Personal Data Protection Law (PDPA) requirements for companies doing business in Thailand
Europe has applied the General Data Protection Regulation (GDPR), which leads global trends in data protection. Thailand decided to follow that trend by enacting the Personal Data Protection Act B.E. 2562 (PDPA 2019) on 27 May 2019. Due to the pandemic, the effective date of Thailand’s PDPA has been postponed until further notice.
If you have never heard of PDPA before, you should pay attention to this article.
First, we would like to start with the penalties, to show how important this law is.
1) Penalties for Non-Compliance:
The PDPA 2019 imposes penalties for non-compliance with the provisions of this Act.
A Data Controller or Data Processor who violates the law could face administrative fines of up to 5 million baht.
A Data Controller or Data Processor who violates the law could face criminal penalties (fines of up to 1 million baht and imprisonment of up to one year).
A Data Controller or Data Processor whose operations in relation to Personal Data violate the provisions of this Act shall compensate the data subject for the resulting damages, regardless of whether such operations were performed intentionally or negligently (Section 77 of the Act).
The law also states that compensation for the damage includes all necessary expenses, in particular the expenses incurred by the data subject to prevent damage likely to occur, and those spent to suppress or stop damage that has already occurred.
More importantly, punitive damages may be awarded by the Thai court in addition to the actual damage, but they shall not exceed twice the amount of the actual damage.
2) Who needs to comply with this law:
The law is written to be extraterritorial, meaning that it applies to data controllers regardless of their location. Therefore, wherever you are, you need to comply with this law. PDPA 2019 applies even when you are merely offering goods or services to data subjects in Thailand (Section 5 of the Act).
3) When it all started:
Preparation period for PDPA 2019 compliance: all companies that collect or process the personal data of data subjects in Thailand must be fully compliant with the PDPA 2019 by May 27, 2020. Owing to the pandemic, the effective date of the PDPA in Thailand has been postponed until further notice. Are you ready for this?
4) What is the restriction on the Collection and Use of Data?
Personal data is a very broad term for any data from which a person can be identified, potentially extending to any data held by a company in the course of its business.
Examples include: name, address, telephone number, password, e-mail address, credit card number, financial details, IP address, ID card number.
Consent from data subjects (online or in writing) is required before processing their personal data (or at the time of use), subject to certain exceptions. A request for consent shall be made specifically in a written declaration or by electronic means, unless it cannot be made that way by its nature.
EXPRESS CONSENT IS REQUIRED
“The data controller shall not collect, use or disclose personal data, unless the data subject has given consent prior to or at the time of such collection, use or disclosure.”
In requesting consent from the data subject, the Personal Data Controller shall also inform the data subject of the purpose of the collection. Such a request for consent shall be presented in an easily accessible and intelligible form and statements. In this regard, the PDPA Committee may require the data subject’s consent in accordance with the form and statements prescribed by the Committee.
For storing personal data and sensitive personal data, there is a requirement to put in place sufficient security measures.
Please keep in mind that in case of any data leakage, you need to notify the Office of the Personal Data Protection Committee within 72 hours. You also need to notify the data owner.
Sensitive personal data refers to any information about an individual’s:
Racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade/labor union information, genetic data, biometric data, or any other data which may affect the data subject in the same manner. The collection of sensitive personal data is prohibited, except where it is necessary to prevent or suppress a danger to the life, body or health of the person and the data subject is incapable of giving consent for whatever reason, or where it is carried out in the course of legitimate activities with appropriate safeguards by foundations, associations or other not-for-profit bodies (Section 26 of the Act).
Key definitions:
“Personal Data” refers to any information relating to a Person which enables the identification of such Person.
“Data Controller” refers to a person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.
“Data Processor” means a person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such person or juristic person is not the Data Controller.
Your independent service providers who have access to personal data of your company’s users/customers pursuant to the orders given by or on behalf of your company are considered Data Processors.
KEY OBLIGATIONS UNDER THE PDPA
Data Controller:
• Collect, use, disclose only when consent has been obtained
• Data transfer
• Data subject’s rights
• Action to prevent others from unauthorized use/disclosure
• Data retention period/system
Data Processor:
• Process under the data controller’s instruction only;
• Provide appropriate security measures for preventing unauthorized access to Personal Data or breach;
• Prepare and maintain records of personal data processing activities.
Between the two parties:
• Appropriate security measures/system
• Data breach notification
• Data processing agreement
So, to put it simply: you should now check within your organization whether you collect any data without the data subject’s consent, and whether any of the data you hold is considered “sensitive personal data”.
Exemption under PDPA 2019
This Act shall not apply to: unidentifiable information; the personal benefit or household activity of such Person only; public authorities related to national security, money laundering and cyber security; activities of mass media, fine arts, or literature; the House of Representatives, the Senate, the Parliament and their committees; trial and adjudication of courts and the work of officers in legal proceedings; and operations on data undertaken by a credit bureau company.
Rights of Data Subjects
In addition, the PDPA grants data subjects various rights over data held by others that relates to them. These include the right of access, the right to erasure, the right to object, and the right to data portability.
Data controllers must ensure that they honor and guarantee those rights as part of their services/operations.
How to Deal with this law?
1. Communicate within your organization about this law and its penalties, especially to the relevant people.
2. Take this moment to review your systems and organization:
• What type of information is collected? Please recheck the level of data protection in your company;
• Who is the data collected from? Users, clients, suppliers, business contacts or other people?
• Does your company have internal policies regarding data breach practice and a privacy framework/policy?
• Do you ask for or obtain consent from the data subject?
• Where do you store the data? How is it protected?
• Who do you share it with? Is there a contract in place?
3. Improve your consent forms/questions and internal measures to comply with this new law;
4. Ensure that employees are fully trained on, and comply with, the PDPA.
You may have questions about personal data that was collected before the enforcement of the PDPA.
As the personal data controller, you can continue to use such personal data if:
• The use is in accordance with the purposes previously notified to the data subject;
• You inform the data owner how they can withdraw their consent to the use of their personal data.
• However, it is better to consult with our specialist.
How can we help you?
The practical effect of the PDPA and its consequences for business are not yet known, as this law will enter into force shortly. What is certain, however, is that a breach of the PDPA may carry not only administrative, civil and criminal liability but also reputational damage. Indeed, customers are increasingly concerned about data breaches.
Still have questions or need advice or exclusive training on the PDPA? We can help you get compliant. Training can be delivered in either Thai or English.
PDPA Expert Lawyer