
Overview of Thailand’s Personal Data Protection Act (PDPA)


1. Introduction

The government of Thailand has passed its first-ever data protection law, the Personal Data Protection Act (PDPA), which came into effect on June 1st, 2022. Like the European Union’s General Data Protection Regulation (GDPR), Thailand’s PDPA ensures an appropriate level of security of data subjects' personal information and grants them several protections and rights.

2. Who Needs to Comply with the Law

a. Material Scope

With a few exceptions, Thailand's PDPA applies to any legal entity collecting, using, or disclosing the personal data of a living natural person.

b. Territorial Scope

The PDPA applies to personal data collected, used, and disclosed by a data controller or data processor in Thailand, irrespective of whether the collection, use, or disclosure occurs in Thailand or elsewhere.

If a data controller or a data processor is outside of Thailand, the PDPA still applies to the collection, use, or disclosure of personal data of data subjects who are in Thailand, where the activities of such data controller or data processor are the following:

  1. The offering of goods or services to the data subjects who are in Thailand, irrespective of whether the payment is made by the data subject;
  2. The monitoring of the data subject’s behavior, where the behavior takes place in Thailand.

c. Exceptions

The PDPA does not apply to the following:

  1. Operations of public authorities having the duties to maintain state security, including financial security of the state or public safety, including the duties concerning the prevention and suppression of money laundering, forensic science, or cybersecurity;
  2. Trial and adjudication of courts and work operations of officers in legal proceedings, legal execution, and deposit of property, including work operations in accordance with the criminal justice procedure;
  3. The processing for personal benefit or household activity;
  4. The processing for the activities of mass media, fine arts, or literature, which are only in accordance with professional ethics or for the public interest;
  5. The House of Representatives, the Senate, and the Parliament, including the committees appointed by the House of Representatives, the Senate, or the Parliament, which collect, use, or disclose personal data in their consideration under the duties and powers of the House of Representatives, the Senate, the Parliament, or their committees, as the case may be; and
  6. Operations of data undertaken by a credit bureau company and its members, according to the law governing the operations of a credit bureau business.

3. Definitions of Key Terms

a. Personal Data

Any information relating to a natural person which can be used to identify that person, either directly or indirectly. Information about deceased persons is not considered personal data. Personal data includes name, address, phone number, customer ID, age, gender, height, username, password, and IP address.

b. Sensitive Personal Data

The PDPA does not define sensitive personal data. However, any personal data relating to the following can be considered sensitive personal data:

  • Race
  • Ethnic Origin
  • Political Opinions
  • Cult
  • Religious Beliefs
  • Philosophical Beliefs
  • Sexual Behavior
  • Criminal Records
  • Health Data
  • Disability
  • Trade Union Information
  • Genetic Data
  • Biometric Data

c. Data Controller

An authority that determines the means and purpose of collecting, using, and sharing personal data.

d. Data Processor

Any individual or legal entity that collects, uses, or discloses personal data on behalf of, and as directed by, the data controller.

4. Obligations for Organizations Under Thailand’s PDPA

a. Consent Requirements

The data controller shall not collect, use, or disclose personal data unless the data subject has given consent prior to or at the time of such collection, use, or disclosure, except in certain circumstances.

A request for consent shall be explicitly made in a written statement or via electronic means unless it cannot be done by its nature. Any such request must be in clear and plain language, informing users of the purposes of their information processing.

Data subjects have the right to withdraw their consent at any time, and the option of withdrawal of consent should be made as easy as giving consent.

A data subject’s consent is not needed where data is being processed for any public interest purpose, to suppress a danger to a person’s life, body, and health, for the performance of a contract to which a data subject is a party to or for compliance with any law.

Consent Requirement for Minors

The PDPA prescribes different consent requirements for processing minors' personal data. Where the minor is under 10 years of age, his/her personal data can only be processed after obtaining consent from the minor's parents or guardians.

b. Data Processing Notification Requirements

The data controller must provide the following information to the data subject prior to or at the time of the collection of personal data, unless the data subject is already aware of such details:

  1. The reason for collecting personal data for use or disclosure, including the reason for collecting personal data without the consent of the data subject;
  2. Notification of the circumstances in which the data subject must submit personal information to comply with a law, a contract, or enter into a contract, including notification of the potential consequences if the data subject fails to provide the requested personal information;
  3. The personal information that will be gathered and how long it will be kept. The anticipated data retention duration in accordance with the data retention standard must be given if the retention period can't be determined;
  4. The types of people or entities who may receive the collected personal data;
  5. Where appropriate, information on the data controller's representative or data protection officer, including their name, address, and phone number.

c. Security Requirements

The PDPA requires data controllers to implement suitable security measures to protect stored personal data from unauthorized or unlawful access, loss, misuse, modification, alteration, or disclosure. Such security measures must be reviewed regularly. Businesses are required to establish personal data security measures covering administrative safeguards, technical safeguards, and physical safeguards that control access to, and the use of, personal data.

d. Data Breach Requirements

The data controller must notify the Personal Data Protection Committee (PDPC) of a personal data breach as soon as possible, and within 72 hours of becoming aware of it, except where the personal data breach is unlikely to result in a risk to individuals' rights and freedoms.

If a personal data breach poses a high risk to data subjects' rights and freedoms, the data controller is also required to notify the affected data subjects of the breach and the corrective steps taken as soon as possible. The data processor is responsible for notifying the data controller of any personal data breach.

e. Data Protection Officer Requirement

Under the PDPA, data controllers and data processors, including their representatives, are required to appoint a DPO in the following circumstances:

  1. Either the data controller or the data processor is a public authority, as specified by the PDPC;
  2. The activities of a data controller or data processor relating to the collection, use, or disclosure require regular monitoring of the personal data or the system on a large scale; or
  3. The primary activity of the data controller or the data processor is collecting, using, or disclosing certain categories of personal data (sensitive personal data).

f. Data Protection Impact Assessment

The PDPA makes no explicit provision requiring the data controller to conduct a Data Protection Impact Assessment ('DPIA'). Nonetheless, the PDPA requires the data controller to assess the level of risk and degree of personal data collection, processing, and disclosure that may jeopardize the rights of data subjects.

g. Record of Processing Activities

The data controller and data processor must establish and keep written or electronic records of personal data processing activities. The PDPA provides an exception from this obligation for small organizations.

The record of processing activities must include:

  • The information of the data controller;
  • The purposes of the processing;
  • The rights and means to access the data subjects' personal data, including conditions of access and the person(s) authorized to access such data;
  • The details of collected personal data;
  • The retention period of the personal data; and
  • Explanation of appropriate security measures.

h. Third-Party Processing Requirements

The PDPA prescribes the following obligations for data processors. To stay compliant with the PDPA, data processors must:

  1. Only act in accordance with the data controller's instructions when it comes to the collecting, using, or disclosing of personal data, unless doing so would violate the law or any requirements of the PDPA;
  2. Provide the data controller notice of any unauthorized or illegal loss, access to, use, alteration, correction, or disclosure of personal data and implement the necessary security measures to prevent those actions;
  3. Prepare and keep track of all activities involving the processing of personal data in compliance with the guidelines and procedures established by the PDPC.

Under the PDPA, a data processor who fails to comply with item (1) in respect of the collection, use, or disclosure of personal data is regarded as the data controller for that collection, use, or disclosure.

i. Cross-border data transfer Requirements

The PDPA requires that the destination country or any international organization that receives personal data from data controllers and processors in Thailand have an adequate data protection standard. The cross-border data transfer requirements may be exempted in the following situations:

  1. Where it is for compliance with the law;
  2. Where the consent of the data subject has been obtained, provided that the data subject has been informed of the inadequate personal data protection standards of the destination country or international organization;
  3. Where it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  4. Where it is for compliance with a contract between the data controller and other persons or juristic persons for the interests of the data subject;
  5. Where it is to prevent or suppress a danger to the life, body, or health of the data subject or other persons, when the data subject is incapable of giving consent at such time;
  6. Where it is necessary for carrying out the activities in relation to the substantial public interest.

Furthermore, on the basis of having a personal data protection policy as prescribed under Section 29 of the PDPA, a data controller or data processor may transfer personal data abroad to affiliated businesses or to other undertakings in the same group only where appropriate safeguards are in place, with effective legal remedies that ensure the data subjects' rights as prescribed by the PDPC.

5. Data Subject Rights

Under the PDPA, data subjects have the following rights:

5.1 Right to Access

Data subjects have a right to access and obtain a copy of their personal data from data controllers. The data controller must act on such a request without delay, and in any case within one month from the date of receipt of the data subject's request.

5.2 Right to Portability

Data subjects have a right to receive their personal data from controllers and processors in a readable format. The data controller shall arrange for such personal data to be in a format that is readable or commonly used by way of automatic tools or equipment, and that can be used or disclosed by automated means.

5.3 Right to Object

Under the PDPA, data subjects shall have the right to object to the processing of their personal data:

  • When their personal data is collected without consent on the basis of tasks carried out in the public interest, or based on a legitimate interest pursued by the data controller or a third party;
  • When the processing of personal data is for direct marketing purposes; and
  • When the processing of personal data is for scientific, historical, or statistical research purposes.

5.4 Right to Erasure

Data subjects have a right to erasure, under which the controller must delete their personal data where the data subject withdraws consent and the data controller has no other legal ground to collect, use, or disclose the personal data; where the personal data is no longer necessary for the purpose for which it was collected or processed; or where the data was collected unlawfully.

5.5 Right to Restriction of Processing

Data subjects also have a right to request the restriction of the use of their personal data. This right applies where the data subject objects to the erasure or destruction of the personal data but still objects to its further processing, and therefore requests that processing be restricted in certain situations, such as when the data is no longer needed for the purpose for which it was acquired.

5.6 Right to Rectification

Data subjects have a right to request the rectification of inaccurate personal data and to have incomplete personal data stored about them completed.

6. Regulatory Authority

Under the PDPA, the Personal Data Protection Committee ('PDPC') is in charge of designing and issuing future sub-regulations. Previously, the PDPC was represented by the Ministry of Digital Economy and Society ('MDES').

The PDPC has the following authority and responsibilities:

  • To ensure PDPA compliance, determine procedures or strategies for operations relating to personal data protection;
  • Encourage and assist in the safeguarding of personal information;
  • Provide notices or instructions under the PDPA; and
  • Notify and establish rules/guidelines that personal data controllers and processors must follow and adhere to.

7. Penalties for Non-compliance

A violation of the PDPA may result in civil liability, criminal liability, and administrative fines. For example, a data controller may be liable to pay compensation to the data subject for the damage suffered by the data subject.

The amount of such compensation shall include all necessary expenses incurred by the data subject in preventing or suppressing the damage. Under the PDPA, the maximum penalty that can be imposed is a fine of five million Baht and imprisonment for a term not exceeding one year, depending on the type of violation.

8. How an Organization Can Operationalize the Law

To comply with Thailand’s PDPA, organizations must:

  • Evaluate if they meet Thailand's PDPA jurisdictional requirements, such as whether they hold personal data about Thais;
  • Analyze their data inventories and categorize data storage that contains personal information about Thais;
  • Make it transparent how personal data is processed by using official policies and privacy notices;
  • Develop a solid framework for dealing with data subject requests;
  • Analyze risks and vulnerabilities by conducting a data protection impact assessment;
  • Hire an experienced data protection officer who is well-versed in Thailand's PDPA and can respond to data subject requests quickly;
  • Create a solid consent framework that handles consent obligations quickly;
  • Allow Thais to exercise their rights when an organization sells or uses their personal data;
  • Embrace technical and organizational security measures to protect their data processing processes; and
  • Examine their data handling practices and any agreements thoroughly.

9. How Can Securiti Help

Thailand's Personal Data Protection Act is a welcome endeavor in the legislative privacy landscape, especially in light of recent technological advancements and issues stemming from COVID-19. It shows that governments are beginning to see data privacy as a fundamental human right.

In today's digital economy, it's past time for national and multinational corporations to recognize data privacy as a human right, not merely a consumer right, and ensure that their privacy policies comply with all applicable laws.

Businesses must employ robotic automation to operationalize compliance and prevent falling behind in an ever-growing technological network.

Securiti uses the PrivacyOps architecture to provide end-to-end automation for businesses, combining reliability, intelligence, and simplicity. Securiti can assist you in complying with Thailand’s PDPA and other privacy and security standards worldwide. Examine how it functions. Request a demo right now.
