We have discussed the basic details of the Personal Information Consent Act and the penalties. In part 2, we will talk about the Personal Data Protection Act in a way that is closer to us: the rights of the data subject, the need to appoint a Personal Data Protection Officer, and the importance of a Cookies Policy, so that organizations can prepare before the Act comes into full effect.
Q1: Who is a Personal Data Protection Officer (DPO), and is a Personal Data Protection Officer always required to be established?
The Act does not require every organization to have a DPO; only an organization with the specified characteristics has a duty to set one up. If such an organization does not, it may face an administrative penalty of not more than 1,000,000 baht. Failure to establish a DPO carries no civil or criminal penalties.
The Personal Data Protection Committee sets out the preliminary criteria for organizations in which a DPO is required, including:
- A data controller or data processor that is required to process large amounts of personal data
- A data controller or data processor whose primary processing activities involve sensitive personal data
If an organization does not process large amounts of data, especially sensitive personal data, it may not have a duty under the Act to appoint a specific DPO.
In any event, however, every organization should establish a responsible body to advise on and always check its operations under the Act; there may be no need to adjust the structure or set up a new position. What the organization should be aware of is that if one employee in the organization commits an offence, the penalties will be imposed on the entire organization.
For organizations that must appoint a DPO, the qualifications of a DPO have not yet been established, so the DPO can be a single individual or a team from within or outside the organization.
Q2: Is it necessary to record all data processing transactions?
The data controller is obliged to keep records that show details of the data processing, such as details of the personal information, the purpose of the data processing, the use and processing of the resulting information, and the rejection of requests to exercise the rights of the data subject. It must also record a complete description of all security measures taken. If it does not, it may face an administrative fine not exceeding 1,000,000 baht.
Every organization has a duty to record the refusal of a request or objection made in exercise of a data subject's rights. However, the Department of Personal Data Protection may establish rules exempting small entities from recording details of the data processing.
Even though a small controller of personal information may ultimately be exempt from making full records, recording data processing is something that every organization should do, because such records could be used as tools or evidence to escape liability under the Act in civil, criminal or administrative cases.