When the General Data Protection Regulation (“GDPR”) was first enacted, there was a massive scramble by companies to meet its requirements as quickly as possible. Now that the GDPR is fully in force and companies are in full compliance, it is widely considered to be a huge success. As a result, other countries have taken note and used it as the basis for their own data protection legislation.
In Thailand’s case, the GDPR has become the basis for the Personal Data Protection Act B.E. 2562 (“PDPA”), which was enacted on the 27th of May 2019. However, due to the current pandemic and issues with the appointment of a Personal Data Protection Committee, the full rollout of the legislation has been postponed until further notice.
If your company is a data controller or data processor that is either located in Thailand or has operations in Thailand, you will be subject to the PDPA (provided that the data collected is used or disclosed in Thailand).
Since the PDPA is based upon the GDPR, there are naturally many similarities between them. For example:
1. Both the GDPR and PDPA apply to the processing of personal data. Personal data refers to any information relating to an identified or identifiable natural person.
2. Both the GDPR and PDPA have extraterritorial applicability. Under the GDPR, non-EU data controllers and processors must comply with the GDPR when they process data from individuals in the EU for the following specific goals:
– the offering of goods or services to such data subjects in the European Union; or
– the monitoring of their behavior as far as their behavior takes place within the European Union.
Thailand’s PDPA follows the same pattern: even if the company in question is located outside Thailand, it will still need to comply with the PDPA.
3. Both the GDPR and PDPA have similar exceptions and clauses on the lawful basis of processing. These exceptions and clauses refer to consent, a contractual basis, legal obligations, and legitimate interests or vital interests as a basis.
The PDPA also mirrors the GDPR’s rights for the data subjects. The data controller has to confer the following rights on individuals or data subjects:
- The right to be informed when and where their data is being used.
- The right to rectify their data.
- The right to data portability.
- The right to access their data.
- The right to object to their data being used.
- The right to restrict the use of their data.
- The right for their data to be erased or forgotten.
The good news is that if you comply with the GDPR, it is more than likely that you will also be compliant with the PDPA. It is also important to note, however, that there are some differences between the GDPR and the PDPA. Examples include:
1. Fines and Penalties
With regard to the GDPR, any organization that fails to comply with the regulation can be fined up to a maximum of 4% of its worldwide annual revenue or €20 million, whichever is greater.
In comparison, the PDPA explicitly states that administrative fines can reach a maximum of THB 5 million. The PDPA also confers criminal liability on companies: failure to comply with the legislation can result in imprisonment of up to a year (along with a fine). The PDPA also sets no limit on damages.
2. Exceptions
The GDPR does not offer any exceptions for public authorities and law-making institutions. It does, however, offer exceptions for competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or penalties.
The PDPA, on the other hand, does offer exceptions for lawmakers and public authorities. The PDPA does not apply to the following bodies:
(1) Public authorities who maintain state security, including financial security of the state or public safety, including the duties with respect to the prevention and suppression of money laundering, forensic science or cybersecurity;
(2) The House of Representatives, the Senate, and the Parliament, including any committees appointed by the House of Representatives, the Senate, or the Parliament, which collect, use or disclose Personal Data under the duties and power of the House of Representatives, the Senate, the Parliament or their committee, as the case may be;
(3) trial and adjudication of courts and work operations of officers in legal proceedings, legal execution, and deposit of property, including work operations in accordance with the criminal justice procedure;
(4) data operations undertaken by a credit bureau company and its members.
It is clear to see that the PDPA’s exceptions are broader than those of the GDPR.
3. Anonymous Data
Although the GDPR does not give data subjects a right to anonymize their personal data, a data subject does have the right to anonymize his or her personal data under the PDPA.
4. Consent of Minors
While the GDPR allows users who are 16 or above to provide consent without their parent’s or guardian’s permission, the PDPA states that if the individual is under the age of 10, consent must be obtained from the child’s legal guardian. Furthermore, the PDPA states that for all individuals aged between 10 and 20, where their personal data is required, consent must be obtained from both the individual and his or her legal guardian, unless it falls under the stated exceptions.
5. Compliance Templates
In accordance with the GDPR, your company is required to complete a Record of Processing Activities (ROPA). However, if your company is located in Thailand (or is outside Thailand but offers goods or services in Thailand, or the data subject whose data is collected, used or disclosed is located in Thailand), you will also need to complete the equivalent record under the PDPA.
While we have covered the key aspects of the GDPR and PDPA here, there are other important areas that you need to consider and be aware of. If you are unsure whether your company needs to follow the PDPA, or you aren’t sure about any of the details, please contact us and our team of experts will be able to help you.