Technology & Data Privacy

Follow Our Latest COVID-19 Updates

THAILAND: COVID-19: Further Postponement of Implementation Deadline for Personal Data Protection Act

On 8 May 2021, the Royal Decree Prescribing an Entity and Business in which the Data Controller is Exempted from the Personal Data Protection Act B.E. 2562 (No. 2) B.E. 2564 was published in the Government Gazette. As a result, the previous one-year long postponement of the effective date of key operative provisions of the Personal Data Protection Act B.E. 2562 (2019) ("PDPA") have been further postponed from 1 June 2021 to 1 June 2022.

The rationale for the further postponement is the severity of the COVID-19 pandemic and its significant impact on entities and businesses in both the private and public sectors across the country, which has delayed the PDPA readiness of many. When combined with the need to utilise advanced technology to implement the PDPA provisions, it was deemed reasonable to extend the period of enforcement of full implementation of the PDPA until 1 June 2022. This Update provides a brief overview of key provisions of the PDPA.

MALAYSIA: Personal Data Protection Commissioner Issues Advisory on the Collection, Processing and Storage of Personal Data During the Conditional Movement Control Order

Following the shift from the previous Movement Control Order to the Conditional Movement Control Order (“CMCO”) in Malaysia (which is currently scheduled to end on 9 June 2020), most industries and businesses have been allowed to resume operations, subject to compliance with standard operating procedures issued by the Malaysian Government. On 29 May 2020, the Personal Data Protection Commissioner issued an Advisory on the Procedure for the Handling of Activities relating to the Collection, Processing and Storage of Personal Data by Business Premises during the Conditional Movement Control Order (“Advisory”), which outlines the minimum requirements to be complied with by business premises operating during the CMCO period in order to comply with the seven Personal Data Protection Principles (“PDP Principles”) of the Personal Data Protection Act 2010.

In this Update, we analyse some of the minimum requirements against each of the PDP Principles as identified in the Advisory to be observed by businesses when collecting personal data for contact tracing purposes during the CMCO period.

THAILAND: COVID-19: Postponed Implementation Deadline for Personal Data Protection Act

On 19 May 2020, the Thai Cabinet approved in principle a proposal made by the Ministry of Digital Economy and Society to provide a one-year long postponement of the effective date of key operative provisions of the Personal Data Protection Act B.E. 2562 (2019) ("PDPA") from 27 May 2020 to 31 May 2021 ("New Effective Date"). This move comes as good news for companies struggling to implement their personal data protection regimes by the original 27 May 2020 date. For example, by the New Effective Date, companies are required to ensure they obtain consent from the Data Subject prior to or at the time of any collection, use, or disclosure of Personal Data, except where consent is not required under the PDPA or pursuant to any other laws.

This Update highlights the implications of the postponement, as well as the key features of the PDPA

MALAYSIA: Processing Personal Data in the Context of COVID-19 and the Movement Control Order

In light of the COVID-19 outbreak in Malaysia, organisations will likely face questions in respect of their right to share and disclose personal data of employees, customers and visitors to their premises (in particular, after the end of the Movement Control Order when business resumes as usual) for the purpose of contact tracing or to take other response measures.

In this client update, we explore the possible legal grounds for the collection, disclosure and retention of personal data under the Personal Data Protection Act 2010 in the context of the COVID-19 outbreak.

SINGAPORE: In Containing COVID-19 and Complying with the PDPA: Practical Tips

As part of the DORSCON Orange risk assessment, organisations have started implementing precautionary measures to minimise the risk of further transmission of COVID-19, including requiring visitors and employees to fill in health declaration forms to enable ease of contract tracing. When implementing these measures, organisations should be aware that large amounts of personal data may be amassed, and hence should pay particular attention in complying with the Personal Data Protection Act 2012 ("PDPA"). The Personal Data Protection Commission has released an "Advisory on Collection of Personal Data for COVID-19 Contact Tracing" on 13 February 2020 ("Advisory") to provide some guidance in this regard. In this Update, we look at the key aspects of the Advisory and how organisations can ensure compliance with the PDPA.