The Personal Data Protection Act B.E. 2562 (2019) (PDPA) was published in Thailand’s Government Gazette on 27 May 2019 and came into force the following day. However, most of the operational provisions, including those on the rights of data subjects, the obligations of data controllers and the penalties for non-compliance, only take effect on 27 May 2020, one year after publication.
The PDPA falls under the supervision of the Ministry of Digital Economy and Society, and the main supervisory authority is the Office of the Personal Data Protection Committee (Office).
We have summarized some of the key features of the PDPA below.
Definition of Personal Data
“Personal Data” means any information relating to a Person that enables that Person to be identified, whether directly or indirectly, but does not include information about deceased Persons.
“Person” means a natural person.
Application of PDPA
The PDPA applies to the collection, usage and disclosure of Personal Data by a data controller or data processor located in Thailand, even where the collection, usage or disclosure itself takes place outside Thailand.
The PDPA also applies to data controllers and data processors located outside Thailand, but only in the following cases:
- where goods or services are offered to data subjects in Thailand, regardless of whether payment is required; or
- where the behavior of data subjects is monitored, and that behavior takes place in Thailand.
Lawful bases for collection, usage and disclosure of Personal Data
The collection, usage and disclosure of Personal Data must rest on one of the six lawful bases listed below. In all other cases, the data subject’s consent to the collection, usage and disclosure of the Personal Data is required.
The lawful bases are:
(1) the preparation of historical documents or archives in the public interest, or research or statistics, provided that suitable measures to safeguard the data subject’s rights and freedoms are in place and any notification prescribed by the Office is followed;
(2) for preventing or suppressing danger to a person’s life, body or health;
(3) where it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
(4) where it is necessary for the performance of a task carried out in the public interest by the data controller, or in order to exercise the official authority vested in the data controller;
(5) for the legitimate interests of the data controller or any other persons, except where such interests are overridden by the fundamental rights of the data subjects with respect to their Personal Data; or
(6) where it is necessary to comply with any laws to which the data controller is subject.
For consent to be valid, the following criteria must be satisfied:
- consent must be given explicitly, in a written statement or by electronic means;
- the data subject must be informed of the purpose of the collection, usage or disclosure of the Personal Data;
- the request for consent must be clearly distinguishable from other content provided to the data subject;
- the form of the request for consent must be easily accessible and intelligible;
- the request for consent must be in clear and plain language; and
- the request for consent must not be deceptive or misleading to the data subject in respect to its purposes.
A data controller must give the data subject a privacy notice before or at the time the Personal Data is collected. The notice must include the following information:
- the Personal Data to be collected;
- the purpose of the collection, usage or disclosure of the Personal Data, including the lawful basis relied on;
- whether the data subject is obliged to provide the Personal Data, and the consequences of not providing it;
- the period for which the Personal Data will be retained or, where a specific period cannot be given, the expected retention period according to the applicable data retention standard;
- the categories of Persons or entities to whom the Personal Data may be disclosed;
- the contact details of the data controller, and where applicable, contact details of the data controller’s representative or data protection officer; and
- the rights of the data subject, namely the right to withdraw consent, to access and obtain a copy of the Personal Data, to have the Personal Data transferred in a machine-readable format to another data controller, to object to the collection, usage and disclosure of the Personal Data, to request deletion, to request suspension of use, to have the Personal Data kept accurate, and to lodge a complaint.
A data controller must notify the Office of a data breach affecting Personal Data without delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. If the breach is likely to result in a high risk to those rights and freedoms, the affected data subjects must also be notified without delay. The 72-hour clock starts on awareness, so incident detection and escalation procedures need to surface a breach to whoever makes the notification decision well within that window.
A data controller has a duty to keep Personal Data secure, which includes:
- putting in place appropriate security measures to prevent the unauthorized or unlawful loss, access, use, alteration, correction or disclosure of Personal Data;
- preventing recipients of the Personal Data (e.g. a data processor) from using or disclosing it unlawfully or without authorization; and
- having a system in place to destroy Personal Data once its retention period expires.
Cross Border Data Transfer
Where a data controller sends or transfers Personal Data to a foreign country, the destination country must have adequate data protection standards, unless an exemption applies (e.g. the data subject has consented to the transfer after being informed that the destination country’s data protection standards are inadequate, or the transfer is necessary for compliance with the law). Guidance on what constitutes an adequate data protection standard has not yet been issued.
A violation of the PDPA can give rise to civil liability, criminal liability and administrative fines.
For example, a data controller that collects, uses or discloses Personal Data without the data subject’s consent (where consent is required) is liable to an administrative fine not exceeding THB 3 million.
How do you prepare ahead of the PDPA becoming effective?
The PDPA allows a data controller to continue to use Personal Data collected before 27 May 2020.
However, the data controller must:
(i) give existing data subjects an opportunity to object to the continued use of their Personal Data. This can be done by publicizing a method for withdrawing consent, so that data subjects can notify the data controller if they no longer want it to use their Personal Data; and
(ii) where no objection is received, use such Personal Data only for the original purpose for which it was collected.
Steps to be taken to prepare for compliance with the PDPA before it becomes fully effective
We have set out below a quick guide for compliance with the PDPA before 27 May 2020.
Step 1: Determine whether the PDPA applies to your organization and activities.
Step 2: If the PDPA applies, take the following steps:
- map your data flows (e.g. what Personal Data does the organization collect, and how is it used?);
- for existing Personal Data, give existing data subjects an opportunity to object to the continued use of their Personal Data, and use that data only for its original purposes. If the data controller has not in the past provided its data subjects with a privacy notice containing the information set out above, it must do so by 27 May 2020;
- for future collection and use of Personal Data, identify the lawful basis for each collection, usage or disclosure in order to determine whether consent from the data subjects is required. You will need to provide a privacy notice and, where required, a request for consent to the customers, business partners and other parties from whom you receive Personal Data; and
- comply with the other duties of a data controller under the PDPA.