PDPA Thailand’s New Data Protection Law
What is the PDPA 7 Key Factors
A summary of the seven key things you should know about the PDPA key points is as follows:
(1) Personal Data. The PDPA governs any data of an alive person that could identify that person directly or indirectly. For example, any personal data of an individual handled by the company, including customer data, employee data, data of directors, shareholders, contractors, suppliers, seminar and market survey participants, and data involving customer complaints and inquiries would be subject to the PDPA.
(2) Players. The Personal Data Protection Committee will be established to set out further sub-regulations and protect the rights of the data subjects. Any entities collecting, using, disclosing and/or transferring personal data will be required to comply with the PDPA as a data controller and/or a data processor (which have different roles and obligations).
(3) Applicability. The PDPA has extraterritorial applicability. Thus, data controllers and data processors both in and outside of Thailand could be subject to the PDPA.
(4) Legal basis. In order to collect, use, disclose and/or transfer personal data, the data controller has to rely on legal basis, which could be consent or other exemptions (e.g., vital interest, public interest, legal obligations, and legitimate interest).
(5) Personnel. The data controller and the data processor could be required to appoint a data protection officer and a representative in Thailand, which subject to future sub-regulations.
(6) Rights of data subjects. The data controller has to guarantee the rights of the data subjects.
(7) Penalties. The PDPA imposes penalties for non-compliance. It is punishable with administrative fines (up to THB 5 million), criminal penalties (imprisonment up to one year and/or fines up to THB 1 million), and punitive damages up to twice the amount of the actual damages. Furthermore, civil damages under the PDPA can be multiplied as Thailand now allows data subjects to bring a class action lawsuit. The director of a company could also be subject to penalties under the PDPA.
Who Does the PDPA Apply To
The Data Administrator shall only obtain the data directly from the data subject.
The Data Administrator must inform the data subject of the purpose of collecting the data, what data is to be collected, and to
whom the data will be disclosed.
Additionally, the request for consent must be clearly separated from other messages. The message must be delivered in a format
which is easily accessible and understandable, using language that is easy to understand. The message should not be misleading or
cause data subjects to misunderstand the purpose of collecting the data. The Commission may require the Data Administrator to
request consent from the data subject in accordance with any announcement that the board may make from time to time.
The Thailand PDPA does not provide a specific definition of “sensitive data.” However, according to the PDPA, it is prohibited to
collect information related to ethnicity, political opinions, religious beliefs, sexual orientation, criminal history, health information,
disability, trade union information, genetic data, biological data or any other information that affects the data subject in the same
way, unless there are specific laws which stipulate otherwise, e.g. for the protection of health or physical condition of the data
The PDPA does allow, in some limited circumstances, for an exemption to the requirement to obtain consent from the data
subject where the data is collected from another Person who is not the data subject.
In obtaining consent from the owner of the Personal Data, the Data Administrator must take into account the absolute
independence of the owner of the personal information in giving the consent. In entering into a contract, including to provide any
services, there must not be any condition for consent to be granted to collect, use or disclose personal information that is not
necessary or relevant to entering into such contract or services.
What is the Scope of the PDPA
Scope of Applicability
The PDPA shall not apply to personal or household activities.
In terms of territory, the PDPA will apply to:
• Any Data Controller or Data Processor residing in Thailand, regardless
of whether or not the acquisition, usage or disclosure of the data is
carried out in Thailand;
• in the case that the Data Controller or the Data Processor resides
outside of Thailand, if the subject of the aforesaid activities is data
belonging to a person residing in Thailand, the PDPA shall apply only
a: goods or services are being offered to such persons,
regardless of whether any payment is involved; and
b: behavior surveillance activities of such persons take place
Are Data Processing Officers (DPOs) a Requirement
Common duties: Data Protection Officers (“DPO”)
Similar to the GDPR, both the Data Controller and the Data Processor are
required to appoint DPOs to inspect their handling of Personal Data. The
types of organizations that are required to have a DPO are:
• a governmental body designated by the Commission;
• an organization wherein the activities of the Data Controller/Data
Processor consist of collecting, using and disclosing Personal Data by
virtue of the organization’s nature, or it requires routine monitoring due
to the large scale of Personal Data being controlled or processed.
However, the threshold of such scale remains to be prescribed by
subordinated regulations; and
• an organization of which the core activities involve collecting, using and
disclosing sensitive Personal Data.
What qualifications does a DPO need to have? Do I need to hire them?
Their qualifications are to be announced by subordinated regulations.
However, considering that their duties are, for example, to provide advice to
the Data Controller and the Data Processor in matters of compliance with
PDPA and be the “contact persons” of the organization with regards to
personal data protection matters, expertise and specialization in personal
data protection matters is crucial.
A DPO can be an internal staff of the Data Controller or the Data Processor,
or they can be an outsourced person.
What are the requirements for data processing?
Other than ensuring that the Personal Data’s owners are accorded to their
rights discussed in the topic above, a Data Controller is also required to
perform the following:
• implement suitable measures to prevent loss, unauthorized access,
alteration or disclosure of Personal Data. However, what shall count as
“suitable measures” will be prescribed by the subordinated regulations,
which are yet to be issued;
• ensure that a third party who is not a Data Controller that acquires the
Personal Data does not use or disclose the Personal Data wrongfully, or
• maintain written records relating to processing activities, that can be
inspected by data owners;
• delete Personal Data when the storage period expires, or the Personal
Data is no longer relevant, exceeds the scope of necessity or consent is
• notify the commission within 72 hours in case of a data breach, except
in cases where such breach will not have a detrimental effect to the
rights of the individual. If the breach will adversely affect the Personal
Data owner, the Personal Data owner must also be notified and be
presented with compensation measures.
Specific Duties for Data Processor
Other than the Data Processor’s duty not to use Personal Data in manners
that are not lawfully instructed by the Data Controller, the PDPA also
requires the Data Processor to:
• implement suitable measures for preventing loss, unauthorized access,
alteration or disclosure of Personal Data; and
• maintain written records for processing activities that can be inspected
by the data owners.
What are the penalties?
If the Data Controller or the Data Processor carries on any action that does
not comply with the PDPA and such action damages the Personal Data
owner, regardless of whether such noncompliance was carried on
intentionally or negligently, the Data Controller and Data Processor shall be
liable for actual damages arising therefrom, except where they can prove
that (i) the damages were a result of force majeure, or by actions of the data
owner; or (ii) the noncompliant act was a carried out in order to comply with
an official’s lawful order.
Under the PDPA, the court is also empowered to order the Data Controller
or the Data Processor to pay “punitive damages” in addition to actual
damage. Such punitive damages shall not exceed two times the actual
damages owed. Factors that the court will take into consideration when
considering whether to order the punitive damages are, for example,
financial status of the Data Controller or the Data Processor, and/or the
extent of participation/involvement of the Data Controller or Data Processor
in the act that resulted in causing such damage.
Failure to comply with the PDPA may result in penalties being imposed on
both the entity and any directors who collaborate to commit the offence or do
not reasonably manage to prevent such offence. Such penalties include both
fines and imprisonment.
Administrative penalties in the case of violation of the PDPA shall not be in
excess of THB 500,000, or not in excess of THB 5 million, depending on the
severity and type of violation.
Relentless Your PDPA Partner of Choice
Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity assessments to companies of all sizes. Unlike traditional compliance firms, we don’t have four or five layers of management. Through the use of technology and our centralized, streamlined structure, we are able to serve our clients in the timeliest manner and with the highest level of efficiency. And because of our unique model and approach, we are able to deliver this exceptional service at highly competitive rates.
We have 20+ years of compliance and assurance experience and are committed to providing a personalized and responsive service.
With a tailor made approach, we work with our clients in executing each project to their specific need and help maximize the long term business value of their compliance and privacy assurance strategies ensuring their global operations remain within the law.
Relentless PDPA Service What's Included?
Our PDPA Service Includes the Following
- PDPA Assessment
- Dedicated DPO
- Unlimited Support Calls
- Unlimited Email Support
- Data Mapping
- Record of Processing Activities
- Subject Access Request Service
- Data Risk Assessments
- Data Breach Support
The latest country to follow in the EU’s data protection footsteps, Thailand is gearing up for the arrival of its first bill to protect individuals’ personal data rights, but what does this mean for your business? Relentless’ global data privacy experts have the answers.Thailand’s relationship with the concept of privacy has always been a curious one to say the least. For years, the idea that individuals have a right to privacy was a key part of the country’s national constitution, albeit one without any kind of law or regulation forcing businesses to uphold that right.