In brief

The Bank of Thailand (BOT) has issued the Notification on the Rules, Procedures, and Conditions for Hire-Purchase and Financial Leasing of Automobiles and Motorcycles Businesses ("BOT Notification"), introducing obligations, including sector-specific data protection obligations, for hire-purchase and leasing businesses regulated under the Royal Decree prescribing the Hire Purchase and Leasing of Automobiles and Motorcycles Business to be governed under the Financial Institutions Business Act B.E. 2551 (2008), B.E. 2568 (2025) ("Royal Decree").

The BOT Notification imposes new requirements for the collection, use, and disclosure of customer data, supplementing those under the PDPA. These new requirements took effect on 1 June 2026.

Regulated hire-purchase and leasing businesses should revisit the customer consent form, privacy notice, and relevant privacy documents for compliance.

In more detail

Background

  • The Royal Decree applies to juristic persons engaging in hire‑purchase and financial leasing of automobiles and motorcycles in the ordinary course of business ("Regulated Business"). This excludes natural persons and entities already regulated under sector‑specific frameworks (e.g., commercial banks, specialized financial institutions, and cooperatives).
  • Regulated Business must comply with BOT requirements relating to financial service provision, including the disclosure of interest rates and fees to ensure transparency, the submission of business operation and regulatory reports, and compliance with BOT rules and supervisory requirements, including this BOT Notification.
  • The BOT Notification also introduces sector‑specific data protection obligations, supplementing those under the Personal Data Protection Act B.E. 2562 (2019) (PDPA).Data protection-related requirements

Regulated Businesses must provide financial services in a responsible and fair manner, including ensuring robust customer data protection. In particular, customer data must be maintained with appropriate security measures and due regard for customer privacy, in order to prevent loss of or any unauthorized access, use, alteration, modification, or disclosure of personal data. This includes:

1. Data security governance: Regulated Business must implement appropriate policies, procedures, and systems, including:

  • Security of customer data (confidentiality and appropriate retention/deletion).
  • System security and availability.
  • Access controls based on a "need to know" basis.
  • Oversight of co‑branding and business partner arrangements to ensure proper data handling.

2. Rules on disclosure of customer data:

  • General requirements: Customer data may only be disclosed to third parties where necessary. Regulated Business must ensure that recipients maintain appropriate security measures, retain data only as necessary, and use data strictly for notified purposes.
  • Marketing-related disclosures: Additional requirements apply where customer data is disclosed for marketing purposes. Regulated Businesses must comply with applicable consent requirements, including:

i. Obtain clear and separate customer consent.
ii. Ensure that consent does not affect access to products or services.
iii. Provide the required information to customers, including marketing purposes, data recipients, and/or their categories, and available channels for inquiries and withdrawal of consent.
iv. Implement processes to manage consent withdrawal effectively.

Effectiveness and enforcement of data-protection related requirements

  • Existing contracts entered into before 1 June 2026 remain valid until completion. However, business operators must additionally comply with the relevant obligations under the BOT Notification, including data protection requirements, once effective.
  • Failure to comply with these requirements under the BOT Notification could result in administrative penalties, including fines.

What does this mean for Regulated Businesses

Regulated Businesses should:

  • Revisit and implement documentation, including customer consent forms, privacy notices, and marketing preference management processes, to ensure alignment with BOT and PDPA requirements.
  • Review and update internal data governance policies and procedures.
  • Reassess co‑branding and third‑party arrangements.

Regulated Businesses are encouraged to take this opportunity to review current practices and address any gaps to mitigate compliance risks and manage regulatory exposure.

* * * * *

Phatrajarin Tanjaturon, Associate, has contributed to this legal update.

Explore More Insight