Thailand Personal Data Protection Act
With the Thailand Personal Data Protection Act, 2019 (PDPA), Thailand is the latest addition to the list of countries with a comprehensive data protection law. The Act is strongly influenced by the General Data Protection Regulation (GDPR).
The Cabinet of Parliament of the Kingdom of Thailand approved the Royal Decree providing that organisations established under the Royal Decree are exempted from the applicability of the data protection act.
It should also be noted that the PDPA requires businesses to comply with the principle of data minimisation, i.e., data should be limited to the extent that is required to fulfil the purpose.
Applicability and scope
The PDPA applies to any person or entity that collects, uses, or discloses the personal data of an individual.
The PDPA has both territorial and extra-territorial application. As for its territorial scope, the PDPA applies to the collection, use, and/or disclosure of personal data by a personal data controller or data processor that is in Thailand. Furthermore, the PDPA has extra-territorial applicability over entities outside Thailand that collect, use, and/or disclose personal data of data subjects who are in Thailand in two circumstances:
- where the activities of collection, use, and disclosure are associated with the offering of products or services to individuals who are in Thailand, regardless of whether payment is made by the individuals; or
- where the activities of collection, use, and disclosure are associated with the monitoring of the individual's behaviour, where the behaviour takes place in Thailand.
The PDPA, like the Indian PDPB, distinguishes between general personal data and sensitive personal data.
The following are the exemptions under the law:
- Data collected for private purposes or household purposes
- Data collected by government agencies associated with national security, money laundering and cybersecurity
- Media subject to moral standards and public interest purposes
- Data collected by the Members of Parliament and Judiciary
- Data collected by credit bureaus
The PDPA excludes two types of personal data, namely personal data of a decedent, and business data such as contact details and the title or address of the business.
According to Section 6 of the law, personal data is any information relating to a person which directly or indirectly enables the identification of that individual. This includes names, address, email address, telephone number, ID number or another number that identifies a particular person, and others.
Although there's no definition within the PDPA, the law implies that sensitive data is any personal data related to:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Criminal records
- Trade union memberships
- Genetic data
- Biometric data
- Health records
- Sexual orientation or preferences
Data Subject Rights
- Right to be informed- The personal data controller shall inform the data subject, prior to or at the time of the collection of the personal data, of the required details (e.g. the purpose of the collection, the data retention period, and the rights of the data subject), except in cases where the data subject already knows of such details.
- Right to access- The data subject has the right to access or request a copy of his/her personal data that the data controller collects, uses, and discloses.
- Right to rectification- The data subject has the right to have his/her personal data that the data controller collects, uses, and discloses rectified where it is incomplete, inaccurate, misleading, or not up to date.
- Right to erasure- The data subject has the right to request the data controller to delete or de-identify his/her personal data that the data controller collects, uses, and discloses, except that the data controller is not obligated to do so if it must retain such data to comply with a legal obligation or to establish, exercise, or defend legal claims.
- Right to object/opt-out- The data subject has the right to object to certain collection, use, and disclosure of his/her personal data such as objecting to direct marketing.
- Right to data portability- The data subject has the right to obtain the personal data that the data controller holds about him/her, in a structured, electronic format, and to send or transfer such data to a different data controller.
- Right not to be subject to automated decision making- The data subject has the right to restrict the use of his/her personal data in certain circumstances.
- Right to withdraw consent- The data subject has the right to withdraw his/her consent at any time for the purposes that he/she has consented to the collecting, using, and disclosing of his/her personal data.
- Right to lodge a complaint- The data subject has the right to lodge a complaint with the competent authority where he/she believes that the collection, use, and disclosure of his/her personal data is unlawful or non-compliant with the PDPA.
Controller and Processor Obligations
- Data Processing notification- The data controller must inform the data subject, prior to or at the time of the collection of the personal data, of the required details (e.g. the purpose of the collection, the data retention period, and the rights of the data subject), except in cases where the data subject already knows of such details. Nonetheless, there's currently no registration requirement.
- Cross border data transfer- Under the PDPA, cross-border transfer requirements are only vaguely defined, which increases compliance risks. The PDPA will require one of three conditions for international transfers:
  - Transfer to a country that has established strong data protection measures that comply with the guidelines defined by the Personal Data Protection Committee
  - A pre-existing contract between the data owner and the controller
- Data Processing Records- The data controller and the data processor must prepare and maintain records of personal data processing activities for the data subject and the Office of the Personal Data Protection Committee, and it can be either in a written or electronic form. The rules and methods of the records of processing activities will be set forth in further sub-regulation.
- Data Protection Impact Assessment- There is no direct provision of the PDPA that requires the data controller to carry out a Data Protection Impact Assessment ('DPIA'). However, the data controller must acknowledge the level of risk and severity of the collection, use, and disclosure of personal data which may adversely affect the rights and freedoms of natural persons.
- Data Protection Officer Appointment- It’s mandatory to appoint a Data Protection Officer under the law. The Data Protection Officer is required if conditions under the PDPA (and the future sub-regulations) are met. For example, the appointment of a DPO is required if the core activity of the personal data controller or personal data processor is the collection, use, or disclosure of sensitive personal data.
- Data Breach Notification- The data controller is required to notify the PDPC of the personal data breach without delay and, where feasible, within 72 hours after having become aware of it. In case the personal data breach is likely to result in a high risk to the rights and freedoms of persons, the data controller is required to notify the data subject of the breach incident and the remedial measures without undue delay.
- Data Retention- When collecting personal data, the personal data controller needs to inform the data subject, prior to or at the time of the collection of personal data, of the period for which the personal data will be retained. If it is not possible to specify such a retention period, the expected data retention period according to the data retention standard needs to be specified.
- Minor’s Data- If the data subject is a minor (under 20 years of age), the data controller may need to:
  - Obtain parental consent for minors between 0 - 10 years;
  - Obtain only the minor's consent for minors who are older than 10 but younger than 20 years of age for an act for which minors are competent to give consent; or
  - Obtain both parental consent and the minor's consent for minors who are older than 10 but younger than 20 years for an act for which minors are not competent to give consent.
- Special categories of personal data- The data controller is required to obtain explicit consent before collecting sensitive personal data, unless an exemption applies. The data controller may collect personal data related to criminal records only when the collection is under the control of an authorised official authority or as otherwise prescribed in the further sub-regulation by the Personal Data Protection Committee.
- Controller and Processor Contracts- The personal data controller should put in place an agreement to control the activities carried out by the personal data processor on behalf of the personal data controller, and such an agreement should set out the obligations of the personal data processor in accordance with the requirements under the PDPA. In case the personal data controller and the personal data processor fail to comply with their obligations under the PDPA, liabilities would include civil liability with punitive damages, criminal, and administrative penalties.
- Information on the purpose of collection, use, or disclosure of personal data
- Notification if the user is obliged to provide their personal data for compliance with law or contract or entering a contract, if applicable
- The personal data to be collected and the retention period
- The categories of persons or entities to which the collected personal data may be disclosed.
- Your information, address, and the contact channel details or your representative or data protection officer, if applicable, and
- The rights of the data subject.
Preparing for Compliance
Given the short grace period for compliance, it is essential that organizations start reviewing their personal data related activities (i.e., customer data, supplier data, employee data, billing and payment documents, etc.) now and take the necessary steps to ensure compliance with all the PDPA policies come May 27, 2020. Several of these steps include:
- Data mapping to understand how your company collects, processes, transmits, and stores data, which includes identifying the legal basis to collect and use personal data
- Reviewing internal policies, agreements, and practices related to personal data
- Implementing data management processes and operating systems
- Updating existing privacy notices and creating relevant legal documents
- Ensuring employees and personnel are fully trained on the relevant requirements of the PDPA
- Conducting a gap assessment to identify the current levels of compliance
- Having processes in place that exercise the rights of individuals relating to their personal data
Due to the similarities between the PDPA and the GDPR, organizations already subject to the GDPR should be well-placed for compliance. However, GDPR compliance will not guarantee compliance with the PDPA. And with significant penalties for noncompliance and less than a year until the deadline, organizations that handle the personal data of data owners of Thailand should not wait to start working on compliance.
Enforcement and penalties
Enforcement of the PDPA will fall under the power of a Personal Data Protection Committee (PDPC), established to enforce compliance. The PDPC will generate the guidelines for implementing a data protection framework.
If found noncompliant with the law, organizations can face both civil and criminal penalties. Maximum fines under the PDPA will be substantial (though not as severe as the GDPR), with each offense having the potential to incur administrative fines of up to THB 5 million ($165,000 USD) and criminal fines of up to THB 1 million ($33,000 USD). The PDPA also grants the court the authority to award punitive damages of up to twice the amount of actual damages and imprisonment up to one year. In addition, data owners are now able to bring their own class-action lawsuits.
Penalties can be imposed under the following conditions:
- Disclosing to another person the personal data obtained while performing the duties under this Act
- Disclosing sensitive personal data without the data subject’s consent or for a purpose other than that for which consent was given, for a personal benefit or in a way that may cause them damage, or
- Transferring sensitive personal data to a country without adequate personal data protection standards for a personal benefit or in a way that may cause damage to data subjects.
Prantik Mukherjee is a lawyer specializing in data protection and privacy compliance.