'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
Published on September 3, 2021 AUTHOR - Privacy Research Team
Thailand has a comprehensive data privacy regulation, the Personal Data Protection Act (the “PDPA”) that aims to protect the privacy of its citizens. The PDPA was said to go into effect on 27 May 2021. However, in May 2021, the Thai Cabinet through a Royal Decree has deferred the enforcement of certain data protection provisions of the PDPA until 01 June 2022. The PDPA does not specifically address an employer’s handling of employee personal information. As per Section 6 of the PDPA “a person or juristic person has the power and duty to make decisions regarding the collection, use, or disclosure of personal data '' are considered data controllers. Since employers also make decisions regarding the collection, use, or disclosure of personal data of employees, therefore, they would also come under the ambit of PDPA’s obligations.
Under Section 19 of the PDPA, the employer shall not collect, use, or disclose personal data of employees, unless the employee has given consent prior to or at the time of such collection, use, or disclosures. A request for consent shall be explicitly made in a written statement, or via electronic means unless it cannot be done by its nature. Section 26 of the PDPA prescribes that the employer should not collect the following sensitive personal data without the explicit consent of the employee:
However, the PDPA provides few exceptions regarding the consent and data collection requirements. Employers can process employees’ personal data when there is a legitimate reason such as a medical emergency or for workers’ compensation claims, public interest, to meet contractual obligations, or to ensure employment protection. As of now, the PDPA does not define employment protection as an exception for the above requirement. Employers must notify employees prior to collecting their personal data, even where consent is not required. Employers should consider the following in order to stay compliant with the PDPA:
The PDPA does not provide any retention period. However, it requires employers to ensure that they inform employees regarding the retention period of their personal data. In Thailand, organizations usually retain the data of their employees for ten years in accordance with the Labor Protection Act. Employers should ensure that they don’t retain any unnecessary personal data of their employees or job applicants.
Section 28 of the PDPA addresses the transfer of employee information to third parties, whether in Thailand or abroad. The PDPA states that the destination country and third parties should have adequate data protection standards, and the transfers shall be carried out in accordance with the requirements of the protection of employee’s personal data. It is advised that the employer must obtain consent from the employee before transferring any data and ensuring that the third party has adequate security measures to protect the employees’ data.
Employers must take appropriate security measures to prevent unauthorized losses, alterations or disclosure of employees' personal data. The PDPA requires that employers must implement a system to destroy personal data when the retention period is over, when the data is no longer necessary or when the employee requests its destruction.
Any personal data breach must be reported to the Office of the Personal Data Protection Committee without delay and, where feasible, within 72 hours after the employer has become aware of it.
Employees have the right to access the personal data that the employer collects, uses, and discloses.
The employer shall inform the employee about any collection, processing or storage of data prior to or at the time of the collection of the personal data.
The employee has the right to request the employer to delete any stored data, except where the employer is not obligated to do so.
Employees have the right to rectify incomplete or inaccurate personal data that the employer has stored.
The employee has the right to withdraw their consent at any time for the purposes that they have consented to the processing of their personal data.
In order to achieve compliance, HR management needs to honor the aforementioned obligations. This can be done in the following ways:
Manual methods come with a flurry of obstacles such as high costs and the risk of human error. In this day and age, organizations need to incorporate the help of automation to ensure compliance with privacy regulations such as Thailand’s PDPA.
Securiti’s Sensitive Data Intelligence Solution enables organizations to discover, analyze, and protect large datasets. It offers organizations a 360-degree solution to all their compliance needs. Watch a demo of Securiti’s Sensitive Data Intelligence solution and start your journey to PDPA compliance.
Securiti also offers automated data mapping, DSR rights fulfillment, data breach management and security controls to help you comply with the obligations required by the PDPA.