Thailand’s main data privacy law is the Personal Data Protection Act (PDPA), which was passed into law in 2019 and fully implemented in June 2022.
It sets out key principles governing the processing of personal data and establishes the Personal Data Protection Commission (PDPC) as the responsible regulator.
The PDPC has the following powers: to implement and enforce the PDPA; to issue its implementing rules and regulations; to establish policies and direction for personal data protection; to conduct investigations in response to complaints; and to issue enforcement orders against data controllers and data processors who violate the PDPA.
As of November 2023, PDPC has issued 21 implementing rules, regulations, and guidelines under the PDPA.
Key principles of PDPA
(1) Categories of personal data.
Under the PDPA, personal data means any information about an individual that allows the individual to be identified, directly or indirectly, but does not include information about a deceased person. The PDPA governs the processing of two categories of personal data: (i) general personal data, and (ii) sensitive personal data (SPD). SPD is personal data pertaining to race, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or any other data that may affect the data subject in the same manner, as prescribed by the PDPC.
(2) Processing of personal data.
“Processing” of personal data under the PDPA refers to the collection, use, and disclosure of personal data. Personal data may be collected only to the extent necessary for the stated purpose and retained only for as long as necessary for that purpose.
Before or at the time of collecting general personal data, the data controller must inform the data subject of the purpose of the collection by providing the data subject with a privacy notice that contains at least: the purposes for which the personal data is collected; details of the data controller and its data protection officer (DPO); the third parties to whom the personal data may be disclosed; and the data subject’s rights and when and how those rights can be exercised.
The collection, use, or disclosure of SPD without the data subject’s explicit consent is prohibited, subject to limited exceptions, such as where it is necessary to prevent or suppress a danger to the life, body, or health of a person and the data subject is unable to give consent.
Processing of personal data is lawful only where it rests on a legal basis recognised under the PDPA. Where processing is based on the data subject’s consent, the data subject may withdraw that consent at any time by notifying the data controller or data processor of the withdrawal.
When processing personal data, data controllers and data processors must maintain the integrity and confidentiality of personal data.
The data controller or data processor must keep a complete record of personal data processing activities for inspection by or submission to the PDPC.
(3) Cross-border data transfers.
Personal data may not be transferred to a jurisdiction or international organization that lacks adequate data protection unless an exception under the PDPA applies, including: (i) the data subject has given his/her explicit consent after being informed of the lack of adequate data protection; or (ii) the cross-border transfer is necessary pursuant to a contract between the transferor and the recipient in the destination country or receiving international organization.
The PDPC encourages companies within the same group to implement binding internal rules governing intra-group data transfers, so that all group companies adopt the same high standard of data protection.
(4) DPO.
From 13 December 2023, data controllers and data processors are required to appoint a DPO if their core activities involve: (i) processing personal data on a large scale in a way that requires regular monitoring of the personal data or of systems, such as tracking, monitoring, analysis or prediction of behavior or attitudes, systematic processing of personal data, membership programs, credit scoring, fraud prevention, data processing by network service providers or carriers, and behavioral advertising; or (ii) processing SPD, regardless of the volume of personal data.
Failure to appoint a DPO may result in an administrative fine not exceeding 1 million Baht (US$28,300).
Protection of minors
If you wish to collect personal data from a minor under the age of 10, you must obtain consent from the holder of parental power.
If the minor is 10 or older but has not become sui juris by marriage or otherwise lacks legal capacity, consent must be obtained from both the minor and the legal guardian.
Compliance requirements
The key compliance programs companies should implement under the PDPA include:
- Establish and maintain a data privacy policy that fully complies with data processing requirements under the PDPA.
- Enter into a data processing or data transfer agreement between the data controller and the data processor.
- Conduct a data protection impact assessment to identify data privacy risks and the measures needed to mitigate them.
- Obtain explicit consent from the data subject before or at the time of collection, use or disclosure of personal data and maintain a record of such consent, unless an exception applies.
- Establish mechanisms to protect and facilitate the exercise of data subjects’ rights, including the right to access personal data; the right to withdraw consent at any time; the rights to rectify, delete, restrict or object to the processing of personal data; the right to data portability; and the right to lodge a complaint with the PDPC Office.
- Appoint a DPO when required for core activities to ensure compliance with the PDPA and act as a liaison between data subjects and the PDPC.
Data breach
A data breach notification must be submitted to PDPC within 72 hours of becoming aware of the breach if it may pose a risk to the rights and freedoms of data subjects. The notification must include the nature of the breach, details of the data controller’s contact person or DPO, possible consequences, and steps taken or to be taken to mitigate potential adverse effects.
If a data breach is likely to pose a high risk to the rights and freedoms of data subjects, a data breach notification with remedial action must be provided to both the PDPC and the data subjects without delay.
Where a data breach involves multiple data subjects, the data controller may notify the affected data subjects either individually or by a general notice, using public media, social media, electronic means or any other channel accessible to the data subjects and the general public.
Penalties under the PDPA
Data controllers and data processors who fail to meet the compliance requirements or who violate restrictions or prohibitions under the PDPA may be subject to administrative fines, criminal liability, and civil liability.
The maximum administrative fine is 5 million Baht. Criminal liability includes imprisonment of up to one year and/or a fine of up to 1 million Baht for each violation.
Civil liability consists of compensation for actual damages, plus punitive damages of up to twice the actual damages, payable to injured data subjects upon court order.
Penalties imposed by the PDPC or the courts will depend on the nature, severity and duration of the breach, the number of data subjects affected, and the mitigation measures taken at the time and after the breach occurs.
The information provided in this article does not constitute legal advice. This is of a general nature and may not apply to your particular situation. You should seek specific advice before acting on the information provided.
LawPlus Ltd.
Unit 1401, 14th floor, Abdulrahim Place
990 Rama IV Road, Bangkok 10500, Thailand
Phone number: +662 636 0662 (international)
Phone: 02 636 0662 (local call)
www.lawplusltd.com