Introduction
In an age where data privacy is paramount, Thailand has introduced comprehensive laws to ensure data protection. It is now vital that businesses operating in Thailand understand and enforce the requirements established in the Personal Data Protection Act. Failure to comply can result in the company facing large sanctions, including criminal prosecution and fines of up to 5 million THB. This comprehensive guide is your essential companion for achieving full PDPA compliance.
Thailand’s PDPA stands for Personal Data Protection Act has brought significant change to the data privacy law landscape in Thailand. As of 2023, the PDPA has been fully implemented; organizations must comply with the PDPA’s deep and complex requirements.
This comprehensive guide will explore the key provisions and obligations under Thailand’s PDPA, providing a clear roadmap for organizations to navigate the data protection landscape.
Key Points
- The PDPA stands for the Personal Data Protection Act and is Thailand’s first comprehensive regulatory framework and data protection law for protecting sensitive personal data.
- Failure to comply can result in the company facing large sanctions, including criminal prosecution and fines of up to 5 million THB.
- Companies must have a clear legal basis for collecting and processing personal data.
- Companies must establish a policy for managing personal data and implement reasonable safeguards to protect it.
- Companies must inform data subjects of the purpose and legal basis for collecting, using, disclosing, or transferring their personal data.
- Companies must appoint a Data Protection Officer (DPO) to ensure compliance with the PDPA.
What is the PDPA Thailand?
The PDPA Thailand stands for Personal Data Protection Act and is Thailand’s first consolidated data privacy law. It is influenced by the EU General Data Protection Regulation (GDPR) but also incorporates unique national perspectives. The PDPA aims to empower individuals to control the collection, usage, and disclosure of their sensitive personal data under the PDPA by data controllers. It applies to all organizations that collect, use, or disclose personal data in Thailand or of Thai residents, regardless of their legal status or presence in the country.
What are the Key Definitions of the PDPA?
To better understand the PDPA, let’s start with some important definitions:
- Data subject: An individual who can identified by the information collected. Identification can be either directly or indirectly.
- Personal Data: Any information that enables the identification of a person, whether directly or indirectly, excluding data of deceased individuals.
- Data Controller: A person or entity responsible for making decisions regarding collecting, using, or disclosing personal data.
- Data Processor: A person or entity that collects, uses, or discloses personal data on behalf of a data controller.
These definitions form the foundation for understanding the roles and responsibilities of organizations under the PDPA.
What is the Scope of Application for the PDPA?
The PDPA has both territorial and extraterritorial scope. It applies to the collection, usage, and disclosure of personal data by data controllers or data processors in Thailand, regardless of where the actual processing occurs. Additionally, organizations outside Thailand that collect, use, or disclose personal data of individuals in Thailand may also be subject to the PDPA if they offer goods or services to Thai data subjects or monitor their behavior within Thailand.
What are the Consent and Legal Bases for Collecting Data under the PDPA?
Under the PDPA, organizations must obtain consent from data subjects before collecting, using, or disclosing their sensitive personal data under the PDPA unless there is a legal basis for processing.
The legal bases include:
- the performance of a contract,
- compliance with legal obligations,
- protection of vital interests, public interest,
- and legitimate interests of the data controller.
Sensitive personal data requires explicit consent, except in specific circumstances such as protecting a person’s life or health.
The request for consent must be explicit, written or electronic, and separated from other messages. Organizations must ensure that consent is freely given and not conditional on entering into a contract. Data subjects can refuse or withdraw their consent at any time.
What are the Obligations of Data Controllers?
Data controllers have several obligations under the PDPA to protect personal data. These include:
- Notice: Data controllers must provide notice to data subjects about the collection, usage, and disclosure of their personal data. The notice should include the purpose of collection, data retention period, categories of recipients, contact details of the data controller, and data subject’s rights.
- Data Minimization: Data controllers must collect only the personal data that is necessary for the intended purpose and ensure its accuracy, completeness, and currency.
- Security Measures: Data controllers must implement appropriate security measures to protect personal data from loss, unauthorized access, alteration, or disclosure.
- Data Processing Records: Data controllers must maintain records of their data processing activities, including the purposes of processing, categories of personal data, recipients of data, and data retention periods.
- Data Protection Impact Assessment (DPIA): While not explicitly required, data controllers must assess the level of risk associated with their data processing activities and implement appropriate security measures.
How Long Can a Company Keep Sensitive Personal Data?
The Law doesn’t specify the exact retention period. Still, in practice, the company may retain personal data as long as it is necessary to fulfill the purpose of collecting, using, disclosing, or transferring personal data as required or permitted by applicable laws.
Data Transfers and Cross-Border Transfers
The PDPA imposes restrictions on the transfer of personal data outside of Thailand. Organizations must ensure that the recipient country or international organization has adequate data protection standards. Transfer without adequate protection is only permitted in specific circumstances, such as with the data subject’s consent or for the performance of a contract. Group companies may be exempt from certain transfer requirements if they have approved personal data protection policies.
What are the Rights of Data Subjects?
The PDPA grants data subjects several rights to control their personal data. These include:
- Right to Access: Data subjects can request access to their personal data and obtain a copy of it.
- Right to Rectification: Data subjects can request the correction of inaccurate or incomplete personal data.
- Right to Erasure: Data subjects can request the deletion or anonymization of their personal data under certain circumstances.
- Right to Restriction of Processing: Data subjects can request the suspension of the processing of their personal data.
- Right to Data Portability: Data subjects can receive their personal data in a machine-readable format and request its transfer to another data controller.
- Right to Object: Data subjects can object to the processing of their personal data in specific situations.
- Right to Withdraw Consent: Data subjects have the right to withdraw their consent to the processing of their personal data.
What Must a Company Do If There Is a Personal Data Breach Notification?
In the event of a personal data breach, data controllers must report the breach to the PDPC without undue delay and, if feasible, within 72 hours of becoming aware. They also must notify affected data subjects if the breach is likely to result in high risks to their rights and freedoms. The PDPC has issued regulations specifying the procedures and requirements for personal data breach notification.
Personal data breaches can include:
- access by an unauthorized third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission, and
- loss of availability of personal data.
How Do I become PDPA Compliant?
To ensure full compliance with the PDPA, companies should undertake the following points:
Review the data collection and the data protection levels in your company
You may need to undertake data mapping to see what data you have about customers, users, employees, and others.
Important areas to consider are:
- What type of information is collected?
- What is the purpose of personal data collection, usage, and disclosure?
- Who is the data collected from? users; clients; suppliers; business contacts or other people;
- Does your company have Internal Policies regarding data breach practices or a privacy framework/policy?
- Do you ask/seek any consent from the data subject?
- Where do you store the data? How is it protected?
- Who do you share it with? Any contract in place?
Improve your consent forms, privacy policy, and internal measures to comply with the PDPA
The data controller and data processor must ensure full compliance with the PDPA and provide appropriate security measures to prevent unauthorized access to personal data.
Make sure you have appropriate records for the PDPA regulator
When the PDPA is fully enforced, a data controller and a data processor must maintain records to enable the data subject and the Office of the Personal Data Protection Committee to check upon.
Train your employees
To ensure compliance, you must ensure that all employees are fully trained and familiar with the PDPA. Therefore, it is highly recommended to share any information relating to your internal policies, the details of the PDPA, and penalties for breaching it, throughout your organization.
If you do not have any of these safeguards in place or would like to have your practices reviewed to ensure compliance, our legal experts are ready to help.
Our experienced lawyers and experts will be able to provide the following services to you to ensure full compliance with the PDPA:
Drafting or reviewing the following items:
1) PDPA consent (general and direct marketing consent)
2) Privacy Policy or Personal Data Collection Statement and purpose limitation in English or Thai (One language only – translation can be provided with an additional fee).
Reviewing your Terms and Conditions (T&C) to mitigate foreseeable risks (e.g. age of users/customers for validity of data privacy consent and disputes that may occur from your features in relation to PDPA or other law)
Preliminary analysis of your internal procedures to see if it complies with the PDPA.
Drafting or Reviewing a Privacy Policy for employees and candidates includes proper consent and provides contractual clauses to be added to any employment agreements.
What Are The Penalties for Non-Compliance With The PDPA?
Non-compliance with the PDPA provisions should be taken seriously. It involves heavy fines and penalties (Administrative fines up to THB 5 million, Criminal penalties up to THB 1m and/or 1-year imprisonment), not to mention that it would squander the faith and trust existing and potential customers may have placed on you.
The penalties can take the form of:
Civil penalties
Civil penalties may be sought against an offending party when a data controller or data processor fails, intentionally or negligently, to comply with the PDPA’s requirements.
Should a data subject encounter such a situation, they can claim actual compensation from the data controller or the data processor. Examples of actual compensation all actual expenses spent by the data subject used to prevent or avoid such damage.
Additionally, should the data controller/processor be found to be in breach of the PDPA, the court can sentence the data controller or data processor to pay punitive damages to the data subject in addition to the actual compensation.
Punitive damages are limited and must not exceed two times the actual compensation amount.
The statute of limitations for claiming civil compensation due to breaches of the PDPA is three years from the acknowledgment of the breach and the identification of offenders by the data subject or ten years from a wrongful act by the data controller or data processor.
Criminal penalties
Breaches of the PDPA can result in criminal penalties being enforced due to the following actions:
Scenario 1
If the data controller:
- uses or discloses personal data without the consent of the data subject where consent is legally required or
- receives personal data from another data controller and uses or discloses this personal data for purposes other than the purposes previously informed to the disclosing data controller or
- sends or transfers sensitive personal data to a foreign country that does not have an adequate data protection standard without other legal exceptions.
If the scenario above is found to have occurred, these actions must have been made in a manner that is likely to cause the data subject to suffer any damage, impair the person’s reputation, or expose the person to be scorned, hated, or humiliated. If this is true, the data controller could face a punishment of imprisonment for up to six months, or a fine up to 500,000 Baht, or both.
If the data controller commits any of these acts to receive unlawful benefits (for themselves or others), the data controller may be imprisoned for up to one year or fined up to one million Baht, or both.
Scenario 2
If any person obtains the personal data of the data subject as a result of performing duties under the PDPA and then discloses this personal data to any other unauthorized person, they may face a punishment of imprisonment up to six months or a fine up to 500,000 Baht, or both.
However, there are certain circumstances in which these actions are permitted. For example, where the disclosure of the information is in the interest of investigation procedures, court proceedings, or the data subject provided written consent.
Administrative penalties
Administrative penalties may apply to the data controller, the data processor, or anyone violating the PDPA’s provisions.
Administrative penalties consist of a monetary fine of up to five million Baht.
The Personal Data Protection Committee (PDPC), has the power to issue administrative fines by considering the following:
- the level of severity of non-compliance,
- the business side of the data controller or the data processor,
- or other relevant circumstances as deemed suitable by the PDPC.
Administrative penalties may be enforced for the following breaches of the PDPA:
An administrative fine of up to one million Baht can be issued for the following:
- The data controller does not inform the data subject before or at the time of the collection about the following requirements: purpose of the collection, retention period, and categories of persons to whom the collected personal data may be disclosed.
- the data controller does not record information in the record of processing activities (ROPA); or
- the data controller or processor does not appoint the data protection officer (DPO) where the PDPA requires it.
An administrative fine of up to three million Baht can be issued for the following breaches:
- the data controller processes personal data other than for the purpose informed to the data subject;
- the data controller collects, uses, and/or discloses personal data without the consent of the data subject;
- the data controller does not inform the Office of Personal Data Protection Committee of any breaches within 72 hours of becoming aware of the incident;
- the data processor does not inform the data controller about any known breaches.
An administrative fine of up to five million Baht can be issued for the following breaches;
- the data controller collects, uses, and/or discloses sensitive personal data without the explicit consent from the data subject or without another applicable legal basis; or
- the data controller or the data processor sends or transfers the sensitive personal data to a foreign country with adequate data protection standards and does so without the legally required consent of the data subject.
Our Thoughts
Thailand’s Personal Data Protection Act brings significant changes to the data protection landscape in the country, which must be adhered to. Organizations must now navigate complex requirements to protect personal data and comply with the PDPA. By understanding the key provisions and obligations under the PDPA, organizations can take proactive steps to protect personal data, gain the trust of their customers, and avoid potential penalties. Our team of legal experts is ready and available to help check your company’s compliance with the PDPA and help you with any adjustments required.