Thailand’s Personal Data Protection Act or PDPA

Thailand’s Personal Data Protection Act or PDPA

Thailand’s Personal Data Protection Act or PDPA for short is a comprehensive data privacy law that was passed by the Thai government in 2019. As one of the many nations around the globe to implement personal data protection laws following the passing of the EU’s General Data Protection Regulation or GDPR, the PDPA is the first consolidated data protection law to be passed in the country of Thailand. As such, the PDPA places various requirements and restrictions on how businesses, organizations, and individuals can go about collecting, processing, using, and disclosing the personal data or information of Thai citizens.

What is the scope and application of the PDPA?

The PDPA applies to any “person or legal person that collects, uses, or discloses the personal data of a natural (and alive) person, with certain exceptions (e.g. exception of household activity)”. Furthermore, the PDPA also data controllers or data processors who collect, use, or disclose the personal data of individuals residing within Thailand. What’s more, the PDPA also contains provisions related to extraterritorial applicability over business entities and organizations outside of Thailand under the following circumstances:

  • Where the activities of collection, use, and disclosure of personal data or information are in relation to the offering of goods or services to data subjects residing in Thailand, irrespective of whether payments are made directly by said data subjects.
  • Where the activities of collection, use, and disclosure of personal data or information are in relation to the monitoring of a data subject’s behavior, when said behavior takes place within Thailand.

How is the term “personal data” defined under the PDPA?

Under the PDPA, personal data is categorized by two separate terms, “general personal data” and “sensitive personal data”. Both of these data types have different requirements and exemptions under the PDPA. Moreover, the PDPA also provides specific definitions for the terms “data controller” and “data processor”, while other forms of data such as health data or biometric data are not applicable under the PDPA. The definitions provided by the PDPA are as follows:

  • General personal data– “Any information relating to a natural person, which enables the identification of such a person, whether directly or indirectly, but not including information of deceased persons”.
  • Sensitive personal data– “: Any personal data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner as to be prescribed by the PDPC”.
  • Data controller– “A person or legal person who operates in relation to the collection, use, or disclosure of the personal data pursuant to the orders given by or on behalf of a personal data controller, whereby such person or legal person is not a personal data controller”.
  • Data Processor– “A person or legal person having the power and duties to make decisions regarding the collection, use, or disclosure of the personal data”.

What are the requirements of business entities within and outside of Thailand under the PDPA?

Under the PDPA, there are a variety of requirements and restrictions that individuals, business entities, and organizations both within and outside of Thailand must adhere to. These requirements include:

  • Data processing notification– Data controllers are required to inform data subjects prior to or at the point of collection of all required details, i.e. the purpose of the collection, except in cases where a data subject already knows or has already been informed of such details.
  • Data processing records– Data controllers and data processors are required to maintain records of all data processing activities, which can be either in electronic or written form. These processing records must be presented to both data subjects as well as the Office of the PDPC.
  • Data protection impact assessment– Data controllers are required to acknowledge the level of risk and severity associated with personal data they collect, use, and disclose, and the ways in which these risks could adversely affect the rights and freedoms of natural persons.
  • Data protection officer appointment– Under the PDPA, business entities and organizations are also required to appoint a data protection officer or DPO under certain circumstances. For example, the appointment of a DPA is mandatory if the core activity of a data controller or data processor is to collect, use, or disclose the sensitive personal data of data subjects.
  • Data breach notifications– Data controllers are required to notify the Office of the PDPC when data breaches occur without delay, and when feasible, within 72 hours of having become aware of the said data breach. In instances where a data breach is likely to pose significant harm or risks to associated data subjects, data controllers are also required to notify said data subjects, as well as provide remedial measures in relation to the breach without undue delay.
  • Data retention– When collecting the personal data of data subjects, data controllers are required to inform said data subjects prior to or at the time of collection in regards to the period of time in which their data will be retained. If it is not possible to provide data subjects with a specific time period, the expected data retention period must instead be specified, according to a specific data retention standard.
  • Children’s data– When collecting data from data subjects under the age of 20, data controllers may need to obtain parental consent for minors aged between 0 to 10 years old, obtain the consent of minors who are older than 10 but younger than 20 for an act in which minors are deemed competent to give consent, and obtain parental consent for minors who are older than 10 but younger than 20 for acts in which minors are not deemed competent to give consent.
  • Special categories of personal data– When collecting the sensitive personal data of data subjects, data controllers are required to obtain explicit consent from said data subjects, unless there is an exemption that applies. To this point, data controllers are only permitted to collect personal data related to criminal records when said collection is handled by an authorized official authority or is otherwise prescribed by other provisions in the PDPA.
  • Controller and processor– When controlling and processing personal data, data controllers and data processors are responsible for putting agreements in place for the means of outlining the activities carried out by both respective parties. Such an agreement must set out specific obligations of data processors in accordance with the provisions of the PDPA.

What are the rights of data subjects under the PDPA and how are these rights enforced?

Under the PDPA, data subjects are afforded a variety of rights in regards to the personal data and information they provide to data controllers and data processors. These rights include:

  • The right to be informed.
  • The right to access.
  • The right to rectification.
  • The right to erasure.
  • The right to object or opt-out.
  • The right to data portability.
  • The right not to be subject to automated decision-making.
  • The right to withdraw consent.
  • The right to lodge a complaint.

In terms of enforcement and penalties relating to the violation of the PDPA, the law is enforced by the Office of the PDPC, and data controllers or processors who fail to comply with the PDPA are subject to civil liabilities including punitive damages, in addition to other criminal and administrative penalties. These penalties include monetary fines of up to THB 5 million ($160,214), as well as criminal penalties that can include up to 1 year of imprisonment, a fine of up to THB million ($32042), or both.

While many data privacy regulations around the world are less restrictive than the EU’s widely known General Data Protection Regulation or GDPR, the PDPA is in many ways one of the more stringent privacy regulations in terms of extraterritorial application. As such, Thai citizens have the peace of mind that their personal data rights are not infringed upon, even dealing with individuals, business entities, and organizations who are not physically located within Thailand. In this way, the data privacy rights of Thai citizens can be upheld at all times.