Thailand Personal Data Protection Act (PDPA)
Key highlights of PDPA:
Data Subject Rights under Thailand Personal Data Protection Act (PDPA) (Sections 30-35)
- Right to information access (Section 30)
The data subject is entitled to request access to and obtain a copy of the Personal Data related to him or her, which is under the responsibility of the Data Controller, or to request the disclosure of the acquisition of the Personal Data obtained without his or her consent.
- Right to data portability (Section 31)
The Data Controller shall arrange such Personal Data to be in a format which is readable or commonly used by ways of automatic tools or equipment and can be used or disclosed by automated means.
- Right to object to the collection, use, or disclosure of personal data (Section 32)
The data subjects have the right to object to or opt out of the collection, use, or disclosure of the personal data linked to them if the data was collected with exemption to consent and the Data Controller is unable to prove that it was for legitimate interest grounds, or to exercise legal claims.
- Right to erasure (Section 33)
The data subject shall have the right to request the Data Controller to erase or destroy the Personal Data, or to anonymize the Personal Data so that it becomes anonymous data which cannot identify the data subject.
- Right to ask the data controller to restrict the use of the personal data (Section 34)
The data subjects have the right to request the data controller to restrict the use of their personal data when it is no longer necessary to retain such Personal Data for the purposes of such collection.
- Right to accurate and up-to-date personal data (Section 35)
The Data Controller shall ensure that the Personal Data remains accurate, up-to-date, complete, and not misleading.
- Right to withdraw consent (Section 19)
The data subject may withdraw his or her consent at any time. The withdrawal of consent shall be as easy as giving consent, unless there is a restriction of the withdrawal of consent by law, or the contract which gives benefits to the data subject.
Appointment of Data Protection Officer (Section 41)
The Data Controller and the Data Processor shall designate a data protection officer in the following circumstances:
- The Data Controller or the Data Processor is a public authority as prescribed and announced by the Committee.
- The activities of the Data Controller or the Data Processor in the collection, use, or disclosure of the Personal Data require a regular monitoring of the Personal Data or the system, by the reason of having a large number of Personal Data as prescribed and announced by the Committee.
- The core activity of the Data Controller or the Data Processor is the collection, use, or disclosure of the Personal Data according to section 26.
How Mandatly helps you achieve Thailand's PDPA compliance
Mandatly’s PDPA compliance solution goes above and beyond automation and includes comprehensive privacy risk management features that enable you to make effective business decisions and eliminate privacy risks.