What is PDPA?

What Does PDPA Stand For?

The Thailand PDPA stands for the new Personal Data Protection Act B.E.2562 of the Kingdom of Thailand. It was passed in 2019 and was scheduled to take full effect on 27 May 2020.

However, In May 2020, the Thai Cabinet approved a royal directive granting a one-year exemption from certain provisions of the Personal Data Protection Act 2019 (PDPA) up to May 31, 2021, when the new law will be expected to be fully implemented.

PDPA is the most comprehensive Thai data privacy law to date. It expands on the rights of users whose data you collect, which means expanding on your obligations as well.

Is It Similar To Other Data Protection Laws, Such As GDPR And CCPA?

The Thailand PDPA follows the trend set by the GDPR. It has many similarities with this regulation, as well as with data protection laws of East and South-East Asia. If your business complies with the GDPR, it would be easy to comply with the PDPA as well. Read more about Thailand PDPA vs. GDPR and what the key differences are. 

Who Does PDPA Apply To?

The Thailand PDPA applies to:

• Thai businesses that collect or process personal data in Thailand from users from anywhere in the world
• Any business from all around the world that collects or processes personal data of Thai citizens for the purposes of:

1. the offering of goods or services to data subjects on the territory of Thailand, irrespective of whether the payment is made by them or not
2. the monitoring of the data subject’s behaviour, where the behaviour takes place in Thailand.
   

What Are The Penalties For Non-Compliance?

There are two types of penalties for violation of the Thailand PDPA: administrative and criminal penalties.

Most of the violations lead to administrative penalties imposed by the Personal Data Protection Committee. Depending on the severity of the violation, fines may go up to 5 million baht, which is around USD 150,000.

For some violations, PDPA prescribed criminal penalties including imprisonment of up to one year and fines of up to 5 million baht. You may face such penalties if you:

• Disclose to another person the personal data obtained while performing the duties under this Act
• Disclose sensitive personal data without data subject’s consent or for a purpose other than what the consent has been given for a personal benefit or in a way that may cause them damage, or
• Transfer sensitive personal data to a country without adequate personal data protection standards for a personal benefit or in a way that may cause damage to data subjects.

In addition to the penalties, you are liable for the damages that the data subject has suffered due to your non-compliance with the law. If proven responsible, you’d have to compensate them for the damages. Read more about how you can make your website PDPA compliant. 

What Is Personal Data?

According to Section 6 of the law, personal data is any information relating to a person, which directly or indirectly enables the identification of such a person. This includes names, address, email address, phone number, ID number or another number that identifies a specific person, and others.

Although there is no explicit definition in the PDPA, the law implies that sensitive data is any personal data related to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner.

PDPA protects only living individuals. It excludes deceased persons from protection.

Do I Need To Obtain Consent Before Collecting Or Processing Personal Data?

Yes, you have to obtain explicit user’s consent before collecting or processing their data. The request must be presented in a way that clearly differentiates the request from the other content on the website. In addition, you have to inform the user about the purpose of data collection or processing in a clear and non-deceptive way.

This means that you need a cookie banner requesting consent for using cookies. Inserting a link to your privacy policy on that banner is a practical way to inform users about the purpose of data collection.

What About Consent From Minors?

When collecting consent from a minor, you need to obtain the consent from both the minor and their parent.

If the minor is a child under the age of 10, you need consent only by the parent.

Find your National Data Protection Authority online

Is Our Privacy Policy Compliant With The Thailand PDPA?

A Thailand-PDPA-compliant privacy policy contains at least the following:

• Information on the purpose of collection, use, or disclosure of personal data
• Notification if the user is obliged to provide their personal data for compliance with law or contract or entering a contract, if applicable
• The personal data to be collected and the retention period
• The categories of persons or entities to whom the collected personal data may be disclosed
• Your information, address, and the contact channel details or your representative or data protection officer, if applicable, and
• The rights of the data subject.

This is the minimum that any privacy policy must meet. If you want to be more transparent, you can add more information.

What Rights Do My Visitors And Users Have?

Your users have the right to:

• Be informed about the purpose of collection and processing of data
• Withdraw the consent given for the collection and processing of their personal data
• Non-discrimination for not giving consent for data collection and processing
• Access and obtain a copy of their data
• Object to the collection, use, and disclosure of their data
• Restrict the use of their data
• Correct their data
• Have their data transferred to another data controller
• Have their data erased, destroyed, or anonymized

In addition, you have to ensure that the data is accurate, up-to-date, complete, and not misleading.

If you do not allow users to exercise their rights under the PDPA, they have the right to file a complaint to the Personal Data Protection Committee, which may lead to penalties for you.

Can We Transfer Personal Data Freely Abroad?

You can transfer personal data to foreign countries only if the destination country has implemented adequate standards of data protection. If you want to transfer data to an inadequate country, then you have to obtain consent from the data subject for that specific purpose. If you have dilemmas whether your destination country has implemented such standards, you should request the Committee to decide.

When the data controller and the data processor belong to the same business group, they do not need to obtain consent for transferring data between each other.

Do We Need A Data Protection Officer?

You need a Data Protection Officer only if you meet any of the following requirements:

• You are a public authority
• You collect, use, or disclose large amounts of personal data (the Committee has yet to decide what does ‘large amount’ mean) and your activities require regular monitoring on the personal data or the system
• Your core activity includes the collection, use, or disclosure of sensitive personal data

When the data controller and the data processor belong to the same business group, they may appoint a joint DPO.

Who Enforces PDPA

The Personal Data Protection Committee enforces the PDPA. It has the power to impose administrative penalties. Criminal processes arising as a result of non-compliance with this law, however, are handled by the criminal prosecution authorities and courts.

Do We Need A Representative In Thailand?

You need to appoint in writing a representative located in Thailand if you are a foreign business that collects or processes personal data of Thai citizens for the purposes of:

• The offering of goods or services to data subjects on the territory of Thailand, irrespective of whether the payment is made by them or not
• The monitoring of the data subject’s behaviour, where the behaviour takes place in Thailand.

The representative shall be authorized to act on your behalf without any limitation of liability regarding the collection, use or disclosure of the personal data according to your purposes.

What Should We Do In Case Of A Data Breach?

You have to notify any data breaches to the Office of the Personal Data Protection Committee without delay and, if possible, within 72 hours after having become aware of it, unless such personal data breach is unlikely to cause a risk to the rights and freedoms of the data subjects.

If the breach is likely to cause a risk to the rights and freedoms of the data subjects, then you have to notify without delay the data subjects as well.