This Act applies to the collection, use, or disclosure of Personal Data in the Kingdom of Thailand, by a Data Processor or Data Controller, even when the disclosure, use, or collection does not happen in Thailand. Should a Data Processor or Data Controller be outside of Thailand, the Act will apply to data subjects within Thailand.
"Personal Data" means any information relating to a person, which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased Persons in particular;
"Data Controller" means a Person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data;
"Data Processor" means a Person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such Person or juristic person is not the Data Controller.
The Personal Data Protection Act was first published in 2019. There is a period of one year in which companies and entities can become compliant with the Act in terms of non-compliance penalties, obligations of a data controller, and the rights of a data subject.
The Office of the Data Protection Committee is the main supervising authority, and the Ministry of Digital Economy and Society is the supervisor of the PDPA.
Person will refer to a natural person.
Personal Data will refer to information relating to someone that facilitates their identification, either indirectly or directly, but excludes information on deceased persons.
Application of PDPA compliance
In general, the PDPA applies to the disclosure, usage, and collection of data in Thailand or of Thailand citizens. There are some cases where data processors and data controllers must adhere to the PDPA when they are outside of Thailand:
Lawful bases for collection, usage, and disclosure of Personal Data
There are only six lawful bases for this practice. In any other case, consent is required from the data subject.
Lawful bases include:
There are criteria that must be met for consent to be considered valid:
A privacy notice needs to be given to the subject by the time that the data is collected. The notice has to include the following information:
The rights of the data subject include;
Once a data controller becomes aware of a data breach that affects personal data protection, they have 72 hours in which to notify the office. If the data breach will have a significant impact or carries a high risk to the freedom and rights of the subject, then the subject must also be notified as soon as possible.
It is the duty of the data controller to keep data secure:
While "adequate data protection standards" have not officially been established yet, there is an expectation that when personal data is transferred elsewhere in the world, the country must have adequate protection standards for they govern data protection. The only exception is when exemptions are met.
Depending on the severity of the violations of the Personal Data Protection Act, either administrative fines, criminal fines, criminal liability, or civil liability can apply.
For example, when consent was required by law, but a data controller collected data from a data subject without consent, they will receive a fine of less than THB 3 million.
Anything collected before 27 May 2020 can still be used, providing that the data controller takes the following steps:
You might find it easier to ensure compliance in smaller enterprises as things like undue exploitation is harder to cover up. Other key aspects are easier to keep track of and more direct communication with subjects is attainable. Data owners can invest real time and effort into data portability if necessary, as well as the quest to receive consent where needed and to make sure that the consolidated law is followed closely by data controllers. Communication and transparency with your data subject prior to data collection are also easier in the digital age, and processing activities are less time-consuming when the data pool is smaller.
Remember that in the case of data transfer, you should ensure that the data controller sends notifications out about such information. The Thai government will take punitive damages and criminal penalties for breach of confidentiality and failure to meet intellectual property standards quite seriously. The digital age has highly influenced how data and such interests are managed across the world, and Thailand is not the only country with a new law about data protection.
Penalties can be as severe as a large fine or up to one-year imprisonment, especially in the case of very sensitive (for example, public health) or large data breaches. Remember that this law is a Royal decree and is meant to get Thailand ready to meet international standards.
In case you are a victim of any personal data infringement or leakage, Juslaws is here to protect you for civil or criminal cases that may arrive.