Personal Data Protection Act

Personal Data Protection Act (PDPA)

This Act applies to collection, use, or disclosure of personal data in the Kingdom of Thailand by any data processor or data controller, even when such disclosure, use, or collection does not take place in Thailand. Should a data processor or data controller be located outside of Thailand, the Act will still apply to data subjects within Thailand.

"Personal data" means any information relating to a particular person which enables identification of such person, whether directly or indirectly, but not including the information of the deceased persons;

"Data controller" means an ordinary or a juristic person having the power and duties to make decisions regarding collection, use, or disclosure of the personal data;

"Data processor" means a natural or a juristic person who operates in relation to collection, use, or disclosure of the personal data pursuant to the orders given by or on behalf of a data controller, whereby such natural or juristic person is not the data controller.

Background: Personal Data Protection in Thailand

The Personal Data Protection Act was first published in 2019, and there was a period of one year during which companies and other entities could become compliant with the Act in terms of non-compliance penalties, obligations of a data controller, and the rights of a data subject.

The Office of the Data Protection Committee is the main supervising authority, and the Ministry of Digital Economy and Society is the supervisor of the PDPA.

Overview of Thailand's Personal Data Protection

Application of PDPA compliance
‍
In general, the PDPA applies to any disclosure, usage, and collection of data in Thailand or pertaining to Thai citizens. There are some cases where data processors and data controllers must adhere to the PDPA even when they operate outside of Thailand:

• When data subjects are being monitored in Thailand.
• When data subjects have access to goods and services in Thailand.
  ‍

Legal Grounds for Collection, Usage, and Disclosure of Personal Data
There are only six lawful permissions for this practice. In any other case, consent is required from the data subject.

Legally permitted practices include:

• Any instance where data controllers are subject to compliance laws that require data collection.
• In case where the fundamental rights of the data subjects do not override the legitimate interests of a controller or other persons who could benefit from personal data collection.
• When the controller of data needs to carry out a task that is in the public interest and involves the collection of personal data.
• When the data subject is a party to a contract that requires it, or when the data subject wants to enter into a contract that requires steps to be taken.
• For the purpose of preventing danger to a person's health, wellbeing, or life.
• In cases where satisfactory measures are taken to protect the rights of a subject in terms of preparing historical documents for the purpose of public interest, or in relation to statistics or research, and assuming that all prescribed care is taken to follow regulations.

Issues of Consent

There are criteria that must be met for consent to be considered valid:

• Deception or misinformation is not allowed in the request for consent.
• Plain, clear language must be used in requests for consent.
• The request that the form is in must be easily readable and accessible.
• When the data subject is provided with other information, the request for consent must be easily distinguishable from all other information.
• The data subject needs to know what the data is being used for and how it might be disclosed.
• Consent shall be made either in writing or via electronic means of communication.

Privacy Notice

A privacy notice needs to be given to the subject by the time that the data is collected. The notice has to include the following information:

• The rights of the data subject which include:
  • Right to access a copy of their personal data
  • Right to request transfer of the data to other data controllers
  • Right to withdraw consent
  • Right to file complaints
  • Right for accurate maintenance of personal data protection
  • Right to request for suspension of the data usage
  • Right to request for deletion of the data
  • Right to object against disclosure, usage, and collection of personal data
• Contact details of the data protection officer, the controller, and in certain circumstances, the controller's representative
• Identities of organizations or persons to whom data might be disclosed
• How long such data will be kept, or at least an expected data retention period that is in accordance with the data retention standard
• Information on whether it is required for the data subject to provide his or her personal data
• What legal grounds were used for disclosure, usage, or collection of personal data
• The data to be collected:
  • Sensitive data
  • Health related data
  • Other data

Notification of Breaches

Once a data controller becomes aware of a data breach that affects personal data protection, they have 72 hours to notify the office. If the data breach has a significant impact or carries a high risk to the freedom and rights of the subject, then the subject must also be notified as soon as possible.

Data Protection Security Obligations

It is the duty of the data controller to keep data secure:

• Once the retention period is over, there must be a suitable system to destroy records once data processing is complete.
• Methods to prevent the data processor from disclosing or using the data in a way that has not been authorized or is unlawful.
• All reasonable steps are taken to protect data privacy and prevent unlawful correction, disclosure, alteration, use, access to, or loss during data storage.

Cross Border Transfer

While "adequate data protection standards" have not officially been established yet, there is an expectation that when personal data is transferred elsewhere in the world, the country must have adequate protection standards for they govern data protection. The only exception is when exemptions are met.

Penalties Related to Failures of Data Protection

Depending on the severity of the violations of the Personal Data Protection Act, either administrative fines, criminal fines, criminal liability, or civil liability can apply.

For example, when consent was required by law, but a data controller collected data from a data subject without consent, they will receive a fine of up to THB 3 million.

Preparing for the Data Protection Act (PDPA)

Transitional Provisions

Any data collected before 27 May 2020 can still be used, providing that the data controller takes the following steps:

• An opportunity must be provided to the data subjects to object to the use of his or her personal data. The most popular way to do this is to publish a consent withdrawal method.
• Providing no objection is made by the data subject, personal data must only be used for the purpose for which it was originally collected.

Preparing for data protection compliance:

• You must first establish whether the PDPA applies to the activities you are going to undertake.
• If you find out that the PDPA applies to your activities, then you will need to take these steps:
  • Make a map of your data flow.
  • If you are taking over any existing personal data, make sure that your subjects have the opportunity to object, then make sure that you only use the personal data that you do not receive objections for. Furthermore, make sure that such personal data is only used in accordance with its original purpose.
  • Make sure that data processing meets up to the national data protection standard and that you have up-to-date data consent protocols in place.
  • Make sure that you have a legal basis for the disclosure, usage, and collection of such personal data that you might need in your business. There must be a privacy notice and request for explicit consent from any party that you wish to collect personal data from, including business partners.
  • Assure compliance with any other duties that are expected of a data controller.

How do You Govern Data Protection in SMEs?

You might find it easier to ensure compliance in smaller enterprises, as things like undue exploitation is harder to cover up. Other key aspects are easier to keep track of and more direct communication with subjects is attainable. Data owners can invest real time and effort into data portability if necessary, as well as the quest to receive consent where needed and to make sure that the consolidated law is followed closely by data controllers. Communication and transparency with your data subject prior to data collection are also easier in the digital age, and processing activities are less time-consuming when the data pool is smaller.

Remember that in case of data transfer, you should ensure that the data controller sends notifications out about such information. The Thai government will apply both punitive damages and criminal penalties for breach of confidentiality and failure to meet intellectual property standards. The digital age has highly influenced how data and such interests are managed across the world, and Thailand is not the only country with a new law about data protection.

Penalties can be as severe as a large fine or up to one-year imprisonment, especially in the case of very sensitive (for example, public health) or large data breaches. Remember that this law is a Royal decree and is meant to get Thailand ready to meet international standards.

Summary

In case you are a victim of any personal data infringement or leakage, do not hesitate to contact us. Juslaws & Consult is always here to protect your interests.