This Act applies to collection, use, or disclosure of personal data in the Kingdom of Thailand by any data processor or data controller, even when such disclosure, use, or collection does not take place in Thailand. Should a data processor or data controller be located outside of Thailand, the Act will still apply to data subjects within Thailand.
"Personal data" means any information relating to a particular person which enables identification of that person, whether directly or indirectly, but does not include information about deceased persons.
"Data controller" means an ordinary or a juristic person having the power and duties to make decisions regarding collection, use, or disclosure of the personal data;
"Data processor" means a natural or a juristic person who operates in relation to collection, use, or disclosure of the personal data pursuant to the orders given by or on behalf of a data controller, whereby such natural or juristic person is not the data controller.
The Personal Data Protection Act was first published in 2019, followed by a one-year period during which companies and other entities could bring themselves into compliance with the Act's provisions on non-compliance penalties, the obligations of a data controller, and the rights of a data subject.
The Office of the Data Protection Committee is the main supervising authority, and the Ministry of Digital Economy and Society is the supervisor of the PDPA.
Application of PDPA compliance
In general, the PDPA applies to any disclosure, usage, and collection of data in Thailand or pertaining to Thai citizens. There are some cases where data processors and data controllers must adhere to the PDPA even when they operate outside of Thailand:
Legal Grounds for Collection, Usage, and Disclosure of Personal Data
There are only six lawful bases on which personal data may be collected, used, or disclosed. In any other case, consent is required from the data subject.
Legally permitted practices include:
There are criteria that must be met for consent to be considered valid:
A privacy notice needs to be given to the subject by the time that the data is collected. The notice has to include the following information:
Once a data controller becomes aware of a data breach affecting personal data, it has 72 hours to notify the Office. If the breach has a significant impact on, or carries a high risk to, the rights and freedoms of the data subject, the data subject must also be notified as soon as possible.
It is the duty of the data controller to keep data secure:
While "adequate data protection standards" have not yet been officially established, the expectation is that when personal data is transferred to another country, that country must have adequate standards governing data protection. The only exception is where one of the exemptions applies.
Depending on the severity of the violations of the Personal Data Protection Act, either administrative fines, criminal fines, criminal liability, or civil liability can apply.
For example, if consent is required by law but a data controller collects data from a data subject without it, the data controller faces a fine of up to THB 3 million.
Any data collected before 27 May 2020 can still be used, providing that the data controller takes the following steps:
You might find it easier to ensure compliance in smaller enterprises, as things like undue exploitation are harder to cover up. Other key aspects are easier to keep track of, and more direct communication with data subjects is attainable. Data owners can invest real time and effort into data portability where necessary, into obtaining consent where it is needed, and into making sure that data controllers follow the consolidated law closely. Communication and transparency with your data subjects prior to data collection are also easier in the digital age, and processing activities are less time-consuming when the data pool is smaller.
Remember that in the case of a data transfer, you should ensure that the data controller sends out the required notifications about that transfer. The Thai government will apply both punitive damages and criminal penalties for breach of confidentiality and for failure to meet intellectual property standards. The digital age has strongly influenced how data and the interests attached to it are managed across the world, and Thailand is not the only country with a new data protection law.
Penalties can be as severe as a large fine or up to one-year imprisonment, especially in the case of very sensitive (for example, public health) or large data breaches. Remember that this law is a Royal decree and is meant to get Thailand ready to meet international standards.
In case you are a victim of any personal data infringement or leakage, do not hesitate to contact us. Juslaws & Consult is always here to protect your interests.