal Gazette or Cabinet resolution, etc.
10.3 However, the above types of persons receiving data are only a general framework for disclosing personal data. These are carried out specifically under the purposes in Section 4 to the person who receives data related to products or services that are used or have relationship with the Department only.
Section 11. Sending or Transferring Personal Data Abroad
Where the Department needs to send or transfer personal data abroad, the Department will undertake to ensure that such personal data has adequate personal data protection measures in accordance with the international standards, or will proceed following the conditions under which such data may be sent or transferred in accordance with Article 28 of the Personal Data Protection Act B.E. 2562, as well as in accordance with the criteria for protection of personal data that are sent or transferred abroad, as announced by the Personal Data Protection Committee.
Section 12. Period for Collecting Personal Data
The Department shall store personal data only for the period necessary for the purpose of collecting personal data. In this regard, when the period has elapsed and the personal data are no longer necessary for the said purpose, the Department will delete, destroy or make personal data no longer identifiable, in accordance with the format and standards of deleting and destroying personal data that the Personal Data Protection Committee or the law will announce or according to the international standards. However, in the case of a dispute, exercising rights or lawsuits related to personal data, the Department reserves the right to continue to store that data until the dispute has a final order or judgment.
Section 13. Services Provided by Third Parties or Outsourcing Providers
13.1 The Department may assign or procure third parties to perform personal data processing instead of or on behalf of the Department, where such third parties may offer services in various ways, such as hosting, outsourcing, cloud computing services or other forms of service.
13.2 When assigning a third party to process personal data as a Data Processor according to Section 13.1, the Department will arrange for an agreement specifying the rights and duties of the Department as the Data Controller and of the third party assigned by the Department as the Data Processor, specifying the details of the types of personal data that the Department assigns for processing, and including the purpose and scope of processing personal data and other related agreements. However, the Data Processor is responsible for processing personal data only within the scope specified in the agreement and in accordance with the Department's orders, and cannot process it for any purposes or benefits other than those specified.
13.3 In the case where the Data Processor has assigned a sub-service provider (Sub-processor) to process personal data instead of or on behalf of the Data Processor, the Department will assign the Data Processor to prepare the agreement between the Data Processor and the sub-processor in form and standard that is not lower than the agreement between the Department and the Data Processor.
Section 14. Maintaining Security of Personal Data
14.1 The Department will limit the right of access to personal data to specific officials or persons who have authority or have been designated and who need to use such data, only for the purposes that have been notified to the data subject. Such officials or persons must maintain the confidentiality of the personal data they receive and strictly comply with the Department's personal data protection measures.
14.2 The Department will manage appropriate security and confidentiality measures to protect personal data, in accordance with the law, to prevent unauthorized or unlawful loss, access, use, change, alteration, destruction or disclosure of personal data, in order to give confidence that the data are always secure.
Section 15. Connections to External Websites or Services
Services of the Department may connect to websites or services of third parties, where such websites or services may publish a Personal Data Protection Policy whose details differ from this Policy. The Department therefore suggests studying the Personal Data Protection Policy of such websites or services in detail before using the service. However, the Department has no authority to control the personal data protection measures of such websites or services and is not responsible for content, policies, damages, or actions resulting from third-party websites or services.
Section 16. Data Protection Officer
The Department has appointed the Data Protection Officer to inspect, supervise and provide advice on the collection, use or disclosure of personal data, including coordination and cooperation with the Office of the Personal Data Protection Committee, in order to comply with the Personal Data Protection Act B.E. 2562.
Section 17. Rights under the Personal Data Protection Act B.E. 2562
Rights of a data subject are in accordance with the Personal Data Protection Act B.E. 2562. Details of the rights are as follows:
1) Rights to access and obtain a copy of personal data.
2) Rights to request the correction of personal data to be accurate, complete and up-to-date.
3) Rights to delete or destroy personal data.
4) Rights to request the suspension of use of personal data.
5) Rights to object to the processing of personal data.
6) Rights to withdraw the consent.
7) Rights to request for receiving, sending or transferring personal data.
8) Rights to complain.
Section 18. Personal Data Collected Prior To Applicable Law
The Department will collect and use the personal data collected before the Personal Data Protection Act B.E. 2562 came into force, in accordance with the original purposes. However, if the Data Subject wishes to withdraw such consent, this can be done through e-mail, the Department's website (www.dtn.go.th) or information technology systems of the Department.
Section 19. Improving the Personal Data Protection Policy
The Department may consider amending or changing this policy as it deems appropriate. We will notify users of changes through the website www.dtn.go.th or notify by e-mail or other channels, as the case may be. We will clearly notify the purpose of improving or amending the policy.
Section 20. Contacting the Department of Trade Negotiations
If you have doubts, suggestions or concerns regarding the collection, use, and disclosure of personal data by the Department or regarding this policy, you can contact the Department and inquire for information at
The Department of Trade Negotiations
563 Thanon Nonthaburi, Thambon Bang Krasor,
Amphor Mueang Nonthaburi, Nonthaburi Province 11000
Email: dpo@dtn.go.th
Phone number: 0 2507 7444
Announced on the 23rd June B.E. 2565
-----------------------------------------------
Announcement of the Department of Trade Negotiations
on Personal Data Protection Policy (No. 2) B.E. 2566
Whereas it is appropriate to amend the announcement of the Department of Trade Negotiations on Personal Data Protection Policy B.E. 2565, dated 23rd June B.E. 2565, the Data Controller is responsible for providing appropriate security measures in accordance with the announcement of the Committee on Personal Data Protection regarding the Security Measures of Data Controllers B.E. 2565.
By virtue of the provision of Article 16 (4) and Article 37 (1) of the Personal Data Protection Act B.E. 2562, the Director-General of the Department of Trade Negotiations hereby issues the announcement as follows:
Section 1. This announcement is called “Announcement of the Department of Trade Negotiations on Personal Data Protection Policy (No. 2) B.E. 2566”.
Section 2. This announcement shall come into force from now on.
Section 3. To add the following clause as part of Section 14 Maintaining Security of Personal Data under Announcement of the Department of Trade Negotiations on Personal Data Protection Policy, B.E. 2565: “14.3 The Department will determine guidelines for responding to a data leak situation, examining the source of the leak and identifying the cause of the leak. If it is considered that the leakage of personal data is at high risk and affects the security measures of personal data, the Department shall notify the data subject of such violations and guidelines for remedies, and shall report such violations to the Office of the Committee on Personal Data Protection without delay, within 72 hours after knowing the cause, as far as possible.”
Section 4. To repeal the content of Section 20. of the Announcement of the Department of Trade Negotiations on Personal Data Protection Policy, B.E. 2565 and use the following content instead.
“Section 20. Contacting the Department of Trade Negotiations
If you have doubts, suggestions or concerns regarding the collection, use, and disclosure of personal data by the Department or regarding this policy, you can contact the Department and inquire for information at
The Department of Trade Negotiations
563 Thanon Nonthaburi, Thambon Bang Krasor,
Amphor Mueang Nonthaburi, Nonthaburi Province 11000
Email: dpo@dtn.go.th
Phone number: 0 2507 7445”
Section 5. All relevant Announcements that were in effect before this Announcement came into force continue to be in force insofar as they do not contradict this Announcement.
Announced on the 5th April B.E. 2566
-------------------------------------------------