Database

Argentina endorses the right to be forgotten for which individuals are entitled to seek the deletion of links on search engines about themselves if the information is outdated or irrelevant.

Section 12 of the Data Protection Act of Argentina (Law 25,326) prohibits the transfer of personal data to countries that do not have an adequate level of protection in place. According to Regulation No. 60-E/2016, the list of countries with adequate levels of data protection includes the European Union and the European Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man, the Faroe Islands, Canada (only private sector), New Zealand, Andorra and Uruguay. The prohibition does not apply to transfers of data made: (i) for international judicial cooperation; (ii) for healthcare or anonymised personal data for the purpose of an epidemiological survey; (iii) for stock exchange or banking transfers; (iv) when subject to an international treaty to which the Argentine Republic is a signatory; (v) for international cooperation between intelligence agencies in the fight against organised crime, terrorism and drug trafficking; or (vi) where the data subject has expressly consented to the assignment.

Regulation No. 60-E/2016 also provides model contract language for international data transfers to countries that do not provide adequate levels of protection. The Regulation also requires notification to the Dirección Nacional de Protección de Datos Personales (DNPDP) when contracts are used other than those provided in the Regulation. This acts as a de facto registration requirement for some international data transfers, which has been reported as cumbersome.

A Draft Personal Data Protection Law would require that certain public sector data be stored locally. This requirement extends to public institutions and to private-sector companies that provide services for governmental entities, and would furthermore prohibit federal government entities from contracting with any service provider that may allow other international governmental agencies or organizations to access the data concerned.

Thailand currently does not have comprehensive privacy laws.

Under the Thai Civil and Commercial Code, a person who wilfully, negligently, or unlawfully injures the life, body, health, liberty, property or any right of another person has committed a wrongful act and is required to compensate the victim. Disclosure or transfer of data may be considered a wrongful act if it causes damage to the data owner.

Data controllers in specific businesses must maintain an appropriate level of security to protect any stored personal data from unauthorised access. Failure to comply with this requirement normally can result in both imprisonment (from six to 18 months) and monetary penalties (THB5,000 to THB20,000 or around 550,000 USD).

Under section 18 of Thailand's Computer Related Crimes Act, officials are able to order individuals to “decode any person’s computer data” without a court order. At request, individuals must produce data or evidence in an "understandable form", which appears to grant an ability to compel decryption of communications. Furthermore, subsections 18(2) and 18(3) allow officials to compel production of traffic data and userrelated data without built-in privacy safeguards. Additionally, subsections 18(4) through 18(6) similarly allow officials to compel inspection of or production of data from individuals controlling computer data or storage equipment.

The prior written consent of the data owner should be obtained before transferring the data to any third person. Disclosure of data without the consent of the data owner is permissible in very limited circumstances (e.g. pursuant to an order from a government authority or Thai court).

The Council of State recently announced that it is in the process of drafting the Personal Information Protection Act. According to the draft, the Act would require specific consent by the data subject before an overseas transfer is executed.

Thailand does not have any general statutory law governing data protection or privacy. However, the Constitution does recognize the protection of privacy rights and some laws in some specific areas do provide a certain level of protection against any unauthorised collection, processing, disclosure and transfer of personal data.

According to the Personal Data Protection Act (PDPA), the private sector organization must delete or discontinue processing the information when the purpose of collection has been fulfilled or the period in which the personal information may be used has expired, or it must delete the information when requested to do so by the data subject.

The Financial Supervisory Commission (FSC) established stringent rules for processing of personal financial information off-shore. Yet, on May 2014, the requirements that both local and foreign banks establish standalone onshore data centers were lifted.

There is no consent requirement for transfer in third countries, but the data subject has to be notified in advance that his/her personal data is being transferred to another country.

Yet, according to Article 21 of the Personal Data Protection Act (PDPA), the international transmission of personal information can be interrupted by the central competent government authority if the transmission involves major national interests or if the country receiving personal information lacks adequate data protection laws.

The transfer of personal information to mainland China is prohibited.

The Personal Data Protection Commission can direct an organisation to:
- stop collecting, using or disclosing personal data;
- destroy personal data; and
- pay a financial penalty of up to 1 million SD (approx. 700,000 USD).
Criminal offeces can result also in imprisonment for up to three years.

Each organisation is required to appoint one or more data protection officers to be responsible to ensure the organisation’s compliance with the Personal Data Protection Act.

The collection, use and disclosure of personal data is permitted only when:
- the individual has consented; or
- those activities are required by law.