Thailand PDPA
Thailand’s first privacy law.
What is PDPA?
The Personal Data Protection Act of Thailand is the country’s first privacy law. It was first published in 2019 and, after a series of postponements by royal decree, came fully into force in June 2022.
Compared to other data privacy laws around the world, it stands out for its extraterritorial scope: it protects any data subject located in Thailand, regardless of nationality.
Covered organizations that collected data before June 2022 may continue to do so if the purpose of collection has not changed, but they must publish a consent withdrawal option and inform data subjects so that they can opt in to or out of collection. If the purpose of collection has changed, fresh consent is now required.
What is Personal Information, and what are the other key definitions?
Thailand’s PDPA offers only a few key definitions, such as ‘personal data’, which means “any information relating to a Person, which enables the identification of such a Person, whether directly or indirectly, but not including the information of the deceased Persons in particular.”
Although it does not specifically define ‘sensitive personal data,’ the law does list several types of personal data that receive a special protection regime, namely “personal data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data.”
Along the same lines, PDPA defines ‘data controller’ as “a Person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data,” and a ‘data processor’ as “a Person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such Person or juristic person is not the Data Controller.”
Who has to comply with the PDPA?
PDPA applies to any data collected and processed about data subjects in Thailand, regardless of whether the actual collection, use, or disclosure of the personal data takes place in Thailand or not.
This means that if you are located outside Thailand but collect, use, or disclose personal data of data subjects located in Thailand, you have to comply with the regulation if your organization engages in one of the following activities:
- “the offering of goods or services to the data subjects who are in the Kingdom of Thailand, irrespective of whether the payment is made by the data subject;
- the monitoring of the data subject’s behavior, where the behavior takes place in the Kingdom of Thailand.”
Who is excluded from PDPA compliance?
There are several types of data or institutions where compliance with the regulation is not required, such as:
- the collection, use, or disclosure of Personal Data by a Person who collects such Personal Data for personal benefit or household activity of such Person only;
- operations of public authorities having the duties to maintain state security, including financial security of the state or public safety, including the duties with respect to the prevention and suppression of money laundering, forensic science or cybersecurity;
- a Person or a juristic person who uses or discloses Personal Data that is collected only for the activities of mass media, fine arts, or literature, which are only in accordance with professional ethics or for public interest;
- The House of Representatives, the Senate, and the Parliament, including the committee appointed by the House of Representatives, the Senate, or the Parliament, which collect, use or disclose Personal Data in their consideration under the duties and power of the House of Representatives, the Senate, the Parliament or their committee, as the case may be;
- trial and adjudication of courts and work operations of officers in legal proceedings, legal execution, and deposit of property, including work operations in accordance with the criminal justice procedure;
- operations of data undertaken by a credit bureau company and its members, according to the law governing the operations of a credit bureau business.
In addition, consent is not required for the collection of personal data when:
- it is for the achievement of the purpose relating to the preparation of the historical documents or the archives for public interest, or for the purpose relating to research or statistics, in which the suitable measures to safeguard the data subject's rights and freedoms are put in place and in accordance with the notification as prescribed by the Committee;
- it is for preventing or suppressing a danger to a Person’s life, body or health;
- it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
- it is necessary for the performance of a task carried out in the public interest by the Data Controller, or it is necessary for the exercising of official authority vested in the Data Controller;
- it is necessary for legitimate interests of the Data Controller or any other Persons or juristic persons other than the Data Controller, except where such interests are overridden by the fundamental rights of the data subject of his or her Personal Data;
- it is necessary for compliance with a law to which the Data Controller is subjected.
How can I keep my organization PDPA compliant?
Compliance with Thailand’s data privacy law is fairly straightforward if you follow these guidelines:
- do not collect, use, or disclose personal data if you don’t have prior consent, unless exceptions apply;
- do not collect, use, or disclose personal data for any other purpose than the one you confirmed to the data subject before or during collection;
- limit the collection “to the extent necessary in relation to the lawful purpose of the Data Controller”;
- before collecting personal data you must inform the data subject of the following details:
  - the purpose of collection;
  - a notification of the fact that the collection is necessary in order to comply with a law or in order to enter a contract, if either of these applies, as well as the possible consequences of the data subject not providing his or her personal data;
  - what personal data will be collected and for how long;
  - the categories of Persons or entities to whom the collected personal data may be disclosed;
  - the information, address, and contact channel details of the Data Controller and, where applicable, of the Data Controller’s representative or data protection officer;
  - the rights of the data subject, as confirmed by the text of the law;
- unless exceptions outlined in Section 25 apply, you cannot collect personal data from any other source, apart from the data subject directly;
- any collection of the sensitive personal data categories outlined above is forbidden without express consent from the data subject, unless the exceptions stated in the text of the law apply;
- if you intend to transfer personal data to a foreign country, the destination country must have an “adequate data protection standard” and the transfer will have to be carried out in accordance with the rules prescribed by the Personal Data Protection Committee whose responsibilities include “to announce and establish criteria for providing protection of Personal Data which is sent or transferred to a foreign country;”
- you must ensure that the data you collected remains “accurate, up-to-date, complete, and not misleading;”
- you are required to provide “appropriate security measures for preventing the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of Personal Data, and such measures must be reviewed when it is necessary, or when the technology has changed in order to efficiently maintain the appropriate security and safety;”
- you must have a system in place for the erasure or destruction of personal data whose retention period has ended, which has become irrelevant, or when this has been requested by the data subject;
- in the event of a data breach you are required to inform the regulating authority of this within 72 hours, where feasible, and if this is bound to affect the data subject you must also inform them of the breach and of the remedial measures to be taken;
- if your organization is located outside Thailand you are required to designate in writing a representative who must be in the Kingdom of Thailand and be authorized to act on your behalf without any limitation of liability with respect to the collection, use or disclosure of the Personal Data according to the purposes of your organization;
- last but not least, you must designate a data protection officer (DPO) in the following circumstances:
  - you are a public authority;
  - your activities in the collection, use, or disclosure of personal data require regular monitoring because of the high volume of data being collected, used, or disclosed;
  - your core activity is the collection, use, or disclosure of personal data.
What data access rights does PDPA grant?
Thailand’s PDPA grants individuals the following data subject access rights:
- Right to access
- Right to know
- Right to correct
- Right to delete
- Right to object to processing
- Right to data portability
There are no special conditions attached to any of these rights, and no differences in the way they have to be granted compared to other data privacy laws such as the GDPR, on which the PDPA was modeled.
How to address data subject access requests under PDPA?
DSARs must be handled according to the following guidelines, outlined in the text of the law:
- once a data subject access request is made, you must verify it and ensure that there are no grounds for refusal;
- the law states that valid grounds for refusal mean that “it is permitted by law or pursuant to a court order” and where “such access and obtaining a copy of the Personal Data would adversely affect the rights and freedoms of others;”
- if this is not the case, you must fulfill the request “without delay, but shall not exceed thirty days from the date of receiving such request;”
- you must arrange that the data is “in the format which is readable or commonly used by means of automatic tools or equipment, and can be used or disclosed by automated means.”
Enforcement and penalties
Thailand’s PDPA provides two types of penalty for violations of the regulation: criminal liability and administrative fines.
For criminal liability, the penalties, depending on the offence, include:
- imprisonment for a term not exceeding six months, a fine not exceeding Baht five hundred thousand, or both.
- imprisonment for a term not exceeding one year, a fine not exceeding Baht one million, or both.
- imprisonment for a term not exceeding six months, a fine not exceeding Baht five hundred thousand, or both.
In the case of administrative fines, these can range from 500,000 baht (approx. $13,000) to 5 million baht (approx. $130,000).
Data Subject Rights - GDPR vs. PDPA
GDPR
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
Thailand PDPA
- Right to access
- Right to know
- Right to correct
- Right to delete
- Right to object to processing
- Right to data portability
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- ReadyCompliance™: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.
You can see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.