This article introduces the new Thai PDPA legislation that came into force on 1st June 2022.
Thailand’s Personal Data Protection Act (PDPA) is the new Thai data protection legislation that came into force on 1st June 2022. It takes much of its inspiration from the European Union’s GDPR requirements. The Personal Data Protection Commission will enforce the PDPA through the creation of guidelines in line with the rights created by the legislation.
Organisations operating within and interacting with the Thai jurisdiction should create robust data protection frameworks as a step towards ensuring compliance. Surveys carried out on SET (Stock Exchange of Thailand) companies found that, in the days prior to the PDPA coming into effect, 70% of them were prepared for the new legislation, with non-capital market businesses struggling with the requirement to record data processing activities.
PDPA creates data subject rights for subjects that fall under the Thai jurisdiction as follows:
- Right to be informed: The data controller is required to inform the data subject, prior to or at the time of the collection of the personal data, of details such as the purpose of the collection, the data retention period, and the rights of the data subject.
- Right to access: The data subject has the right to access or request a copy of their personal data collected, used, and disclosed by the data controller.
- Right to rectification: The data subject has the right to have incomplete, inaccurate, misleading, or out-of-date personal data held by the data controller rectified.
- Right to erasure: The data subject has the right to request that the data controller delete or de-identify their personal data. The exception is where the data controller is not obligated to do so in order to comply with a legal obligation or to establish, exercise, or defend legal claims.
- Right to object/opt-out: The data subject has the right to object to certain collection, use, and disclosure of their personal data such as objecting to direct marketing.
- Right to data portability: The data subject has the right to obtain the personal data that the data controller holds about them in a structured electronic format and to send or transfer such data to another data controller.
- Right not to be subject to automated decision making: The subject has the right to restrict the use of their personal data in certain circumstances.
Similarly to GDPR, the Thai PDPA has both territorial and extra-territorial application. It applies to collection, use and disclosure of personal data by data controllers and processors based in Thailand, regardless of whether such collection, use, or disclosure takes place in Thailand or not. Additionally, it also applies to controllers and processors based outside Thailand in two situations:
- Where processing relates to offering of goods or services to the data subjects who are in Thailand.
- Where processing relates to monitoring of data subjects’ behaviour, where the behaviour takes place in Thailand.
What actions must companies take to be PDPA compliant?
Under the new PDPA regulation, companies must inform users how their data is being collected and the purposes for which it is being collected, as the rights above require. At the time of data collection, companies must make clear that the user may opt out of the data collection at any time, including after personal data has been collected (revocation of consent at a later point). Entities at present have an estimated one-year grace period to bring these requirements into effect.
As a starting point, certain steps can be taken to check your organisation’s level of current compliance:
- Data mapping and data gap analysis help to locate, quantify and categorise the existing personal data flowing within the company. Analysis of the data collected is key to pinpointing where any failure to comply with the PDPA lies. Treatment policies and procedures can then be implemented where personal data is found not to be covered by the consent requirements that the PDPA imposes.
- Personal data protection policy, privacy notices and a consent form should be revised to ensure that PDPA requirements are met.
- For data collected prior to the implementation date (1st June 2022), data collectors are permitted to continue to process the data if the purpose for which it was originally collected remains the same. It is therefore advisable that statements of intent are attached to data collection points so that this remains unambiguous.
From here, an understanding of where to focus compliance action can be built.
From a cross-jurisdictional perspective, local agents and buyers within the Thai market will certainly value external partnerships in greater esteem if those entities are seen to be aware and compliant with the local regulation.
More crucially, any entity looking to operate within the Thai market will have to take compliance actions, as the legislation, which is comparatively harsh relative to the GDPR, also applies to them. In this sense, cross-jurisdictional data collection is treated with the same rigour as that of purely domestic collectors and processors.
A company presence in Thailand is therefore not a requirement for the PDPA to apply. For example, if data is collected within the EU and sent to a branch in Thailand, it will be subject to both the GDPR and PDPA rules on collection and processing.
Fundamentally, the requirements of recent data protection regulations are very similar, and the actions to be taken are not dissimilar to those of the GDPR compliance period. With a surge in new global data protection regulations, companies that handle the trend best by crafting sturdy, long-term data privacy policies will experience less interruption, and no resulting shock allocation of resources to catch up with new regulations. Actions taken in all jurisdictions should aim to be sustainable and resilient instead of chasing requirements.
The appointment of a DPO is mandatory under the PDPA in the following cases, and the conditions for appointment are similar to those of the GDPR:
- The controller or processor is a government agency, or its processing activities require regular monitoring of personal data or systems because they involve the processing of large amounts of personal data.
- The core activity of the controller or processor involves the processing of sensitive personal data.
- Under the PDPA, it is not necessary for a data controller to conduct a DPIA.
Main differences from GDPR
- In PDPA it is not stated whether oral notification of rights is acceptable.
- Applicable instances of legitimate interests are not stated whereas GDPR outlines such conditions.
- The PDPA states no specific time frame within which the data controller must act on a data subject’s request.
- The data controller is not required to put in place procedures for verifying the identity of data subjects who request deletion of their data.
- The PDPA does not treat IP addresses, cookies or radio-frequency ID tags as personal information.
- Thai regulation has no definition of pseudonymised information.
- PDPA does not state whether children’s personal data should be protected in a specific manner regarding marketing or social services delivery.
- Thailand’s new regulation does not state requirements for the collection, use or sharing of personal data in the context of research. Data controllers are expected to ensure that consumer welfare, liberties and privileges are safeguarded.
The PDPA prescribes three types of liability: criminal, civil and administrative. Violation of the data privacy law may result in fines ranging from 500,000 Baht (US$15,000) to 5 million Baht (US$165,000), as well as punitive compensation of up to twice the amount of the actual damages. If the breach concerned involves sensitive personal data or unauthorised disclosures, the violators can be subject to criminal penalties, including imprisonment of up to one year.
Government’s stance on enforcement
During the transitional period, the legal subcommittee of Thailand’s Personal Data Protection Committee has stated that enforcement of penalties will be relaxed in the first year of implementation if the violators did not intend to commit the wrongdoing. Where violations occur, warnings are likely to be issued instead. In the initial year, the authorities are focused on ramping up efforts to boost understanding of the law among the related parties and urging them to comply with the guidelines.
Exemption from compliance for Small and Medium Enterprises
The Thai government has issued subordinate legislation exempting small and medium-sized enterprises from the PDPA’s requirements on organising, making and keeping records of processing activities.