Latest News & Insights

Seminars are common and essential operations that must be conducted by any entity, whether small or large, in the public or private sector. Normally, the arrangement of seminars will involve the collection or use of personal data such as the registration of seminar participants for preparing meeting facilities or to confirm the number of participants, taking photographs during the seminar to compile minutes, providing satisfaction surveys for improving the efficiency of the operations, etc.

Therefore, any operation which is performed on personal data such as collection, use, and disclosure of personal data (“Processing of Personal Data”) will be subject to to Personal Data Protection Act B.E. 2562 (“PDPA”).. This article explains appropriate practices for managing personal data in the context of seminars to enhance knowledge and understanding in accordance with the principles of PDPA. Organizations have the following duties and responsibilities as follows.

1. Creating a record of personal data processing activities (RoPA)

Record of Processing Activity (RoPA) is a legally mandated document that specifies how personal data will be processed. It enables the organization to know which personal data processing activities require legal documents under the PDPA. Seminars are also operations within an organization that involve the processing of personal data. Therefore, it is necessary to record them in the Record of Processing Activities (RoPA) as well. Since RoPA documentation represents operational records within an organization , it is not necessary to create separate RoPA entries for every individual seminar or meeting. Organizations can record these activities as a single consolidated entry in their RoPA, provided the events follow the same pattern of processing personal data.

 Moreover, the Data Controller or Data Processor must establish a legal basis for processing personal data. Note that a single data processing activity may be supported by multiple legal bases, depending on the purpose of data use. For example:

• Contract : In case there is a contract with the participants and it is necessary to process their personal data to comply with obligations under the contract, or if there is no contract yet but processing personal data is necessary to fulfill the data subject's request before entering into a contract.
• Legal obligation : In case of compliance with legal requirements, such as the Regulation of the Office of the Prime Minister on Archives, B.E. 2526 (1983) and its amendments, Section 6.
• Legitimate interests : In case of taking photographs during the seminar to complie minutes.
• Consent : In case no other legal basis under the PDPA can be applied or it is not exemption to the collection of sensitive personal data according to section 26 of PDPA.

Examples: Personal Data Processing for Conference and Seminar

*Note: The legal basis for referencing depends on the organization and the personal data collected.

2. Preparation of Legal Documents: Privacy Notice

Privacy notice is a legal document that serves the purpose of informing data subjects about how their personal data will be collected and used during seminar and meeting activities. This practice ensures compliance with the principles of lawfulness, fairness, and transparency. Personal data will not be used beyond the purposes specified in the privacy notice. Regarding notification guidelines for data subjects, organizations must inform individuals of the processing purposes before or at the time of personal data collection. The notification approach and details are as follows:

• Assess your seminar participants and tailor your language and messaging to ensure clarity and comprehension.
• Display the Privacy Notice in a clear visible place such as
  • Registration points for event participation.
  • Attach the Privacy Notice along with the seminar invitation letters.
  • Publish the Privacy Notice on organization website.
  • Create QR code of the Privacy Notice and share through channels during online seminars or conference.
• The details of the Privacy Notice must be specified as required by section 23 of PDPA, as follows:
  • Purpose of Personal Data Processing.
  • Details of personal data collected, collection methods, how the data will be used and disclosed.
  • Third-party sharing and transfers - specify the types of external organizations or entities involved, including any international data transfers
  • Retention period of personal data
  • Data subjects’ rights
  • Security measures
  • Contact information for the data controller or data protection officer

3. Best Practices for Effective Conference and Seminar Management

• In case photographs are taken during the seminar that may capture participants’ images, the privacy notice must state the purpose and legal basis of such processing. For any participants who prefer not to be photographed, the data controller or data processor should have a way to accommodate such as special identification badges or symbols for those opting out of photography.
• Avoid collecting or using sensitive personal data during seminar activities by considering whether sensitive data is truly necessary to achieve the seminar’s objectives. If not essential, avoid collecting such data entirely. Data controllers or processors may modify their collection methods to avoid sensitive data - for example, instead of collecting food allergy information, provide meal options for participants to select from.

The relationship between seminar management and PDPA compliance is inherently interconnected. Event organizers must fulfill their legal responsibilities as data controllers or processors to safeguard participants' privacy rights. Equally important, participants should actively review privacy notices to ensure the stated purposes and data collection practices align with their expectations and consent. Data subjects who have questions or concerns about how their personal information is handled retain the right to exercise their legal protections under data protection regulations.