Published on August 18, 2020 AUTHOR - PRIVACY RESEARCH TEAM
The government of Thailand has passed its first-ever data protection law, the Personal Data Protection Act (PDPA) that came into effect in May 2020. Like the European Union’s General Data Protection Regulation (GDPR), the PDPA ensures an appropriate level of security of personal information of users and grants them several protections and rights.
The PDPA applies to the collection, use or disclosure of personal information by data controllers or data processors located in Thailand, regardless of whether that collection, use or disclosure takes place in Thailand or not. It also applies to the collection, use or disclosure of personal data by data controllers or data processors located outside Thailand, where such collection, use or disclosure relates to the offering of goods or services to data subjects in Thailand, whether or not payment is made by the data subject, or where the data subject’s behaviour is being monitored in Thailand. The law, however, does not apply to foreign public authorities, international organizations and public entities, including those engaged in duties with respect to the prevention and suppression of money laundering, forensic sciences, or cybersecurity.
The PDPA requires data controllers and processors to obtain the free consent of users by way of an explicit written request before processing their information. Any such request must be in clear and plain language, informing users of the purposes for which their information is processed. Data subjects have the right to withdraw their consent at any time, and withdrawing consent should be made as easy as giving it. A data subject’s consent is not needed where data is being processed for a public interest purpose, to suppress a danger to a person’s life, body or health, for the performance of a contract to which the data subject is a party, or for the purpose of compliance with any law.
Under the PDPA, data subjects have the following rights:
While most of the provisions of the PDPA in relation to data subjects’ rights are based on the content of the GDPR, certain changes can be observed. Some of the notable differences concerning data subjects’ rights between the two regulations are as follows:
Under the PDPA, data controllers and processors are required to adopt appropriate security measures to prevent any data loss or security incident. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of persons, the data controller must notify the Office of the Personal Data Protection Committee without delay and, where feasible, within 72 hours after having become aware of the breach. Where a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must also inform the affected individuals of the breach without delay, along with the remedial measures that can be taken.
The law requires that the destination country or international organization receiving personal data from controllers and processors in Thailand have an adequate data protection standard. This requirement may be exempted where the cross-border transfer complies with any law, where the transfer is necessary for the performance of a contract to which the data subject is a party, or where the consent of the data subject has been obtained, provided that he or she has been informed of the inadequate protection standards of the destination country.
A violation of the PDPA may result in civil liability, criminal liability and administrative fines. For example, a data controller may be liable to pay compensation to the data subject for the damage suffered. The amount of such compensation shall include all necessary expenses incurred by the data subject for the prevention or suppression of damages. Under the PDPA, the maximum penalty that can be awarded is a fine of five million Baht and imprisonment for a term not exceeding one year, depending on the type of violation.
In light of recent technological changes and the challenges arising out of COVID-19, Thailand’s Personal Data Protection Act is a welcome initiative in the privacy legal landscape. It indicates that governments have started recognizing data privacy as an individual’s basic human right. In today’s digital economy, it is high time that transnational and multinational companies accept data privacy as an individual’s human right, not just a consumer right, and ensure that their privacy policies are fully compliant with applicable laws.
SECURITI.ai is the leader in AI-powered PrivacyOps and data governance. Similar to DevOps for software, PrivacyOps re-imagines how to efficiently implement privacy management throughout an organization. SECURITI.ai is a recognized innovator in this market, having been awarded "Most Innovative Startup" at RSA Conference 2020, and Leader in the Forrester Wave: Privacy Management Software. SECURITI.ai's PrivacyOps solution uniquely combines real-time data intelligence harnessing bot and AI technology with full workflow automation of all the major privacy compliance functions.