MOF Amended the Guidelines on Use of the E-GUI API



To regulate those business operators using the e-Government Uniform Invoice (“e-GUI”) Application Programming Interface (“API”) to develop software products and thereby provide the e-GUI services to consumers (“Developers”), on 30 March 2023, the Ministry of Finance (“MOF”) promulgated the amendments to the Guidelines on Use of the E-GUI API (“Amended Guidelines”), which came into effect on 31 March 2023 (“Effective Date”).

 
In addition to adding an API authorization period of no more than three (3) years (Point 4 of the Amended Guidelines) and requiring Developers’ information security management system to pass the CNS 27001 or ISO 27001 certification (Point 6 of the Amended Guidelines), with respect to Developers’ use of the API and related information, Point 5 of the Amended Guidelines especially stipulates that Developers shall not violate Article 33 of the Tax Collection Act, the Personal Data Protection Act (“PDPA”), the Trade Secrets Act, and other relevant laws and regulations so as to protect others’ privacy, trade secrets, or other rights, which includes (but is not limited to) the following requirements:
 
1.    Before providing the e-GUI services to consumers, Developers shall (i) obtain consent from the consumers and (ii) allow the consumers to request the cessation of use or the deletion of their e-GUI data, usage records, and other related information (Paragraph 2, Point 5 of the Amended Guidelines).
 
2.    When providing the e-GUI services to consumers, Developers shall (i) specify the scope of authorization granted by the consumers and (ii) comply with the relevant requirements under the PDPA, e.g., clearly informing the consumers of (a) the specific purposes of collecting, processing and using their e-GUI data, usage records, and other related information; and (b) how long, where, by whom, and in what manner such data and information will be used (Paragraph 4, Point 5 of the Amended Guidelines).
 
3.    If a Developer would like to collect and store consumers’ e-GUI data, usage records, and other related information for purpose(s) other than providing the e-GUI services, the Developer should seek the consumers’ reconfirmation by informing them of (i) such purpose(s); (ii) the scope of use for such purpose(s); (iii) the applicable laws and regulations involved; and (iv) how their rights/benefits will be affected if they choose not to give consent to such purpose(s). Moreover, Developers shall retain log files of storing and using the e-GUI data for at least six (6) months (Paragraph 3, Point 5 of the Amended Guidelines).
 
4.    Even with consumers’ reconfirmation to use their e-GUI data, usage records, and other related information for purpose(s) other than providing the e-GUI services, Developers shall not (i) use such data and information to profile any particular business operator’s trade secret(s); (ii) provide or resell the consumers’ e-GUI data, usage records, personal data, or others’ business information (in whatever form) to any third party; or (iii) engage in any other conduct that infringes personal data protection, a third party’s trade secret(s), or any others’ rights/benefits (Paragraph 5, Point 5 of the Amended Guidelines).
 
5.    Developers shall seek the consent and reconfirmation under Point 5 of the Amended Guidelines once every half a year and retain the relevant log files (Paragraph 6, Point 5 of the Amended Guidelines).
 
The Amended Guidelines apply to Developers who applied to use the API but had yet to be approved by the MOF before the Effective Date, or who file such an application after the Effective Date. Nonetheless, the Amended Guidelines also require Developers who were approved by the MOF to use the API before the Effective Date to reapply within two (2) years following the Effective Date; the MOF will review such applications pursuant to the Amended Guidelines.