IDC Names Securiti a Worldwide Leader in Data Privacy
ViewListen to the content
Thailand's Personal Data Protection Act (the "PDPA") is a comprehensive data privacy law that aims to protect the privacy of Thailand’s citizens. The PDPA was said to go into effect on 27 May 2020. However, the PDPA went into effect on June 1st, 2022, after being postponed due to the pandemic.
The PDPA does not explicitly cover an employer's handling of personal information about employees. Data controllers are defined as "a person or juristic person who has the right and duty to make decisions regarding collecting, using, or disclosing personal data" under Section 6 of the PDPA.
Employers would be subject to the PDPA's requirements since they make decisions about collecting, using, and disclosing employees’ personal data.
Employers have several obligations under the PDPA:
According to Section 19 of the PDPA, an employer shall not collect, use, or disclose personal data on employees unless the employee has given consent before or at the time of the collection, use, or disclosure.
Unless it is impossible by nature, a request for consent must be given expressly in a written statement or via technological means. According to Section 26 of the PDPA, an employer shall not acquire the following sensitive personal data without the employee's specific consent:
However, the PDPA provides few exceptions regarding the consent and data collection requirements. Employers can process employees’ personal data when there is a legitimate reason, such as a medical emergency or for workers’ compensation claims, public interest, to meet contractual obligations, or to ensure employment protection.
As of now, the PDPA does not define employment protection as an exception for the above requirement. Employers must notify employees prior to collecting their personal data, even where consent is not required. Employers should consider the following to stay compliant with the PDPA:
The PDPA does not provide any retention period. However, it requires employers to ensure that they inform employees regarding their personal data retention period.
In Thailand, organizations usually retain the data of their employees for ten years under the Labor Protection Act. Employers should ensure that they don’t retain any unnecessary personal data of their employees or job applicants.
Section 28 of the PDPA addresses the transfer of employee information to third parties, whether in Thailand or abroad. The PDPA states that the destination country and third parties should have adequate data protection standards.
The transfers shall be carried out in accordance with the requirements for the protection of employees’ personal data. It is advised that the employer must obtain consent from the employee before transferring any data and ensuring that the third party has adequate security measures to protect the employees’ data.
Employers must take appropriate security measures to prevent unauthorized losses, alterations, or disclosure of employees' personal data. The PDPA requires that employers implement a system to destroy personal data when the retention period is over, when the data is no longer necessary or when the employee requests its destruction.
Any personal data breach must be reported to the Office of the Personal Data Protection Committee without delay and, where feasible, within 72 hours after the employer has become aware of it.
Under the PDPA, employees are entitled to a number of rights that the employer needs to honor in order to stay compliant. These rights are as follows:
Employees have the right to access the personal data that the employer collects, uses, and discloses.
The employer shall inform the employee about any collection, processing or storage of data prior to or at the time of the collection of the personal data.
The employee has the right to request the employer to delete any stored data, except where the employer is not obligated to do so.
Employees have the right to rectify incomplete or inaccurate personal data that the employer has stored.
The employee has the right to withdraw their consent at any time for the purposes that they have consented to the processing of their personal data.
In order to achieve compliance, HR management needs to honor the obligations mentioned above. This can be done in the following ways:
Manual approaches have a slew of drawbacks, including high prices and the possibility of human error. In today's automated and digitally connected world, firms must use automation to comply with privacy laws such as Thailand's PDPA.
Securiti’s Sensitive Data Intelligence Solution enables organizations to discover, analyze, and protect large datasets. It offers organizations a 360-degree solution to all their compliance needs. Request a demo of Securiti’s Sensitive Data Intelligence solution and start your journey to PDPA compliance.
To assist you in complying with the PDPA's requirements, Securiti also provides automatic data mapping, DSR rights fulfillment, data breach management, and added security controls.
Anas Baig is a Product Marketing Manager with a proven track record in the cybersecurity industry. He has been a prominent contributor to numerous esteemed publications, including Infosecurity Magazine, CSO Online, Tripwire, Security Affairs, Network Computing, Security Boulevard, and several other renowned cybersecurity blogs.His in-depth knowledge and extensive experience in the industry make him a trusted source for cutting-edge insights and information in the ever-evolving world of cybersecurity.
Get all the latest information, law updates and more delivered to your inbox
September 14, 2023
UPDATE: The Personal Data Protection Bill 2019 has been withdrawn by the Indian government after over three years of discussion. The Bill had attracted...
August 11, 2023
Employee data protection is becoming increasingly important for organizations that are aiming to comply with global privacy laws. This puts pressure on the HR...
July 14, 2023
Quebec's data protection authority, the Commission d'accès à l'information (CAI), recently published a consultation on the collection of consent in relation to personal data...
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.
Copyright © 2023 Securiti · Sitemap · XML Sitemap
info@securiti.ai
300 Santana Row Suite 450. San Jose,
CA 95128