Thailand Personal Data Protection Act (PDPA)

Personal Data Protection Act - Mandatly Inc.

Enforcement of Thailand’s Personal Data Protection Act begins on June 1, 2022. This Act ensures that personal data is protected and not misused.

Thailand’s PDPA is its first national data protection law. Under its provisions, data controllers and data processors, including both public and private entities, are required to obtain consent from data subjects before processing, collecting, or disclosing personal data.

PDPA Applicability (Section 5)

This Act applies to the collection, use, or disclosure of Personal Data by a Data Controller or a Data Processor that is in the Kingdom of Thailand, regardless of whether such collection, use, or disclosure takes place in the Kingdom of Thailand or not.

If a Data Controller or a Data Processor is outside the Kingdom of Thailand, this Act shall apply to the collection, use, or disclosure of Personal Data of data subjects who are in the Kingdom of Thailand, where the activities of such Data Controller or Data Processor are the following activities:

  1. The offering of goods or services to the data subjects who are in the Kingdom of Thailand, irrespective of whether the payment is made by the data subject.
  2. The monitoring of the data subject’s behavior, where the behavior takes place in the Kingdom of Thailand.

Important Definitions (Section 6)

Personal Data

Any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased Persons in particular.

Data Controller

A Person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.

Data Processor

A Person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such Person or juristic person is not the Data Controller.

Data Subject Rights

Data subjects are granted the following privacy rights under the PDPA:

  1. Right to information access (Section 30)
    The data subject is entitled to request access to and obtain a copy of the Personal Data related to him or her, which is under the responsibility of the Data Controller, or to request the disclosure of the acquisition of the Personal Data obtained without his or her consent.
  2. Right to data portability (Section 31)
    The Data Controller shall arrange such Personal Data to be in the format which is readable or commonly used by ways of automatic tools or equipment and can be used or disclosed by automated means.
  3. Right to object to the collection, use, or disclosure of personal data (Section 32)
    The data subjects have the right to object to or opt out of the collection, use, or disclosure of the personal data linked to them if the data was collected under an exemption to consent and the Data Controller is unable to prove that it was for legitimate interest grounds, or to exercise legal claims.
  4. Right to erasure (Section 33)
    The data subject shall have the right to request the Data Controller to erase or destroy the Personal Data or anonymize the Personal Data to become the anonymous data which cannot identify the data subject.
  5. Right to ask the data controller to restrict the use of the personal data (Section 34)
    The data subjects have the right to request the data controller to restrict the use of their personal data when it is no longer necessary to retain such Personal Data for the purposes of such collection.
  6. Right to accurate and up-to-date personal data (Section 35)
    The Data Controller shall ensure that the Personal Data remains accurate, up-to-date, complete, and not misleading.
  7. Right to withdraw consent (Section 19)
    The data subject may withdraw his or her consent at any time. The withdrawal of consent shall be as easy as giving consent, unless there is a restriction of the withdrawal of consent by law, or the contract which gives benefits to the data subject.

Appointment of Data Protection Officer (Section 41)

The Data Controller and the Data Processor shall designate a data protection officer in the following circumstances:

  1. The Data Controller or the Data Processor is a public authority as prescribed and announced by the Committee.
  2. The activities of the Data Controller or the Data Processor in the collection, use, or disclosure of the Personal Data require a regular monitoring of the Personal Data or the system, by the reason of having a large number of Personal Data as prescribed and announced by the Committee.
  3. The core activity of the Data Controller or the Data Processor is the collection, use, or disclosure of the Personal Data according to section 26.

Enforcement

Civil Liability (Sections 77 and 78)
The Data Controller or the Data Processor, whose operation in relation to Personal Data violates or fails to comply with the provisions of this Act which causes damages to the data subject, shall compensate the data subject whether such operation is performed intentionally or negligently.

The compensation includes all necessary expenses incurred by the data subject for the prevention of the damages likely to occur, or which was spent to suppress the damages occurred.

Criminal Liability (Sections 79-81)
Any Data Controller who violates the provisions under section 27, or fails to comply with section 28, which relates to the Personal Data under section 26, can be punished with imprisonment for a term not exceeding one year and a fine ranging from a few thousand baht to 5 million, depending upon the nature of the violation.

Conclusion

The Digital Economy and Society (DES) Ministry insists the Personal Data Protection Act (PDPA) will be enforced on June 1 as scheduled, despite calls from the business sector for its postponement. The enforcement of the PDPA has been postponed twice, and it is now time to start.

However, the enforcement of penalties was relaxed in the first year of its implementation, as this was the transitional period when understanding the law was the goal. The enforcement of the penalties under the PDPA has already started with effect from June 1, 2022.
