Thailand PDPA

Who is excluded from PDPA compliance? 

There are several types of data or institutions where compliance with the regulation is not required, such as: 

• the collection, use, or disclosure of Personal Data by a Person who collects such Personal Data for personal benefit or household activity of such Person only;
• operations of public authorities having the duties to maintain state security, including financial security of the state or public safety, including the duties with respect to the prevention and suppression of money laundering, forensic science or cybersecurity;
• a Person or a juristic person who uses or discloses Personal Data that is collected only for the activities of mass media, fine arts, or literature, which are only in accordance with professional ethics or for public interest;
• The House of Representatives, the Senate, and the Parliament, including the committee appointed by the House of Representatives, the Senate, or the Parliament, which collect, use or disclose Personal Data in their consideration under the duties and power of the House of Representatives, the Senate, the Parliament or their committee, as the case may be;
• trial and adjudication of courts and work operations of officers in legal proceedings, legal execution, and deposit of property, including work operations in accordance with the criminal justice procedure;
• operations of data undertaken by a credit bureau company and its members, according to the law governing the operations of a credit bureau business.

In addition to this, there are instances where consent is not required when collecting personal data such as when: 

• it is for the achievement of the purpose relating to the preparation of the historical documents or the archives for public interest, or for the purpose relating to research or statistics, in which the suitable measures to safeguard the data subject's rights and freedoms are put in place and in accordance with the notification as prescribed by the Committee;
• it is for preventing or suppressing a danger to a Person’s life, body or health;
• it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract; 
• it is necessary for the performance of a task carried out in the public interest by the Data Controller, or it is necessary for the exercising of official authority vested in the Data Controller;
• it is necessary for legitimate interests of the Data Controller or any other Persons or juristic persons other than the Data Controller, except where such interests are overridden by the fundamental rights of the data subject of his or her Personal Data;
• it is necessary for compliance with a law to which the Data Controller is subjected.
  
  

How can I keep my organization PDPA compliant? 

Compliance with Thailand’s data privacy law is fairly straightforward if you follow these guidelines: 

• do not collect, use, or disclose personal data if you don’t have prior consent, unless exceptions apply;
• do not collect, use, or disclose personal data for any other purpose than the one you confirmed to the data subject before or during collection;
• limit the collection to “to the extent necessary in relation to the lawful purpose of the Data Controller”;
• before collecting personal data you must inform the data subject of the following details: 
• the purpose of collection;
• a notification of the fact that the collection is necessary in order to comply with a law or in order to enter a contract, if any of these apply, as well as of the possible consequences of the data subject not providing his personal data;
• what personal data will be collected and for how long;
• the categories of Persons or entities to whom the collected personal data may be disclosed;
• information, address, and the contact channel details of the Data Controller, where applicable, of the Data Controller's representative or data protection officer;
• the rights of the data subject, as confirmed by the text of the law;
• unless exceptions outlined in Section 25 apply, you cannot collect personal data from any other source, apart from the data subject directly;
• any collection of personal data pertaining to the sensitive personal data as outlined above, is forbidden without express consent from the data subject, unless the exceptions stated in the text of the law apply;
• if you intend to transfer personal data to a foreign country, the destination country must have an “adequate data protection standard” and the transfer will have to be carried out in accordance with the rules prescribed by the Personal Data Protection Committee whose responsibilities include “to announce and establish criteria for providing protection of Personal Data which is sent or transferred to a foreign country;”
• you must ensure that the data you collected remains “accurate, up-to-date, complete, and not misleading;”
• you are required to provide “appropriate security measures for preventing the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of Personal Data, and such measures must be reviewed when it is necessary, or when the technology has changed in order to efficiently maintain the appropriate security and safety;”
• you must have a system in place for the erasure or destruction of personal data whose retention period has ended, which has become irrelevant, or when this has been requested by the data subject;
• in the event of a data breach you are required to inform the regulating authority of this within 72 hours, where feasible, and if this is bound to affect the data subject you must also inform them of the breach and of the remedial measures to be taken;
• if your organization is located outside Thailand you are required to designate in writing a representative who must be in the Kingdom of Thailand and be authorized to act on your behalf without any limitation of liability with respect to the collection, use or disclosure of the Personal Data according to the purposes of your organization;
• last but not least, you must designate a data protection officer (DPO) in the following circumstances:
• you are a public authority;
• your activities in the collection, use, or disclosure of the personal data require a regular monitoring because of the high volume of data being collected, used or disclosed; 
• your core activity is the collection, use, or disclosure of the personal data
   

What data access rights does PDPA grant? 

Thailand’s PDPA grants individuals the following data subject access rights: 

• Right to access

• Right to know 

• Right to correct 

• Right to delete 

• Right to object to processing

• Right to data portability

There are no special conditions to any of these rights and no differences to the way these have to be granted when compared to other data privacy laws, such as, for example, the GDPR, after which it has been modeled.

How to address data subject access requests under PDPA?

DSARs have to be handled following the below guidelines, outlined in the text of the law: 

• once a data subject access request is made, you must verify it and ensure that there are no grounds for refusal;
• the law states that valid grounds for refusal mean that “it is permitted by law or pursuant to a court order” and where “such access and obtaining a copy of the Personal Data would adversely affect the rights and freedoms of others;”
• if this is not the case, you must fulfill the request “without delay, but shall not exceed thirty days from the date of receiving such request;”
• you must arrange that the data is “in the format which is readable or commonly used by means of automatic tools or equipment, and can be used or disclosed by automated means.”
  
  

Enforcement and penalties

Thailand law mentions two types of penalty for violations of the regulations, criminal liability and administrative fines. 

For criminal liability, the penalties include:  

• imprisonment for a term not exceeding six months, a fine not exceeding Baht five hundred thousand, or both.
• imprisonment for a term not exceeding one year, a fine not exceeding Baht one million, or both.
• imprisonment for a term not exceeding six months, a fine not exceeding Baht five hundred thousand, or both.

In the case of administrative fines, these can range from 500,000 baht (approx. $13,000) to 5 million baht (approx. $130,000).

Data Subject Rights - GDPR vs. PDPA