The Personal Data Protection Act (PDPA) is the principal data protection regulation in Thailand. This act grants individuals several rights regarding their personal data and places several responsibilities on businesses that handle the personal information of Thai citizens.
If you do business in Thailand or handle the personal information of Thai citizens, this article will help you understand the Thailand Personal Data Protection Act and how to comply with it.
Let’s dive in.
The Thailand Personal Data Protection Act (PDPA) is a comprehensive set of regulations issued by the Thai government to protect the personal information of Thai citizens. The act came into effect on May 27, 2019, with a grace period for businesses until June 1, 2022.
It regulates the collection, use, and disclosure of personal information of individuals by organizations. The Personal Data Protection Committee will oversee the enforcement of the law and is also responsible for publishing guidelines and standards for data processors to comply with the law.
Scope of the Act
The Thailand Personal Data Protection Act applies to the collection, use, or disclosure of personal data by a data controller within Thailand, regardless of whether the processing occurs within the country.
It also extends its reach beyond Thailand’s border if the data processors collect, use, or disclose the personal data of Thai citizens for offering goods or services within Thailand or monitoring the behavior of individuals within the country.
Limitations of the Act
The Thailand PDPA does not apply if the personal data is:
- collected for personal use or household purposes,
- collected for the operation of public authorities to maintain national security,
- used for mass media, fine arts, literature, or public interests,
- collected, used, or disclosed by the House of Representatives, the Senate, the Parliament, or their committees within their duties and powers,
- used for court proceedings, legal execution, and other criminal justice operations,
- collected by credit bureau companies governed by law.
Key Definitions
- Personal Data: Personal Data refers to any information related to an individual that can be used to directly or indirectly identify that individual. It excludes information related to deceased individuals.
- Data Controller: A Data Controller refers to a legal person who has the power to make decisions regarding the collection, use, or disclosure of personal data.
- Data Processor: A Data Processor is a legal person who collects, uses, or discloses personal data on behalf of the Data Controller.
- Person: Person refers to any living person.
- Committee: The Committee refers to the Personal Data Protection Committee, which is responsible for the enactment of the Personal Data Protection Act.
- Competent Official: A Competent Official refers to any person appointed by the Minister to carry out acts under the PDPA.
- Secretary-General: Secretary-General refers to the Secretary-General of the Personal Data Protection Committee.
- Minister: The Minister refers to the Minister of Government who is in charge under this Act.
Thailand’s Personal Data Protection Act grants the following rights to data subjects regarding the processing of their personal data.
Right to Access
Individuals have the right to access and obtain copies of their personal data held by organizations. They also have the right to know how their data was obtained if it was collected without their consent.
Right to Receive or Transfer Data
Individuals have the right to receive or transfer their personal data in readable format. They can also request the organizations to provide the personal data directly to other organizations or to themselves, if technically feasible.
Right to Object
Individuals have the right to object to the collection, use, or disclosure of their Personal Data in certain circumstances, such as when consent was not obtained or for direct marketing purposes.
Right to Delete or Anonymize
Individuals have the right to request the deletion or anonymization of their personal data if consent is withdrawn, the data is no longer necessary for the purpose for which it was collected, or it was collected unlawfully. A request for deletion can also be made if the individual has raised an objection that cannot be denied.
Right to Restrict
Individuals have the right to restrict the use of their personal data under specific circumstances and to withdraw their consent for processing personal data.
Right to Correct
Individuals have the right to ensure that their personal data held by organizations is accurate and up-to-date. They can request the correction of their personal data.
The following are the major principles of Thailand’s PDPA for businesses handling the personal data of Thai citizens.
Purpose Limitation and Data Minimization
Data Controllers should collect only the information necessary for the lawful purpose for which it is intended, and limit the use of personal data to what is necessary to fulfill that specific purpose.
Inform Users of Data Collection
Data Controllers must inform users that their personal data is being collected, why it is collected, how long it will be retained, and who has access to it.
Obtain Consent From Users
Data Controllers must obtain prior consent from data subjects before processing their personal data. Consent is not required in specific cases, such as fulfilling a legal or contractual obligation, protecting the life of an individual, conducting scientific or historical research, or pursuing other legitimate purposes.
Children’s Personal Data
When handling the personal data of children under 10 years of age, data controllers should obtain consent from their parents or legal guardians. For minors over 10, the consent of parents or guardians is required for any act a minor is not allowed to consent to on their own under the Thai Civil and Commercial Code.
Sensitive Personal Data
Data controllers must obtain explicit consent from users for collecting sensitive personal data such as racial or ethnic origin, political opinions, health data, etc.
Control Over Data Collection
Data Controllers must collect personal data directly from the data subjects. However, collection from other sources is allowed under specific conditions and requires informing the data subject promptly.
Cross-Border Data Transfer
Data Controllers cannot transfer the personal data of Thai citizens outside the country unless:
- the foreign country has data protection laws equivalent to the PDPA,
- the concerned individuals have consented to the data transfer,
- the transfer is necessary for the fulfillment of a legal contract,
- it is to prevent danger to someone’s life or health,
- it is necessary for carrying out activities of public interest.
The Personal Data Protection Committee is responsible for overseeing the enactment of the Personal Data Protection Act in Thailand.
Below are the key responsibilities of the Personal Data Protection Committee:
- Create a master plan: Create a comprehensive plan that aligns with the national policies and strategies for protecting the personal data of individuals.
- Implement the plan: Help government agencies and private sectors in implementing the activities outlined in the master plan.
- Establish guidelines for the PDPA: Introduce guidelines and regulations for protecting personal data and complying with the PDPA.
- Issue rules and notifications: Issue notifications and rules to facilitate the implementation of the PDPA.
- Regulate cross-border data transfer: Determine the requirements for protecting the personal data transferred to foreign countries.
- Guide Data Controllers and Processors: Provide guidance for Data Controllers and Processors on protecting the personal data of Thai citizens.
- Provide recommendations to the Cabinet: Provide recommendations to the Cabinet on enacting or implementing the laws related to Personal Data Protection.
- Review PDPA regulations: Recommend that the Cabinet review the PDPA regulations every five years.
- Provide consultation to agencies: Provide consultation services to the government and private agencies to ensure compliance with PDPA.
- Make decisions on PDPA compliance issues: Analyze and make decisions on the issues arising from the enactment of the PDPA.
- Promote public awareness: Promote public awareness of personal data protection.
- Support research and development: Provide support to research and development of technologies related to personal data protection.
- Other related duties: Perform other duties as stipulated by the PDPA or other relevant laws.
Here are some general guidelines to comply with PDPA for your business:
- Understand the act: Understand the scope and requirements of the act and your role as a Data Processor or Data Controller.
- Minimize the data collection: Do a complete audit of your data collection practices. Then, ensure that you are collecting only what is necessary for the purpose.
- Inform users about data collection: Inform users that you collect their data, why it is collected, how long it will be retained, and who has access to it.
- Obtain consent from users: Obtain explicit consent from users before collecting, using, or disclosing their personal data. Also, provide granular control options for giving consent and disclose the consequences of not giving consent.
- Special consent requirements: When collecting the personal data of children, obtain consent from parents or legal guardians. For sensitive personal data such as racial or ethnic origin, political opinions, health data, etc., businesses should obtain additional explicit consent from users.
- Enable users to exercise their rights: Inform users about their rights over their personal data and provide assistance for exercising their rights.
- Regulate cross-border data transfer: When sharing data with foreign countries, ensure that they have similar data protection regulations and have a lawful purpose for sharing the data.
- Implement proper security measures: Take proper security measures to ensure the safety and security of the personal data of your users.
- Conduct privacy impact and risk assessments: Do internal audits and risk assessments to identify and mitigate any potential risks.
- Maintain records of data processing: Keep records of your data processing activities and proof of your compliance measures.
- Review and update your practices: Regularly review and update your data collection practices and stay up-to-date with the latest regulations.
- Establish a data breach response plan: Establish a proactive plan to promptly address data breaches. In case of a data breach, inform the concerned authorities and affected individuals.
If an organization fails to comply with the PDPA for unlawful purposes, the penalty could be imprisonment for up to one year, a fine of up to one million Baht, or both. If the violation results in potential harm, damage to reputation, or humiliation of others, the organization may face imprisonment for up to six months, a fine of up to five hundred thousand Baht, or both.
Frequently Asked Questions on PDPA
When Did PDPA Come Into Effect?
The Thailand Personal Data Protection Act (PDPA) came into effect on May 27, 2019, with a grace period of one year. However, due to the COVID-19 pandemic, enforcement of the act was postponed until June 1, 2022.
What Is Personal Data in Thailand PDPA?
Personal Data refers to any information related to an identified or identifiable individual, such as name, identification number, contact details, biometric data, etc.
What Is PDPC?
The Personal Data Protection Committee (PDPC) is the committee that regulates and implements the Personal Data Protection Act in Thailand. The Committee helps businesses comply with the law and provides recommendations to Government agencies when implementing new regulations.
Do I Need to Obtain Consent for Using Cookies?
Yes. Cookies contain information about your site visitors, so if you use cookies, you need to obtain prior consent from your visitors. You can use a consent management platform to obtain and manage cookie consent on your website.
Check out our GDPR Cookie Consent plugin, a native CMP for WordPress websites.
Conclusion
The Personal Data Protection Act (PDPA) is the principal data protection regulation in Thailand. It regulates organizations processing the personal information of Thai citizens. The act grants several rights to individuals for protecting their personal data and imposes several obligations on businesses.
We hope this article has provided you with information on Thailand’s PDPA and how to comply with it. If you find this helpful, please let us know in the comments.
Disclaimer: This article was intended for informational purposes only and does not represent legal advice. We have no intention of obtaining any kind of attorney-client relationship. If you are looking for legal advice, we recommend you contact a professional.