The Thailand Personal Data Protection Act (PDPA) is the latest piece of legislation which offers data protection regulations against the misuse of personal data that has been collected from individuals in Thailand. The PDPA was greatly influenced by the European Union's General Data Protection Regulation (GDPR) which set a new standard for data protection regulations around the world.

Objectives of the PDPA

  • The objective of the PDPA is to protect all personal data, such as people's educational background, financial status, health records, criminal records, work records and other personal data such as fingerprints, voice, identification card number or numerical data of other documents. The law prevents people from using this data for any kind of benefit without express consent from the data subject.

The PDPA imposes penalties for non-compliance with administrative fines (up to THB 5 million), criminal penalties (imprisonment up to one year and/or fines up to THB 1 million), and punitive damages up to twice the amount of the actual damages.

Could you or your business be subjected to the PDPA?

If the answer to any of the following questions is yes, then your business is subjected to the rules set out in the PDPA.

  • Do you or your business process personal data?
  • Do you or your business monitor the behavior off individuals located in Thailand?
  • Do you or your business offer goods and services to people located in Thailand?

A business falls under the scope of the PDPA if it collects personal data and offers and promotes its services to individuals located within Thailand.

Note that according to the PDPA, the data collectors and processors do not need to be located within the kingdom of Thailand.

Exemptions under PDPA

  • Data collected for private purposes
  • Data collected by government agencies related to national security, money laundering and cybersecurity
  • Medias subject to ethical standards and public interest purposes
  • Data collected by Members of Parliament and Judiciary
  • Data collected by credit bureaus

The PDPA excludes 2 types of personal data namely, personal data of a deceased person, and business data such as contact details, and title or address of the business.

Like the GDPR, the PDPA has an extraterritorial reach which means that even without having offices in the kingdom, companies offering goods and services to Thai data subjects or monitoring any behavior that takes place within Thailand will need to comply with the PDPA and appoint a representative within the kingdom. The representative is responsible for all acts done by the data collector and processors which they represent.

Consent from the data owner

  • The PDPA states that data owners' consent only be sought honestly, and in good faith. The PDPA also empowers data subjects to revoke their consent at any time, subject to the requirements of applicable laws and other agreements, but such revocation cannot affect the previous collection, usage, or disclosure of personal data that had been legally consented.
  • Data controllers have the obligation to ensure that proper security measures are implemented to protect personal data against loss, alteration, or modification. Data collectors would also be obligated to ensure that the data used or disclosed (when permissible) is correct, complete, and current.
  • If a data controller wishes to use or disclose personal data, it is necessary to seek the data owner's consent in writing.
  • Subject to certain exceptions, it would also be necessary to seek consent in writing to transfer personal data overseas, and a process would be established for consideration of whether the intended recipient country's personal data protection laws provide sufficient protection against the misuse of personal data.
  • Deemed consent (implied consent) is also applicable according to the PDPA. In situations where the data subjects have voluntarily submitted their information to the data controller. For example, if a person would like to subscribe to receive newsletters or updates via email, that person can opt-in by providing his or her email to data controller. By giving his or her email, it is deemed that that person would like to receive such newsletters or updates via email. If person no longer wishes to receive such updates, it is the duty of the data controller to provide a measure for unsubscribing (opt-out measure)

In conclusion, the PDPA offers protection against the misuse of collected personal data from individuals in Thailand. It has an extraterritorial reach due to the fact that of data collectors and processors are outside the kingdom of Thailand, they have to appoint representatives within the kingdom, and those appointed representatives will be wholly responsible for the acts committed by the data collectors and processors. It also states that the data collectors and processors must receive consent from the data subject for them to use their personal data in any way. However, there are certain exceptions of some operations that do not require consent in the collecting and processing of personal data which are stipulated in Article 4 of the PDPA and are mentioned above.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.