Securiti Named a 2022 Cool Vendor in Data Security by GartnerDownload Now
The Personal Data Protection Act, B.E. 2562 (2019) ('PDPA') is Thailand's first consolidated data protection law, published in the Thai Government Gazette on 27 May 2019. This law was said to go into effect on 27 May 2020. However, in May 2020, the Thai Cabinet, through a Royal Decree, deferred the enforcement of specific data protection provisions of the PDPA until 31 May 2021. After three years of delays, Thailand's PDPA went into effect on June 1st, 2022.
The PDPA aims to protect individuals' personal data and impose obligations on businesses to collect, use, and disclose personal data. The PDPA is primarily based on the EU’s GDPR. Therefore, there are several similarities, such as the legal provisions for processing personal data, data subject requests, and other security measures requirements.
Securiti enables organizations to comply with the Thai PDPA regulations through AI-driven PI data discovery, DSR automation, documented accountability, enhanced visibility into data processing activities, and AI-driven process automation.
See how our comprehensive PrivacyOps platform helps you comply with various sections of Thailand’s PDPA.
Simplify your DSR request format by building web forms customized for your brand image to accept verified data subject rights requests. Automate the initiation of fulfillment workflows when verified requests are received.
PDPA Sections: 23, 30
Data subjects need to be notified about their data privacy rights, and organizations are required to simplify the initiation of verified DSR requests. Automating the delivery and generation of secure data access reports will significantly reduce the risk of compliance violations and the workforce required to comply with all the requests.
PDPA Sections: 23, 30, 31
Organizations must disclose the information to the data subjects within a limited time frame of receiving a verifiable data request. This will be free of charge and delivered through a secure, centralized portal.
PDPA Sections: 35, 36
Seamlessly fulfill data rectification requests with the help of automated data subject verification workflows across all appearances of a subject’s personal data.
PDPA Section: 33
Quickly fulfill data subject's erasure requests through automated and flexible workflows.
PDPA Sections: 23, 32, 34
Build a framework for objection and restriction of processing handling based on business requirements with the help of collaborative workflows.
PDPA Sections: 37(1)(3), 39, 40
Keep track of risks involved by continuously monitoring and scanning data against non-compliance to subject rights, security controls, or data residency. Surface new Personal Data categories, types, and data flow risks continuously.
PDPA Sections: 39, 40(3)
Discover personal information stored across all your systems within the organization and link them back to a unique data subject. Visualize personal data sprawl and identify compliance risks.
PDPA Sections: 19, 20, 25, 26
Automatically scan the organization’s web properties and categorize tags and cookies. Also, build customizable cookie banners, collect consent and provide a preference center.
PDPA Sections: 19, 20, 24, 25, 26, 27
Track consent revocation of the data subjects to prevent the processing or transfer of data without their consent. Demonstrate consent compliance to regulators and data subjects.
PDPA Sections: 37, 39, 40
With the help of our multi-regulation, collaborative, readiness, and privacy impact assessment system, you can measure your organization's posture against PDPA requirements, identify the gaps and address the risks. Seamlessly expand assessment capabilities across your vendor ecosystem to maintain compliance against PDPA requirements.
PDPA Sections: 39, 40(3)
Keep track of data flows in your organizations, trace this data, and catalog data collection and transfer. Document business process flows internally and to service providers or 3rd parties.
PDPA Sections: 37(2), 39
Track, manage, and monitor privacy and security readiness for all your service providers from a single interface. Collaborate instantly, automate data requests and deletions, and manage all vendor contracts and compliance documents.
PDPA Section: 37(4)
Automates compliance actions and breach notifications to concerned stakeholders concerning security incidents by leveraging a knowledge database on security incident diagnosis and response.
Right to be Informed: Data subjects have a right to be informed regarding how their personal data is being collected and used. Businesses are required to inform data subjects of any data they may have of them and any data processing that is taking place.
Right to Access: Data controllers and processors have a legal obligation to provide data subjects with access to and copies of their personal data. This right must be honored without delay and no later than one month after receiving the data subject's request.
Right to Data Portability: Data subjects also have the right to ask for data to be sent from one controller to another in a readable format that can be used or disclosed automatically.
Right to Rectification: Data subjects have the right to have erroneous data corrected and incomplete data about themselves rectified.
Right to Erasure: Data subjects have a right to erasure available where the controller or processor must delete the data of the data subjects if they withdraw their consent, where data is no longer necessary for the purpose it was collected or processed for, or where data was collected unlawfully.
Right to Object/opt-out: When data subjects' data is gathered without their consent, their data is processed for direct marketing purposes, or their data is processed for scientific, historical, or statistical research, they will have the right to object.
The PDPA is Thailand's first data protection legislation.
Under the PDPA, the data controller will have to guarantee the rights of the data subjects.
A violation of the PDPA may result in civil liability, criminal liability, and administrative fines, ranging from a few thousand Thai baht to 5 million Thai baht.
PDPA contains no detailed rules regarding the use of automated processing of individuals’ personal data for decision making.
PDPA does not apply to foreign public authorities, international organizations, and public entities, including those engaged in duties concerning the prevention and suppression of money laundering, forensic sciences, or cybersecurity.
PO Box 13039,
Coyote CA 95013