Thailand's PDPA

"To pass on our deep understanding of IT risk and control to the society"

Essential Information of PDPA

Thailand's Personal Data Protection Act B.E. 2562 ("PDPA") was published in the Royal Thai Government Gazette on May 27th, 2019, to protect personal data and to set out the obligations and liabilities of those who process it. The PDPA allowed a 1-year transition period for compliance planning, so the original deadline for implementing all compliance measures was May 27th, 2020 (the operative provisions were later postponed by Royal Decree and ultimately took effect on June 1st, 2022). Under the PDPA, personal data means any information relating to a person that enables the identification of that person, whether directly or indirectly, excluding information about deceased persons. The liabilities under the PDPA include (i) administrative fines of up to THB 5 million, (ii) criminal penalties of imprisonment of up to 1 year and/or a fine of up to THB 1 million, and (iii) civil compensation for actual damages plus punitive damages of up to 2 times the actual damages. Note that where the offender is a juristic person, the director(s) or other responsible person(s) may also be held liable.

The PDPA applies to (a) any person or juristic person having the power and duty to make decisions regarding the collection, use, or disclosure of personal data (the "Data Controller") and (b) any person or juristic person who collects, uses, or discloses personal data pursuant to the orders given by or on behalf of a Data Controller, without being the Data Controller (the "Data Processor"). Where the Data Controller or Data Processor is in Thailand, the PDPA applies regardless of whether the collection, use, or disclosure itself takes place in Thailand.

Where a Data Controller or Data Processor is outside Thailand, the PDPA applies only if its activities involve (1) offering goods or services to data subjects who are in Thailand, irrespective of whether payment is made by the data subject, or (2) monitoring the behavior of data subjects, where the behavior takes place in Thailand. Such a Data Controller must designate in writing a representative in Thailand, without any limitation of liability, to act on its behalf with respect to the collection, use, or disclosure of personal data for the Data Controller's purposes, unless the processing involves neither sensitive personal data (e.g. racial or ethnic origin, political opinions, disability, and biometric data) nor a large volume of personal data.

Key Compliance of PDPA

The key compliance obligations under the PDPA are summarized as follows:

  1. Notification & Consent: the data subject shall be informed of the purpose of the collection, use, or disclosure, the retention period, the categories of personal data, and the rights of the data subject. A request for consent shall be clearly presented in plain language that does not mislead the data subject. Where the data subject is a minor, the consent of the holder of parental responsibility or custodian must be obtained. Consent, which must be freely given and withdrawable, shall be obtained prior to any collection, use, disclosure and/or transfer of personal data, unless another lawful basis under the PDPA (e.g. performance of a contract, a legal obligation, or legitimate interest) applies.
  2. Collection and Use of Personal Data: personal data shall be collected, used or disclosed only for the purposes notified to the data subject prior to or at the time of collection. Where personal data is sent or transferred to a foreign country, the destination country or international organization receiving the personal data shall have an adequate data protection standard, subject to the exceptions provided in the PDPA.
  3. Rights of the Data Subject: the data subject is entitled to request access to and a copy of the personal data relating to him/her, and to request disclosure of how personal data was obtained without his/her consent. Subject to certain conditions, the data subject also has the right to object to processing and/or to request that the Data Controller erase or destroy the personal data, or anonymize it so that it can no longer identify the data subject.
  4. Protection and Compliance: the Data Controller and Data Processor shall:

Data Controller

  • Provide appropriate security measures to prevent unauthorized or unlawful loss, access, use, alteration, correction or disclosure of personal data.
  • Put in place an examination system for the erasure or destruction of personal data when the retention period ends, or when the personal data is no longer relevant to, or exceeds what is necessary for, the purpose for which it was collected.
  • Notify the Office of the Personal Data Protection Committee of any personal data breach without delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; where the breach is likely to result in a high risk, the affected data subjects must also be notified without delay.

Data Processor

  • Carry out the collection, use, or disclosure of personal data only pursuant to the instructions of the Data Controller.
  • Provide appropriate security measures to prevent unauthorized or unlawful loss, access, use, alteration, correction or disclosure of personal data, and notify the Data Controller of any personal data breach that occurs.
  • Prepare and maintain records of personal data processing activities in accordance with the prescribed rules.

Data Protection Officer

  • The Data Controller and the Data Processor shall designate a data protection officer where their core activities require regular monitoring of personal data or of systems because of the large scale of the data, and/or where their core activities involve the collection, use, or disclosure of sensitive personal data.
  • The duties of the Data Protection Officer are to:
  1. advise the Data Controller or the Data Processor, including its employees and service providers, on compliance with the PDPA;
  2. review the performance of the Data Controller or the Data Processor, including its employees and service providers, with respect to the collection, use, or disclosure of personal data, for compliance with the PDPA;
  3. coordinate and cooperate with the Office of the Personal Data Protection Committee where problems arise with respect to the collection, use, or disclosure of personal data by the Data Controller or the Data Processor, including its employees and service providers, in relation to compliance with the PDPA; and
  4. keep confidential the personal data that comes to his or her knowledge in the course of performing these duties.

Our PDPA Services

Together with our key partner, Solutionistic Co., Ltd., a leading IT risk and control firm whose team brings Big 4 experience, we offer a PDPA service that integrates legal and IT expertise and focuses on a "real solution that fits", delivered with an "optimistic" attitude that answers our clients' needs. We value our professionalism and quality of service, so that our clients receive the best experience with us.

Our service approach comprises four phases:

Phase 1

Planning

  • Establish the working group and management group
  • Plan the project
  • Request information

Phase 2

Data and IT Mapping

  • Identify personally identifiable information
  • Perform data flow mapping and analysis

Phase 3

Assessment

  • Perform a PDPA impact assessment
  • Develop implementation plan

Phase 4

Implementation

  • Develop and update the policies, procedures and technology needed to support the implementation plan
  • Conduct Thai PDPA training and prepare training materials

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.