What are the penalties for breaching the PDPA?
As of the 1st of June 2022, Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) came into full effect. The PDPA regulates how a data controller or a data processor collects, uses, discloses, and/or transfers personal data, and provides a safeguard against abuses of the right to privacy of a data subject.
Failure to comply with the PDPA could result in civil, criminal, and/or administrative penalties handed to the offending party.
What are data controllers and processors?
A data controller is a person or a juristic person who has the power to make decisions relating to the collection, use, disclosure and/or transfer of personal data.
A data processor is a person or a juristic person who collects, uses, discloses and/or transfers personal data on behalf of another party, the data controller.
Civil liability arises when a data controller or data processor, intentionally or negligently, fails to comply with the PDPA’s requirements and thereby causes damage to a data subject.
In that situation the data subject can claim actual compensation from the data controller or the data processor. Actual compensation covers the damage suffered, including the necessary expenses the data subject incurred to prevent or mitigate that damage.
Additionally, where the data controller or data processor is found to be in breach of the PDPA, the court may order it to pay punitive damages to the data subject on top of the actual compensation.
Punitive damages are capped at twice the amount of the actual compensation.
The limitation period for a civil compensation claim under the PDPA is three years from the date the data subject becomes aware of the damage and of the identity of the data controller or data processor responsible, or ten years from the date of the wrongful act, whichever comes first.
The following acts can attract criminal penalties under the PDPA:
If the data controller:
- uses or discloses personal data without the consent of the data subject where consent is legally required, or
- receives personal data from another data controller and uses or discloses this personal data for purposes other than the purposes previously informed to the disclosing data controller, or
- sends or transfers sensitive personal data to a foreign country that does not have an adequate data protection standard without other legal exceptions.
These acts are criminal only where they are carried out in a manner likely to cause the data subject damage, impair their reputation, or expose them to scorn, hatred or humiliation. Where that is the case, the data controller faces imprisonment of up to six months, a fine of up to 500,000 Baht, or both.
If the data controller commits any of these acts in order to obtain an unlawful benefit for themselves or others, the penalty rises to imprisonment of up to one year, a fine of up to one million Baht, or both.
Any person who obtains personal data in the course of performing duties under the PDPA and then discloses it to an unauthorised person may face imprisonment of up to six months, a fine of up to 500,000 Baht, or both.
However, such disclosure is permitted in certain circumstances, for example where it is made for the purposes of an investigation or court proceedings, or where the data subject has given written consent.
Administrative penalties may apply to the data controller or the data processor, or any person who violates any of the PDPA’s provisions.
Administrative penalties consist of a monetary fine of up to five million Baht.
The Personal Data Protection Committee (PDPC) has the power to issue administrative fines, taking the following into consideration:
- the severity of the non-compliance,
- the business size of the data controller or the data processor, and
- any other relevant circumstances the PDPC considers appropriate.
Administrative penalties may be enforced for the following breaches of the PDPA:
An administrative fine of up to one million Baht can be issued for the following:
- the data controller does not inform the data subject, prior to or at the time of collection, of the purpose of the collection, the retention period, and the categories of persons to whom the collected personal data may be disclosed;
- the data controller does not record information in the record of processing activities (ROPA); or
- the data controller or the data processor does not appoint the data protection officer (DPO) where it is required by the PDPA.
An administrative fine of up to three million Baht can be issued for the following breaches:
- the data controller processes personal data other than for the purpose informed to the data subject;
- the data controller collects, uses, and/or discloses personal data without the consent of the data subject;
- the data controller does not notify the Office of the Personal Data Protection Committee of a personal data breach within 72 hours of becoming aware of it; or
- the data processor does not inform the data controller about any known breaches.
An administrative fine of up to five million Baht can be issued for the following breaches:
- the data controller collects, uses, and/or discloses sensitive personal data without the explicit consent from the data subject or without another applicable legal basis; or
- the data controller or the data processor sends or transfers sensitive personal data to a foreign country that does not have adequate data protection standards, without the legally required consent of the data subject or another applicable legal exception.
Examples of personal data breaches that you should be aware of
Personal data breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
How can the Belaws team of experts help you?
For any breaches of the PDPA, there is not only administrative, civil and criminal liability to consider, but also reputational damage. Failure to comply with the PDPA may mean that clients and partners may not want to work with your company in the future.
If you need more information about the PDPA and how to ensure full compliance, you can book a consultation with one of our PDPA experts.
Please note that this article is for information purposes only and does not constitute legal advice.
Our consultations last for a period of 1 hour and are conducted by our expert lawyers who are fluent in English, French and Thai.
Consultations can be hosted via WhatsApp or Video Conferencing software for your convenience. A consultation with one of our experts is undoubtedly the best way to get all the information you need and answer any questions you may have about your new business or project.
Frequently asked questions
What is Thailand Personal Data Protection Act?
The PDPA is a law that protects a data subject’s personal data against misuse. It applies to any collection, use or disclosure of personal data by a data controller or data processor within Thailand. Where the data controller or data processor is located outside Thailand, the PDPA still applies if the data subject whose data is collected, used or disclosed is located in Thailand.
Does GDPR apply in Thailand?
The GDPR applies to organisations that have a presence in the EU, notably entities that have an ‘establishment’ in the EU. The GDPR also applies to the processing activities of data controllers and data processors that do not have any presence in the EU, where processing activities are related to the offering of goods, or services to individuals in the EU, or to the monitoring of the behaviour of individuals in the EU.
Which countries have the best data protection?
Denmark, Norway and Canada are often regarded as having strong data protection laws, alongside the EU.
What is the difference between PDPA and GDPR?
The GDPR sets out specific rules for the processing of personal data for research purposes, including data minimisation and anonymisation. The PDPA does not include specific rules for the collection, use, and disclosure of personal data for such purposes, but requires that ‘suitable measures’ are put in place.
Who does Thai PDPA cover?
The PDPA covers all collection, use or disclosure of personal data by a data controller or data processor within Thailand. Where the data controller or data processor is located outside Thailand, the PDPA still applies if the data subject is located in Thailand.
What is personal data protection?
Personal data protection refers to the rules governing how public and private entities collect, use and disclose personal data, including how they obtain consent from data subjects where consent is required.
Who are exempted from PDPA?
Certain disclosures are exempt from the PDPA’s restrictions, for example where the disclosure is made for the purposes of an investigation or court proceedings, or where the data subject has given written consent.
Who is subject to PDPA?
The PDPA will be applied to any collection, use or disclosure of personal data obtained by a data controller or data processor within Thailand.
Does PDPA apply to individuals?
The PDPA applies to individuals and companies alike.