'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
The Personal Data Protection Act, B.E. 2562 (2019) ('PDPA') is Thailand's first consolidated data protection law, which was published in the Thai Government Gazette on 27 May 2019. This law was said to go into effect on 27 May 2020. However, in May 2020, the Thai Cabinet through a Royal Decree has deferred the enforcement of certain data protection provisions of the PDPA until 31 May 2021.
The PDPA aims to guarantee protection of individuals' personal data, and impose obligations on businesses that deal with the collection, usage, and disclosure of personal data. The PDPA is largely based on the GDPR, and therefore, there are several similarities between the two, such as the legal provisions for processing of personal data, data subject requests, and other security measures requirements.
SECURITI.ai enables organizations to comply with the Thai PDPA regulations through AI-driven PI data discovery, DSR automation, documented accountability, enhanced visibility into data processing activities and AI-driven process automation.
See how our comprehensive PrivacyOps platform helps you comply with various sections of PDPA.
Simplify your DSR request format by building web forms customized for your brand image to accept verified data subject rights requests. Automate the initiation of fulfillment workflows when verified requests are received.
PDPA Section: 23, 30
Data subjects need to be notified about their data privacy rights and organizations are required to simplify the initiation of verified DSR requests. The automation of the delivery and generation of secure data access reports will greatly reduce the risk of compliance violations and reduce the workforce required to comply with all the requests.
PDPA Sections: 23, 30, 31
Organizations are required to disclose the information to the data subjects within a limited time frame of receiving a verifiable data request. This will be free of charge, and delivered through a secure centralized portal.
PDPA Sections: 35, 36
Seamlessly fulfill data rectification requests with the help of automated data subject verification workflows across all appearances of a subject’s personal data.
PDPA Section: 33
Quickly fulfill data subject’s’ erasure requests through automated and flexible workflows.
PDPA Sections: 23, 32, 34
Build a framework for objection and restriction of processing handling based on business requirements, with the help of collaborative workflows.
PDPA Sections: 37(1)(3), 39, 40
Keep track of risks involved by continuously monitoring and scanning data against non-compliance to subject rights, security controls or data residency. Surface new Personal Data categories, types and data flow risks on a continuous basis.
PDPA Sections: 39, 40(3)
Discover personal information stored across all your systems within the organization and link them back to a unique data subject. Visualize personal data sprawl and identify compliance risks.
PDPA Sections: 19, 20, 25, 26
Automatically scan the organization’s web properties and categorize tags and cookies.Also build customizable cookie banners, collect consent and provide a preference center.
PDPA Sections: 19, 20, 24, 25, 26, 27
Track consent revocation of the data subjects to prevent the processing or transfer of data without their consent. Demonstrate consent compliance to regulators and data subjects.
PDPA Sections: 37, 39, 40
With the help of our multi-regulation, collaborative, readiness and privacy impact assessment system you can measure your organization's posture against PDPA requirements, identify the gaps and address the risks. Seamlessly being able to expand assessment capabilities across your vendor ecosystem to maintain compliance against PDPA requirements.
PDPA Sections: 39, 40(3)
Keep track of data flows in your organizations, trace this data , catalog the collection of data and transfer data and document business process flows internally and to service providers or 3rd parties.
PDPA Sections: 37(2), 39
Track, manage and monitor privacy and security readiness for all your service providers from a single interface. Collaborate instantly, automate data requests and deletions, and manage all vendor contracts and compliance documents.
PDPA Section: 37(4)
Automates compliance actions and breach notifications to concerned stakeholders in relation to security incidents by leveraging a knowledge database on security incident diagnosis and response.
Access: Data subjects have the right to know what data has been collected about them and how that data is being processed. They can request to access and obtain a copy of their personal data from controllers and processors
Port: Data subjects have the right to request the transfer of personal data from one electronic processing system to another in a readable format and the transmitted can be used or disclosed by automatic means.
Rectification: Data subjects have the right to make changes to inaccurate data. Data subjects have a right to request the rectification of their inaccurate data and have incomplete data stored about themselves completed.
Erasure: Data subjects have a right to erasure available where the controller or processor must delete the data of the data subjects if the data subjects withdraw their consent, or where data is no longer necessary for the purpose it was collected or processed for, or where data was collected unlawfully.
Consent: Personal data cannot be processed without obtaining explicit consent from the data subject.
Under the PDPA, the data controller will have to guarantee the rights of the data subjects.
A violation of the PDPA may result in civil liability, criminal liability, and administrative fines.
Under the PDPA, the maximum penalty that can be awarded is a fine of Baht five million and imprisonment for a term not exceeding one year depending on the violation type.
PDPA contains no detailed rules regarding the use of automated processing of individuals’ personal data for decision making.
PDPA does not apply to foreign public authorities, international organizations and public entities including those that are engaged in duties with respect to the prevention and suppression of money laundering, forensic sciences, or cybersecurity.