February 28, 2020

Thailand PDPA Summary: What Businesses Need to Know

Thailand’s Personal Data Protection Act (PDPA) was adopted into law on May 28, 2019, after being published in the Royal Thai Government Gazette a day earlier.

Viewed as Thailand’s groundbreaking data protection regulation, the enforcement of the PDPA’s crucial provisions that are focused on the collection, use, and sharing of personal information has been postponed to commence on 1 June 2021.

The key principles and requirements of Thailand’s PDPA are adapted from the GDPR (Check out the key differences between PDPA and GDPR). Nonetheless, it is important for businesses operating in Thailand or handling data of Thai residents to acquaint themselves with this regulation with the compliance deadline fast approaching.

What is PDPA?

Like the GDPR, the aim of the PDPA is to safeguard Thai data owners from the illegal collection, use, or sharing of their personal information.

Who Needs to Comply with PDPA

The scope of the PDPA covers businesses that are not headquartered in Thailand that market goods or services to Thai residents, or track their behavior. 

Most importantly, this law is applicable regardless of whether any payment is required for these activities or not.

Some of the core similarities between the PDPA and GDPR include;

  • A set of legal bases for processing personal information
  • Individual rights
  • Creation of a data protection oversight body

Under the PDPA, the legal bases for processing personal data include consent, legal obligation, public interest, and legitimate interest.

On the other hand, individual privileges include, but are not limited to the rights to access, erasure, or modify.

Lastly, the PDPA also aims to establish a Personal Data Protection Committee (PDPC), which is similar to the GDPR’s Data Protection Authorities (DPAs).

What are the Key Definitions in the PDPA?

It goes without question that the key definitions in Thailand’s PDPA are inspired by the GDPR. They include;

Personal Data; broadly described as information that can directly or indirectly pinpoint an individual. However, this definition does not include the data of a deceased individual, or private business information such as contact details, titles, or location.

Data Controller; The PDPA identifies a data controller as the authority that determines the means and purpose of collecting, using, and sharing personal data.

Data Processor; According to the PDPA, a data processor is any individual or party that gathers, uses, or shares personal information as directed by the data controller.

Sensitive Personal Data; This is information related to a data subject’s race, political views, religious beliefs, criminal background, genetic information, health data, sexual preference, biometric information, as well as trade union membership

Which Consumer Rights does the PDPA Protect?

Primarily, the PDPA is focused on safeguarding data owners from the illegal collection, use, or disclosure of personal data.

Like the GDPR, websites will be expected to have a simple and clear language in their privacy policies, seek active consent from users at the point of collecting, and sharing the data with third parties, as well as outlining the purpose of collecting this information.

As such, the rights of data owners under the PDPA include;

  • The right to be informed
  • The right to access
  • The right to data portability
  • The right to object
  • The right to erasure/right to be forgotten
  • The right to restrict processing
  • The right to rectify

What are the PDPA’s Consent Requirements?

Similar to the GDPR, Thailand’s PDPA explicitly states that clear, express consent must be sought on or before the collection of personal information. The law goes to make it clear that consent requests should not be misleading or deceptive.

Another crucial aspect regarding consent requirements under the PDPA is that data owners are allowed to withdraw their consent at any time. However, this withdrawal does not affect the collection, processing, or sharing of personal information that had been legitimately consented to.

However, the law also exempts the need for consent for the collection of personal information in specific circumstances. They include;

  • The fulfillment of contractual obligations
  • Public interest
  • Legitimate interest

Concerning minors, Thailand’s data privacy law requires parental consent for data subjects below 10 years old. This provision differs from the GDPR which requires parental consent for all children below the age of 16.

How Will the PDPA be enforced?

This regulation will establish the Personal Data Protection Committee (PDPC). The PDPC will be responsible for the enforcement of the PDPA and guarantee compliance through the development of guidelines and implementation of a data protection framework.

What are the PDPA’s Penalties for Non-compliance?

Companies found in violation of Thailand’s data privacy law will be liable to both criminal and civil fines. Each offense is likely to attract administrative penalties of up to TBH 5 million, which is equivalent to $165,000.

Apart from the fines, the PDPA also allows courts to enforce punitive compensations of up to double the amount of the actual damages and a one-year prison sentence.

Lastly, the PDPA allows data owners to lodge class action lawsuits.

How can you prepare for The PDPA?

It is vital for businesses to begin assessing their data processing practices and take the necessary measures to ensure compliance. Some of the steps include:

  • Data mapping to understand how your company collects, processes, transmits, and stores data, which includes identifying the legal basis to collect and use personal data
  • Reviewing internal policies, agreements, and practices related to personal data
  • Implementing data management processes and operating systems
  • Updating existing privacy notices and creating relevant legal documents
  • Ensuring employees and personnel are fully trained on the relevant requirements of the PDPA
  • Conducting a gap assessment to identify the current levels of compliance
  • Having processes in place that exercise the rights of individuals relating to their personal data