Thailand Personal Data Protection Act (PDPA)
Effective Date: 1 June 2022
Thailand’s PDPA is its first national data protection law. Among its provisions, data controllers and data processors, including both public and private entities, are required to obtain consent from data subjects before collecting, using, or disclosing personal data. Thailand’s Personal Data Protection Act ensures that personal data is protected and not misused.
Scope
The PDPA applies to personal data collected, used, and disclosed by a data controller or data processor in Thailand, irrespective of whether the collection, use, or disclosure occurs in Thailand or elsewhere.
If a data controller or a data processor is outside of Thailand, the PDPA shall apply to the collection, use, or disclosure of personal data of data subjects who are in Thailand, where the activities of such data controller or data processor are the following:
- The offering of goods or services to the data subjects who are in Thailand, irrespective of whether the payment is made by the data subject;
- The monitoring of the data subject’s behavior, where the behavior takes place in Thailand.
To whom it can be enforced:
1. Civil Liability (Sections 77 and 78):
The data controller or the data processor whose operation in relation to personal data violates or fails to comply with the provisions of this Act, and thereby causes damage to the data subject, shall compensate the data subject whether such operation is performed intentionally or negligently. The compensation includes all necessary expenses incurred by the data subject to prevent damage likely to occur, or spent to suppress damage that has already occurred.
2. Criminal Liability (Sections 79-81):
Any data controller who violates the provisions under section 27, or fails to comply with section 28, in relation to the personal data under section 26 can be punished with imprisonment for a term not exceeding one year and a fine ranging from a few thousand baht to 5 million baht, depending on the nature of the violation.
Personal Data:
Under the Thailand Personal Data Protection Act (PDPA), “Personal Data” refers to any information relating to an identifiable individual, whether directly or indirectly, whether in a private or public context, and regardless of the medium used to process that data. This includes any data that can be used to identify a person, such as their name, identification number, contact information, financial data, online identifiers, biometric data, and more.
The PDPA recognizes two main categories of personal data:
- Personal Data: This category includes personal data that is commonly available and not considered sensitive. Examples include names, addresses, phone numbers, and email addresses.
- Sensitive Personal Data: This category includes personal data that is considered more private and sensitive. It includes data related to race, ethnicity, political opinions, religious or philosophical beliefs, sexual orientation, health information, genetic data, biometric data, criminal records, and more.
Privacy Assessments:
The Thailand Personal Data Protection Act (PDPA) requires organizations to conduct privacy assessments as part of their data protection practices. Privacy assessments, also known as data protection impact assessments (DPIAs) in some contexts, are a systematic way of identifying and evaluating potential privacy risks that may arise from processing personal data. These assessments help organizations make informed decisions about how to handle personal data in a way that respects individuals’ privacy rights and complies with the PDPA.
Data Subject Rights (Sections 30-35)
- Right to information access (Section 30)
- Right to data portability (Section 31)
- Right to object to the collection, use, or disclosure of personal data (Section 32)
- Right to erasure (Section 33)
- Right to ask data controller to restrict the use of the personal data (Section 34)
- Right to accurate and up-to-date personal data (Section 35)
- Right to withdraw consent (Section 19)
Data Controller and Data Processor Obligations:
1. Consent:
Organizations must obtain consent from individuals before collecting, using, or disclosing their personal data, unless there is a legal basis for doing so without consent.
2. Cross-Border Data Transfer:
The PDPA sets requirements for transferring personal data outside of Thailand, including obtaining consent and ensuring that the recipient country offers an adequate level of data protection.
3. Data Security:
Organizations are required to implement appropriate security measures to protect personal data from unauthorized access, disclosure, or loss. The PDPA requires that employers implement a system to destroy personal data when the retention period is over, when the data is no longer necessary or when the employee requests its destruction.
4. Data Breach Notification:
Organizations are obligated to report data breaches to the relevant authorities and affected individuals within a specified timeframe.
5. Data Protection Officer (DPO):
Certain organizations are required to appoint a Data Protection Officer responsible for ensuring compliance with the PDPA. The DPO is a new position established under the PDPA: the person responsible for helping the organization ensure that data subjects’ personal data is processed in a manner consistent with, and feasible under, the PDPA requirements, and who serves as the contact point for PDPA issues with the authority and with data subjects.
6. Penalties:
Non-compliance with the PDPA can result in fines, imprisonment, or other sanctions. The PDPA imposes penalties for non-compliance with administrative fines (up to THB 5 million), criminal penalties (imprisonment up to one year and/or fines up to THB 1 million), and punitive damages up to twice the amount of the actual damages.