The government of Thailand has passed its first-ever data protection law, the Personal Data Protection Act (PDPA), which came into effect on June 1st, 2022. Like the European Union’s General Data Protection Regulation (GDPR), Thailand’s PDPA ensures an appropriate level of security of data subjects' personal information and grants them several protections and rights.
With a few exceptions, Thailand's PDPA applies to any legal entity that collects, uses, or discloses the personal data of a living natural person.
The PDPA applies to personal data collected, used, and disclosed by a data controller or data processor in Thailand, irrespective of whether the collection, use, or disclosure occurs in Thailand or elsewhere.
If a data controller or data processor is located outside Thailand, the PDPA still applies to its collection, use, or disclosure of the personal data of data subjects who are in Thailand, where the controller's or processor's activities are the following:
The PDPA does not apply to the following:
Any information on a natural person which can be used to identify that person, either explicitly or implicitly. Information about deceased people isn’t considered personal data. Personal data includes name, address, phone number, customer ID, age, gender, height, username, password, and IP address.
The PDPA does not define sensitive personal data. However, any personal data relating to the following can be considered sensitive personal data:
A person or legal entity that determines the purposes and means of collecting, using, or disclosing personal data.
Any person or legal entity that collects, uses, or discloses personal data on behalf of, and under the instructions of, the data controller.
The data controller shall not collect, use, or disclose personal data unless the data subject has given consent prior to or at the time of such collection, use, or disclosure, except in certain circumstances.
A request for consent must be made explicitly, in a written statement or by electronic means, unless that is impossible by its nature. Any such request must be in clear and plain language and must inform the data subject of the purposes for which the personal data will be collected, used, or disclosed.
Data subjects have the right to withdraw their consent at any time, and the option of withdrawal of consent should be made as easy as giving consent.
A data subject’s consent is not needed where personal data is processed for a public interest purpose, to prevent or suppress a danger to a person’s life, body, or health, for the performance of a contract to which the data subject is a party, or for compliance with a legal obligation.
The PDPA prescribes different consent requirements for processing minors’ personal data. Where the minor is under 10 years of age, his or her personal data may be processed only with the consent of the person holding parental power over the minor.
The Data Controller must provide the following information to the Data Subject prior to or at the time of the collection of personal data unless the data subject is already aware of such details.
The PDPA requires data controllers to implement suitable security measures to protect personal data from unauthorized or unlawful access, loss, use, alteration, correction, or disclosure. Such measures must be reviewed regularly, and in particular whenever it is necessary or when technology changes. Organizations must establish personal data security measures covering administrative safeguards, technical safeguards, and physical safeguards that govern access to and use of personal data.
The data controller must notify the PDPC of a personal data breach without delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
If a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the data controller must also notify the affected data subjects of the breach and the remedial measures without delay. The data processor is responsible for notifying the data controller of any personal data breach that occurs.
Under the PDPA, data controllers and data processors, including their representatives, are required to appoint a Data Protection Officer (DPO) in the following circumstances:
The PDPA makes no explicit provision requiring the data controller to conduct a Data Protection Impact Assessment ('DPIA'). Nonetheless, the PDPA requires the data controller to assess the level of risk and degree of personal data collection, processing, and disclosure that may jeopardize the rights of data subjects.
The data controller and data processor must establish and keep written or electronic records of personal data processing activities. The PDPA provides an exception from this obligation for small organizations.
The record of processing activities must include:
The PDPA prescribes the following obligations for the data processors. To stay compliant with the PDPA, data processors must:
Under the PDPA, a data processor that fails to comply with item (1.) above in collecting, using, or disclosing personal data is regarded as the data controller for that collection, use, or disclosure.
The PDPA requires that the destination country or any international organization that receives personal data from data controllers and processors in Thailand have an adequate data protection standard. The cross-border data transfer requirements may be exempted in the following situations:
Furthermore, under Section 29 of the PDPA, a data controller or data processor that has a Personal Data Protection Policy for transfers within its group of affiliated businesses or undertakings, reviewed and certified by the PDPC, may transfer personal data abroad to those affiliated businesses on the basis of that policy. In the absence of such a certified policy, the transfer may proceed only where appropriate safeguards are in place, with effective legal remedies that ensure the data subjects' rights as prescribed by the PDPC.
Under the PDPA, data subjects have the following rights:
Data subjects have the right to access and obtain a copy of their personal data from the data controller. The controller must act on the request without delay and no later than one month from the date it receives the data subject’s request.
Data subjects have the right to receive their personal data from the data controller in a readable format. The data controller must arrange for the personal data to be in a format that is readable or commonly used by automated tools or equipment and that can be used or disclosed by automated means, and data subjects may also request that the controller send or transfer the data in that format to another controller.
Under the PDPA, data subjects shall have the right to object to the processing of their personal data:
Data subjects have the right to erasure, under which the data controller must delete, destroy, or anonymize their personal data where the data subject withdraws consent and the controller has no other legal ground to collect, use, or disclose the data; where the personal data is no longer necessary for the purpose for which it was collected, used, or disclosed; or where the personal data was collected, used, or disclosed unlawfully.
Data subjects also have the right to request that the use of their personal data be restricted. This applies, for example, where the data subject objects to erasure or destruction of the personal data but still objects to further processing of it, or where the personal data is no longer needed for the purpose for which it was collected but the data subject requires it to be retained for the establishment, compliance, exercise, or defense of legal claims.
Data subjects have the right to have inaccurate personal data about them rectified and incomplete personal data completed, so that it is accurate, up to date, complete, and not misleading.
Under the PDPA, the Personal Data Protection Committee ('PDPC') is in charge of designing and issuing sub-regulations under the Act. Before the PDPC was constituted, its functions were carried out by the Ministry of Digital Economy and Society ('MDES').
The PDPC has the following authority and responsibilities:
A violation of the PDPA may result in civil liability, criminal liability, and administrative fines. For example, a data controller may be liable to pay compensation to a data subject for the damage the data subject has suffered.
Such compensation includes all necessary expenses the data subject incurred in preventing or mitigating the damage. Administrative fines under the PDPA can reach five million baht, and criminal penalties can include imprisonment for a term not exceeding one year, depending on the type of violation.
To comply with Thailand’s PDPA, organizations must:
Thailand's Personal Data Protection Act is a welcome endeavor in the legislative privacy landscape, especially in light of recent technological advancements and issues stemming from COVID-19. It shows that governments are beginning to see data privacy as a fundamental human right.
In today's digital economy, it's past time for national and multinational corporations to recognize data privacy as a human right, not merely a consumer right, and ensure that their privacy policies comply with all applicable laws.
Businesses must automate their compliance processes to operationalize these obligations and avoid falling behind in an ever-growing technological landscape.
Securiti uses the PrivacyOps architecture to provide end-to-end automation for businesses, combining reliability, intelligence, and simplicity. Securiti can assist you in complying with Thailand’s PDPA and other privacy and security standards worldwide. See how it works and request a demo today.