PDPA Key Provisions
(1) Notice & Consent: Controllers and Processors must obtain consent from each Data Subject prior to or at the time of any collection, use or disclosure of personal data. The intended purpose of the data collection must also be notified to the data subject.
Organisations are permitted to use personal data collected before the effective date of the PDPA for the purposes for which the data was collected. To do so, organisations, through their Data Controllers, must notify their data subjects of their intention to do so and permit data subjects to opt out. This process is likely to be costly for large organisations that hold vast volumes of personal data, such as healthcare service providers, telecommunications services, financial institutions and government departments.
(2) Limitations to Collection, Use and Disclosure:
a: Purpose limitation.
The Controller cannot collect, use or disclose personal data for any purpose other than the intended purpose as notified to and consented to by the data subject.
The Controller cannot collect, use or disclose more personal data than is necessary to achieve the intended purpose.
c: Source limitation.
Personal data may only be collected directly from the data subject, subject to only a few exceptions.
d: Retention limitation.
The Controller cannot keep personal data for longer than is necessary to achieve the intended purpose.
e: Transfer limitation.
(3) Access, Correction and Portability:
The Controller must ensure that personal data is up to date, accurate and not misleading by allowing the data subject to access, and to ask the Controller to correct, his or her personal data collected by the Controller. The Controller must ensure that each data subject can obtain his or her personal data in a format that can be used with ease by other Controllers.
The Controller must provide appropriate security measures to prevent any loss, access, use, modification or disclosure of personal data without authorization.
The Controller must disclose personal data of a data subject for him or her to examine and verify.
Compliance with the Thailand PDPA cannot be bought via a template. Data privacy needs to be built from the ground up with a framework that delivers on all aspects of your operations.