Are you PDPA compliant?
Thailand’s Personal Data Protection Act or PDPA will come into full effect on June 1st 2022. This is less than 2 months away, so please ensure that your organization is ready and fully compliant with the PDPA before this date.
On May 5th 2021, the Thai Cabinet delayed the enforcement of the PDPA for one year (to June 1st 2022) in order to reduce the impact the PDPA would have on all relevant individuals, Government agencies and businesses of all sizes during the COVID-19 pandemic.
The Government felt that the rules, procedures and conditions that companies must adhere to under the PDPA are very detailed and complex. Compliance also requires advanced technology in order to effectively protect personal data. The enforcement of the Act would create an extra burden for companies that may already be suffering due to the pandemic.
Currently, there are no signs of any further delays in bringing the PDPA into effect. Therefore, companies and individuals must be ready to comply with the PDPA before June 1st, 2022.
Who is protected under Thai PDPA?
The PDPA has extraterritorial scope. This means that even if your company is not registered as a business in Thailand or does not have an office in Thailand, the PDPA may still apply to you.
The PDPA will be applied to any collection, use or disclosure of personal data obtained by a data controller or data processor within Thailand. However, when a data controller or data processor is located outside of Thailand, the PDPA will still apply if the data subject whose data is collected, used or disclosed is located in Thailand.
How do I become PDPA compliant?
In order to ensure full compliance with the PDPA, it is important to consider the following points.
Review the data collection and the data protection levels in your company
You may need to undertake data mapping to see what data you have about customers, users, employees and others.
Important areas to consider are:
- What type of information is collected?
- What is the purpose of the personal data collection, usage and disclosure?
- Who is the data collected from: users, clients, suppliers, business contacts or other people?
- Does your company have internal policies regarding data breach practice and a privacy framework/policy?
- Do you ask / seek any consent from the data subject?
- Where do you store the data? How is it protected?
- Who do you share it with? Any contract in place?
The data controller and data processor need to ensure full compliance with the PDPA and provide appropriate security measures to prevent unauthorized access to personal data.
Make sure you have appropriate records for the PDPA regulator
When the PDPA is fully enforced, a data controller and a data processor will need to maintain records that the data subject and the Office of the Personal Data Protection Committee can check.
Train your employees
You must ensure that all employees are fully trained and familiar with the PDPA to ensure compliance. Therefore, it is highly recommended to share any information relating to your internal policies, the details of the PDPA and penalties for breaching it, throughout your organization.
How do I become PDPA compliant?
Belaws has a team of experienced lawyers and experts in place to provide the following services to you in order to ensure full compliance with the PDPA.
| Scope of Services | Our fee |
|---|---|
| (a) Drafting or reviewing these following items:<br>1) PDPA consent (general and direct marketing consent)<br>This also includes analyzing your customer journey flow to ensure that it complies with the PDPA.<br>Timeframe: 2 weeks | From 30,000 THB (for your customers or users)<br>*This includes online interactions and meetings with your team (maximum 1 hour), if necessary. |
| (b) Reviewing your Terms and Conditions (T&C) to mitigate foreseeable risks (e.g. age of users/customers for validity of data privacy consent and disputes that may occur from your features in relation to PDPA or other law)<br>Timeframe: 2 weeks | From 20,000 THB |
| (c) Preliminary analysis of your internal procedures to see if they comply with the PDPA.<br>Background: When you receive personal data from users or customers, it does not mean that you can keep their data forever. You need to provide the method to withdraw consent, specify a ‘retention policy’ which provides a ‘retention period’ and appoint a Data Protection Officer. Also, our PDPA expert needs to make sure that your practice on data collection, transfer and destruction complies with your internal policy.<br>Our PDPA expert can provide you with recommendations on the above mentioned issues and inform you of how long you can keep the personal data of users, customers and employees.<br>This shall include an appropriate record, consent and withdrawal and data breach management guidelines.<br>In summary, this item (c) shall include preliminary analysis on:<br>– retention policy/period<br>– practice on data collection, transfer and destruction<br>– record of data for a regulator<br>– consent and withdrawal<br>– data breach management guidelines<br>Timeframe: 3-4 weeks | From 50,000 – 70,000 THB for preliminary analysis<br>(Varies by the complexity of the organization)<br>*This includes online interaction and meetings with your team (maximum 3 hours) to identify problems and fact findings. |
| Since some employees can access the personal data of users and other employees (e.g. HR and customer service representatives), controls must be put in place to ensure that the personal data of users and employees is securely stored and distributed only to authorized parties.<br>Timeframe: 2 weeks | From 27,000 THB |
| (e) Training or workshops for understanding the PDPA Fundamental Points – 3 hours maximum, includes Q&A session (in English or Thai)<br>You should share information about PDPA law within your organisation, especially to the relevant people who have access to personal data (e.g., IT, customer service, HR). | From 20,000 THB (Online) and<br>From 25,000 THB (Onsite)<br>No maximum participants<br>*However, if you would like to proceed with items (a) – (d), our PDPA expert is willing to provide one complimentary PDPA training session or workshop at no cost (English or Thai session). |
| (f) Full PDPA Compliance Gap Analysis Report<br>The report shall include gaps and advice on:<br>– Third party management (IT vendor who can access personal data)<br>– Management of Data Subject’s rights<br>– Data Processing Agreement Template between Data Controller and Data Processor<br>– Retention limitation<br>– Web cookies policy<br>– Data transfer and storage outside Thailand<br>– Age of users/customers for validity of data privacy consent and other important issues under PDPA<br>– Do’s and Don’ts for employees<br>Our PDPA expert can discuss and finalize topics with you before proceeding.<br>Timeframe: 4 weeks | For the full ‘PDPA gap analysis report’, the additional fee ranges from 80,000 – 150,000 THB (varies by the complexity of the organization and scope of work or topics) |
| (g) Audit of the IT System organizations Data destruction process.<br>Timeframe: 1 week | From 80,000 THB |
| (h) Preliminary discussion or direct consultation (online meeting). | From 5,000 THB per hour |
Our PDPA expert recommends you consider items (a), (b), (c) and (d) to ensure full readiness and compliance with the PDPA. If you have a limited budget, you can consider items (a) and (d) first. Our PDPA expert can help you handle everything so you do not have to start from scratch.
To save time, it is better to consult with experts rather than trying to tackle the PDPA on your own. The PDPA's effective date is just around the corner, and full and complete compliance is essential.
For any breaches of the PDPA, there is not only administrative, civil and criminal liability to consider, but also reputational damage. Failure to comply with the PDPA may mean that clients and partners may not want to work with your company in the future.
If you need more information about the PDPA and how to ensure full compliance, you can book a consultation with one of our PDPA experts.
Please note that this article is for information purposes only and does not constitute legal advice.
Up to 1 hour to answer your questions related to trademarks, copyright, patents, website terms and conditions, privacy law, PDPA and general issues related to digital laws in Thailand.
If some research is necessary to answer your questions, our expert will check and revert to you with complementary elements by email.
This consultation is only for new cases. The service is provided by an expert lawyer fluent in English.
Up to 1 Hour
Online payment (Paypal or Credit card)
Legal consultation can be conducted in English, French or Thai
Legal consultations are handled by Legal experts.