Email
Tel. +66 95 502 8852

Personal Data Protection Act

Personal Data Protection Act (PDPA)

This Act applies to the collection, use, or disclosure of Personal Data in the Kingdom of Thailand, by a Data Processor or Data Controller, even when the disclosure, use, or collection does not happen in Thailand. Should a Data Processor or Data Controller be outside of Thailand, the Act will apply to data subjects within Thailand.

"Personal Data" means any information relating to a person, which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased Persons in particular;
"Data Controller" means a Person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data;
"Data Processor" means a Person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such Person or juristic person is not the Data Controller.

Background of Data Protection: Thailand

The Personal Data Protection Act was first published in 2019. There is a period of one year in which companies and entities can become compliant with the Act in terms of non-compliance penalties, obligations of a data controller, and the rights of a data subject.

The Office of the Data Protection Committee is the main supervising authority, and the Ministry of Digital Economy and Society is the supervisor of the PDPA.

Overview of Thailand's Personal Data Protection

Definitions
Person will refer to a natural person.
Personal Data will refer to information relating to someone that facilitates their identification, either indirectly or directly, but excludes information on deceased persons.

Application of PDPA compliance

In general, the PDPA applies to the disclosure, usage, and collection of data in Thailand or of Thailand citizens. There are some cases where data processors and data controllers must adhere to the PDPA when they are outside of Thailand:

  • When data subjects are being monitored in Thailand.
  • When data subjects have access to goods and services in Thailand.

Lawful bases for collection, usage, and disclosure of Personal Data
There are only six lawful bases for this practice. In any other case, consent is required from the data subject.

Lawful bases include:

  • Any instance where data controllers are subject to compliance laws that require data collection.
  • In cases where the fundamental rights of the data subjects do not override the legitimate interests of a controller or other persons who could benefit from Personal Data Collection.
  • When the controller of data needs to carry out a task that is in the public interest and involves the collection of personal data.
  • When the data subject is a party to a contract that requires it, or when the data subject wants to enter into a contract that requires steps to be taken.
  • For the purpose of preventing danger to a person's health, body, or life.
  • In cases where satisfactory measures are taken to protect the rights of a subject in terms of preparing historical documents for the purpose of public interest, or in relation to statistics or research, and assuming that all prescribed care is taken to follow regulations.

Issues of Consent

There are criteria that must be met for consent to be considered valid:

  • Deception or misinformation is not allowed in the request for consent.
  • Plain, clear language must be used in requests for consent.
  • The request that the form is in must be easily readable and accessible.
  • When the data subject is provided with other information, the request for consent must be easily distinguishable from all other information.
  • The data subject needs to know what the data is being used for and how it might be disclosed.
  • Consent needs to be made in written or electronic form.

Privacy Notice

A privacy notice needs to be given to the subject by the time that the data is collected. The notice has to include the following information:
The rights of the data subject include;

  • The rights of the data subject include;
    • right to access a copy of their personal data
    • request transference of data to other data controllers
    • right to withdraw consent
    • file complaints
    • accurate maintenance of personal data protection
    • request that use be suspended
    • request that data be deleted
    • Object to disclosure, usage, and collection of personal data
  • contact details of the data protection officer, the controller, and in certain circumstances, the controller's representative
  • the identity of organizations or persons to whom data might be disclosed
  • How long such data will be kept, or at least an expected data retention period that is in accordance with the data retention standard
  • Information on whether it is required for the data subject to provide his or her personal data.
  • What lawful basis was relied on for disclosure, usage, or collection of personal data.
  • The data to be collected:
    • Sensitive data
    • health data
    • etc.

Notifications of Breaches

Once a data controller becomes aware of a data breach that affects personal data protection, they have 72 hours in which to notify the office. If the data breach will have a significant impact or carries a high risk to the freedom and rights of the subject, then the subject must also be notified as soon as possible.

Data Protection Security Obligations

It is the duty of the data controller to keep data secure:

  • Once the retention period is over, there must be a suitable system to destroy records once data processing is complete.
  • Methods to prevent the data processor from disclosing or using the data in a way that has not been authorized or is unlawful.
  • All reasonable steps are taken to protect data privacy and prevent unlawful correction, disclosure, alteration, use, access to, or loss during data storage.

Cross Border Transfer

While "adequate data protection standards" have not officially been established yet, there is an expectation that when personal data is transferred elsewhere in the world, the country must have adequate protection standards for they govern data protection. The only exception is when exemptions are met.

Penalties Related to Failures of Data Protection

Depending on the severity of the violations of the Personal Data Protection Act, either administrative fines, criminal fines, criminal liability, or civil liability can apply.

For example, when consent was required by law, but a data controller collected data from a data subject without consent, they will receive a fine of less than THB 3 million.

Preparing for the Data Protection Act (PDPA)

Transitional provisions

Anything collected before 27 May 2020 can still be used, providing that the data controller takes the following steps:

  • An opportunity must be provided to the data subjects to object to the use of his or her personal data. The most popular way to do this is to publish a consent withdrawal method.
  • Providing no objection is made by the data subject, personal data must only be used for the purpose for which it was originally collected.

Preparing for data protection compliance:

  • You must first establish whether the PDPA applies to the activities you are going to undertake.
  • If you that the PDPA applies, then you will need to take these steps:
    • Make a map of your data flow.
    • If you are taking over any existing personal data, make sure that your subjects have the opportunity to object, then make sure that you only use the personal data that you do not receive objections for. Furthermore, make sure that such personal data is only used in accordance with its original purpose.
    • Make sure that data processing meets up to the national data protection standard and that you have up-to-date data consent protocols in place.
    • Make sure that you have a legal basis for the disclosure, usage, and collection of such personal data that you might need in your business. There must be a privacy notice and request for explicit consent from any party that you wish to collect personal data from, including business partners.
    • Assure compliance with any other duties that are expected of a data controller.

How do I Govern Data Protection in Small Businesses and Medium-Sized Enterprises?

You might find it easier to ensure compliance in smaller enterprises as things like undue exploitation is harder to cover up. Other key aspects are easier to keep track of and more direct communication with subjects is attainable. Data owners can invest real time and effort into data portability if necessary, as well as the quest to receive consent where needed and to make sure that the consolidated law is followed closely by data controllers. Communication and transparency with your data subject prior to data collection are also easier in the digital age, and processing activities are less time-consuming when the data pool is smaller.

Remember that in the case of data transfer, you should ensure that the data controller sends notifications out about such information. The Thai government will take punitive damages and criminal penalties for breach of confidentiality and failure to meet intellectual property standards quite seriously. The digital age has highly influenced how data and such interests are managed across the world, and Thailand is not the only country with a new law about data protection.

Penalties can be as severe as a large fine or up to one-year imprisonment, especially in the case of very sensitive (for example, public health) or large data breaches. Remember that this law is a Royal decree and is meant to get Thailand ready to meet international standards.

Summary

In case you are a victim of any personal data infringement or leakage, Juslaws is here to protect you for civil or criminal cases that may arrive.   

You might be interested in the following resources:
Setup your Thai Company with BOI Thailand
Speak with a Foreign Business License Lawyer
Everything you need to know on - Company Registration Thailand
Business & Commercial
Setting Up a Cannabis Business in Thailand
Respresentative Office
Partnerships
TAFTA
JTEPA
Joint Venture
International Trade Centers(ITC)
International Headquarters(IHQ)
Factory License
Branch Office
US Amity Treaty Company
Setting Up a Cannabis Business in Thailand
Respresentative Office
Partnerships
TAFTA
JTEPA
Joint Venture
International Trade Centers(ITC)
International Headquarters(IHQ)
Factory License
Branch Office
US Amity Treaty Company
Company Registration in Thailand
BOI Registration
Foreign Business License
Thai Customs & Free Zone
Work Permit in Thailand
Visa in Thailand
Corporate Due Diligence
Trademark Registration
Business Restructure & Debt Settlement
See More
We’re here to help
Please fill in the form and we will contact you as soon as possible.
Select Branch
Inquiry Sent
Thank You For Contacting Us
We will contact you as soon as possible

Please allow us up to 24 hours 
to get back to you 
Customer Service Team
Oops! Something went wrong while submitting the form.
Navigation
Home
Civil Litigation
Criminal Litigation
Business & Commercial
Property & Investment
ADR & Arbitration
Taxation
Privacy Policy
Contact us
Awards & Memberships
Bangkok Office
140 One Pacific Place ,1905-1907 19th Floor, Sukhumvit Road, Klongtoey District Bangkok 10110, Thailand
+66 95 502 8852  - 24 Hrs
+66 95 248 4292  - 24 Hrs
+66 2 254 4117
legal@juslaws.com
inquiries@juslaws.com
property@juslaws.com
Phuket Office
The Royal Place 96/66 Moo.1 Kathu, Kathu, Phuket 83120. Thailand
+66 95 502 8852 - 24 Hrs
+66 95 248 4292 - 24 Hrs
+66 7 630 4353
legal@juslaws.com
inquiries@juslaws.com
property@juslaws.com
©  2021, Juslaws & Consult Co., Ltd. All rights reserved.
Website by Revilian