1. Introduction
The government of Thailand has passed its first-ever data protection law, the Personal Data Protection Act (PDPA), which came into effect on June 1st, 2022. Like the European Union’s General Data Protection Regulation (GDPR) and most privacy laws, Thailand’s PDPA ensures an appropriate level of security of data subjects' personal information and grants them several protections and rights.
2. Who Needs to Comply with the Law
A. Material Scope
With a few exceptions, Thailand's PDPA applies to any legal entity collecting, using, or disclosing a natural (and alive) person's personal data.
B. Territorial Scope
The PDPA applies to personal data collected, used, and disclosed by a data controller or data processor in Thailand, irrespective of whether the collection, use, or disclosure occurs in Thailand or elsewhere.
If a data controller or a data processor is outside of Thailand, the PDPA shall apply to the collection, use, or disclosure of personal data of data subjects who are in Thailand, where the activities of such data controller or data processor include:
- the offering of goods or services to the data subjects who are in Thailand, irrespective of whether the payment is made by the data subject; or
- the monitoring of the data subject’s behavior, where the behavior takes place in Thailand.
C. Exceptions
The PDPA does not apply to the following:
- operations of public authorities having the duties to maintain state security, including financial security of the state or public safety, including the duties concerning the prevention and suppression of money laundering, forensic science, or cybersecurity;
- trial and adjudication of courts and work operations of officers in legal proceedings, legal execution, and deposit of property, including work operations in accordance with the criminal justice procedure;
- the processing for personal benefit or household activity;
- the processing for the activities of mass media, fine arts, or literature, which are only in accordance with professional ethics or for the public interest;
- the House of Representatives, the Senate, and the Parliament, including the committee appointed by the House of Representatives, the Senate, or the Parliament, which collect, use, or disclose personal data in their consideration under the duties and power of the House of Representatives, the Senate, the Parliament, or their committee, as the case may be; and
- operations of data undertaken by a credit bureau company and its members, according to the law governing the operations of a credit bureau business.
3. Definitions of Key Terms
A. Personal Data
Any information on a natural person which can be used to identify that person, either directly or indirectly. Information about deceased people isn’t considered personal data. Personal data includes name, address, phone number, customer ID, age, gender, height, username, password, and IP address.
B. Sensitive Personal Data
Under the PDPA, any collection of personal data pertaining to the following is prohibited except with the explicit consent of the data subject.
- Race
- Ethnic Origin
- Political Opinions
- Cult
- Religious Beliefs
- Philosophical Beliefs
- Sexual Behavior
- Criminal Records
- Health Data
- Disability
- Labour Union
- Genetic Data
- Biometric Data
Additionally, any data which may affect the data subject in the same way as prescribed by the regulator could be deemed as sensitive personal data.
C. Data Controller
An authority that determines the means and purpose of collecting, using, and sharing personal data.
D. Data Processor
Any individual or party that gathers, uses, or shares personal information as directed by the data controller.
4. Obligations for Organizations Under Thailand’s PDPA
A. Consent Requirements
The data controller shall not collect, use, or disclose personal data unless the data subject has given consent prior to or at the time of such collection, use, or disclosure, except in circumstances where the data is being processed in the following manner:
- For public interest purpose,
- To prevent or suppress a danger to a person's life, body, or health; or
- For the performance of a contract to which the data subject is a party, or for compliance with any law.
A request for consent shall be explicitly made in a written statement or via electronic means unless it cannot be done by its nature. Any such request must be in clear and plain language, informing users of the purposes of their information processing. The data subject’s consent must always be freely given.
Data subjects have the right to withdraw their consent at any time, and the option of withdrawal of consent should be made as easy as giving consent.
Consent Requirement for Minors
The PDPA prescribes different consent requirements for processing minors' personal data. Where the minor is under 10 years of age, his/her personal data can only be processed after obtaining consent from a parent or guardian.
B. Data Processing Notification Requirements
The Data Controller must provide the following information to the Data Subject prior to or at the time of the collection of personal data unless the data subject is already aware of such details.
- the reason for collecting personal data for use or disclosure, including the reason for collecting personal data without the consent of the data subject;
- notification of the circumstances in which the data subject must submit personal information to comply with a law, a contract, or enter into a contract, including notification of the potential consequences if the data subject fails to provide the requested personal information;
- the personal information that will be gathered and how long it will be kept. The anticipated data retention duration in accordance with the data retention standard must be given if the retention period can't be determined;
- the types of people or entities who may receive the collected personal data;
- where appropriate, information on the data controller's representative or data protection officer, including their name, address, and phone number.
C. Security Requirements
The PDPA requires data controllers to have suitable security measures to protect stored personal data from unauthorized access, loss, misuse, modification, alteration, or disclosure. Such security measures must be reviewed regularly. Businesses are required to establish personal data security measures, including administrative safeguards, technical safeguards, and physical safeguards, for gaining access to or managing the use of personal data.
D. Data Breach Requirements
The data controller must notify the PDPC of a personal data breach as soon as possible, preferably within 72 hours of becoming aware of it, except where the personal data breach is unlikely to result in a risk to individuals' rights and freedoms.
If a personal data breach poses a high risk to data subjects' rights and freedoms, the data controller is also required to notify the affected data subjects of the breach and the corrective steps as soon as possible. The data processor is responsible for notifying the data controller of any personal data breaches.
E. Data Protection Officer Requirement
Under the PDPA, data controllers and data processors, including their representatives, must appoint a DPO in the following circumstances.
- Either the data controller or the data processor is a public authority, as specified by the PDPC;
- The activities of a data controller or data processor relating to the collection, use, or disclosure require regular monitoring of the personal data or the system by reason of having large-scale personal data; or
- The primary activity of the data controller or the data processor is related to the processing of sensitive personal data.
The Thailand Personal Data Protection Committee (PDPC) has issued a Notification on the Appointment of Data Protection Officers (DPO), effective from December 13, 2023, as part of the regulatory framework established by PDPA. The Notification has clarified the criteria for determining whether a processing activity requires regular monitoring of the personal data and involves large-scale personal data which is as follows:
- The core activity of the organization must be taken into account.
- The core part of the data controller or data processor’s activities consists of tracking, monitoring, analyzing, or predicting the behavior, attitude or profile of individuals, and
- The core activities generally involve the processing of personal data in a systematic manner on a usual or regular basis.
- The number of data subjects, the types of personal data processed, the data retention period and the scope of the use of personal data are factors that can determine whether the activities are involved with a large scale of personal data.
To assist organizations in compliance, the PDPC has provided two forms:
- An assessment form or checklist for DPO appointment and;
- A notification form for the formal appointment of a DPO.
Organizations engaged in relevant processing activities should promptly review and appoint a DPO using the provided forms. Comprehensive documentation supporting the DPO appointment, including orders or letters, is recommended. Additionally, any ancillary duties assigned to the DPO should align with the duties stipulated by the PDPA.
F. Data Protection Impact Assessment
The PDPA makes no explicit provision requiring the data controller to conduct a Data Protection Impact Assessment ('DPIA'). Nonetheless, the PDPA requires the data controller to assess the level of risk and degree of personal data collection, processing, and disclosure that may jeopardize the rights of data subjects and review data security measures when necessary and when a new technology is adopted.
G. Record of Processing Activities (RoPA)
The data controller and data processor must establish and keep written or electronic records of personal data processing activities.
The record of processing activities must include:
- the information of the data controller;
- the purposes of the processing;
- the rights and means to access the data subjects' personal data, including conditions of access and person(s) authorized to access such data;
- the details of collected personal data;
- the retention period of the personal data; and
- explanation of appropriate security measures.
Data controllers and processors can be exempted from preparing the RoPA if they meet specific small enterprise criteria, which include:
- small or medium-sized enterprises;
- community enterprises;
- cooperatives;
- foundations, religious organizations, associations, or non-profit organizations;
- social enterprises;
- condominium juristic persons; and
- family businesses or businesses operated by the data controller, who is an individual.
However, this exemption does not apply if the data handling poses risks to data subjects' rights, is not occasional, or involves sensitive personal data.
H. Third-Party Processing Requirements
The PDPA prescribes the following obligations for the data processors. To stay compliant with the PDPA, data processors must:
- only act in accordance with the data controller's instructions when it comes to the collecting, using, or disclosing of personal data, unless doing so would violate the law or any requirements of the PDPA;
- provide the data controller notice of any unauthorized or illegal loss, access to, use, alteration, correction, or disclosure of personal data and implement the necessary security measures to prevent those actions;
- prepare and keep track of all activities involving the processing of personal data in compliance with the guidelines and procedures established by the PDPC.
According to the PDPA, if the data processor does not follow the data controller's instructions (the first obligation above) when collecting, using, or disclosing personal data, the processor is treated as the data controller for that specific collection, use, or disclosure.
I. Cross-border data transfer Requirements
Cross-border data transfer comes into play when data is sent from Thailand to another country, whether physically or through a computer system or network. For example, it constitutes a cross-border transfer of data when a server located in Thailand processes and transmits data to a cloud service provider based in another country for processing, use, or disclosure. Generally, there are certain legal requirements that a data controller or processor needs to comply with when sending or transferring data abroad.
The PDPC's notification, Criteria on Protection of Personal Data transferred to third countries pursuant to Section 28 of the PDPA (2023), outlines that the following scenarios of data transfer do not qualify as cross-border data transfer and, therefore, the requirements of cross-border data transfer would not apply to them:
- When personal data is merely passing through a system (such as an email server) without being accessed or altered.
- When data is stored temporarily or permanently on a cloud server located abroad where no third party has access to it.
March 24th, 2024 is the enforcement date for the PDPC's notification on cross-border transfers of personal data, Criteria on Protection of Personal Data transferred to third countries pursuant to Section 28 of the PDPA (2023).
The key requirement of cross-border transfer of data under the PDPA is that the destination country or any international organization that receives personal data from data controllers and processors in Thailand must have an adequate data protection standard. Assessing the adequacy of protection standards involves careful consideration of the following factors:
- Before transferring personal data to a foreign country or an international organization, ensure that the destination country or international organization has legal measures or mechanisms in place that mirror Thailand's personal data protection laws.
- Assess whether there is a designated agency or organization responsible for enforcing data protection laws in the destination country. Having an established regulatory body ensures that the data protection framework is actively monitored and enforced.
- Verify if there are legal remedies available for data owners in the destination country, providing individuals with recourse in case of data protection violations.
The adequacy requirement for cross-border data transfer may be exempted in the following situations:
- where it is for compliance with the law;
- where the consent of the data subject has been obtained, provided that the data subject has been informed of the inadequate personal data protection standards of the destination country or international organization;
- where it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
- where it is for compliance with a contract between the data controller and other persons or juristic persons for the interests of the data subject;
- where it is to prevent or suppress a danger to the life, body, or health of the data subject or other persons, when the data subject is incapable of giving consent at such time;
- where it is necessary for carrying out the activities in relation to the substantial public interest.
Two main mechanisms are available to a data controller or data processor to transfer personal data abroad to non-adequate countries:
- Binding Corporate Rules: Affiliated companies within the same corporate group can transfer personal data across borders. This is permissible after a thorough review and certification of their personal data protection policy, known as Binding Corporate Rules (BCR), approved by the regulatory authority. BCRs act as an internal code of conduct for data protection within the corporate group.
- Appropriate Safeguards: Appropriate safeguards ensure data subjects have effective legal remedies and that their rights can be enforced. They include the following:
  - Model contractual clauses
  - Certification ensuring appropriate safeguards having legal enforceability under Thai law
  - Legally binding instruments between government agencies of Thailand and overseas countries
  - Code of conduct
The PDPC's notification on cross-border transfers of personal data, published in Thailand's Royal Gazette on December 25th, 2023, Criteria on Protection of Personal Data transferred to third countries pursuant to Section 29 of the PDPA (2023), recognizes the following Model Contractual Clauses as providing appropriate safeguards:
- ASEAN Model Contractual Clauses for Cross-Border Data Flows.
- Standard Contractual Clauses for the Transfer of Personal Data to Third Countries under GDPR.
- Standard contractual terms for sending or transferring personal data abroad by agencies or international organizations as specified by the Commission.
These Model Contractual Clauses contain essential elements such as notifying data subjects, limiting data transfers, specifying responsibilities, ensuring security, and implementing effective remedial actions.
Businesses are given flexibility for revisions/amendments to the Model Contractual Clauses, allowing them to tailor the clauses to their specific needs within certain boundaries. Data controllers and processors can choose between BCR and Model Contractual Clauses based on their normal business operations. March 24th, 2024 is the enforcement date of the PDPC's notification on cross-border transfers of personal data, Criteria on Protection of Personal Data transferred to third countries pursuant to Section 29 of the PDPA (2023).
5. Data Subject Rights
Under the PDPA, data subjects have the following rights:
5.1 Right to Access
Data subjects have a right to access and obtain a copy of their personal data from data controllers. This right must be acted upon without delay and in any case within 30 days from the date of receipt of the data subject's request.
5.2 Right to Portability
Data subjects have a right to receive their personal data from controllers and processors in a readable format. The data controller shall arrange such personal data to be in a format that is readable or commonly used by means of automatic tools or equipment and can be used or disclosed by automated means.
5.3 Right to Object
Under the PDPA, data subjects shall have the right to object to the processing of their personal data:
- when their personal data is collected without consent on the basis of tasks carried out in the public interest, or of a legitimate interest pursued by the data controller or a third party;
- when the processing of personal data is for direct marketing purposes; and
- when the processing of personal data is for scientific, historical, or statistical research purposes.
5.4 Right to Erasure
Data subjects have a right to erasure: the data controller must erase, destroy, or anonymize the data subject's personal data where the data subject withdraws consent and the data controller has no other legal ground to collect, use, or disclose the personal data; where the personal data is no longer necessary for the purpose for which it was collected or processed; or where the personal data was collected unlawfully.
5.5 Right to Restriction of Processing
Data subjects also have a right to request the restriction of the use of personal data. This right applies where the data subject opposes erasure or destruction of the personal data but still objects to further processing and thus requests the restriction of the processing of personal information in certain situations, such as when data is no longer needed for the purpose it was acquired.
5.6 Right to Rectification
Data subjects have a right to request the rectification of their inaccurate data and have incomplete data stored about themselves completed.
6. Regulatory Authority
Under the PDPA, the Personal Data Protection Committee ('PDPC') is in charge of designing and issuing future sub-regulations. Previously, the PDPC was represented by the Ministry of Digital Economy and Society ('MDES').
The PDPC has the following authority and responsibilities:
- To ensure PDPA compliance, determine procedures or strategies for operations relating to personal data protection;
- Encourage and assist in the safeguarding of personal information;
- Provide notices or instructions under the PDPA; and
- Notify and establish rules/guidelines that personal data controllers and processors must follow and adhere to.
7. Penalties for Non-compliance
A violation of the PDPA may result in civil liability, criminal liability, and administrative fines. For example, a data controller may be liable to pay compensation to the data subject for the damage suffered by the data subject.
The amount of such compensation shall include all necessary expenses incurred by the data subject in preventing or suppressing damages. Under the PDPA, the maximum penalty that can be awarded is a fine of Baht five million, imprisonment for a term not exceeding one year, or both, depending on the type of violation.
8. How an Organization Can Operationalize the Law
To comply with Thailand’s PDPA, organizations must:
- Evaluate if they meet Thailand's PDPA jurisdictional requirements, such as whether they hold personal data about Thais;
- Analyze their data inventories and categorize data storage that contains personal information about Thais;
- Make it transparent how personal data is processed by using official policies and privacy notices;
- Develop a solid framework for dealing with data subject requests;
- Analyze risks and vulnerabilities by conducting a data protection impact assessment;
- Hire an experienced data protection officer who is well-versed in Thailand's PDPA and can respond to data subject requests quickly;
- Create a solid consent framework that handles consent obligations quickly;
- Allow Thais to exercise their rights when an organization sells or uses their personal data;
- Embrace technical and organizational security measures to protect their data processing processes; and
- Examine their data handling practices and any agreements thoroughly.
9. How Can Securiti Help
Thailand's Personal Data Protection Act is a welcome endeavor in the legislative privacy landscape, especially in light of recent technological advancements and issues stemming from COVID-19. It shows that governments are beginning to see data privacy as a fundamental human right.
In today's digital economy, it's past time for national and multinational corporations to recognize data privacy as a human right, not merely a consumer right, and ensure that their privacy policies comply with all applicable laws.
Businesses must employ robotic automation to operationalize compliance and prevent falling behind in an ever-growing technological network.
Securiti uses the PrivacyOps architecture to provide end-to-end automation for businesses, combining reliability, intelligence, and simplicity. Securiti can assist you in complying with Thailand’s PDPA and other privacy and security standards worldwide. Examine how it functions. Request a demo right now.