PDPA Law Thailand: Checklist for Compliance
As a business owner, you'll know that cybercrime is continually growing more sophisticated, and you must constantly keep up with protecting your business from various privacy threats.
To combat this, the PDPA Law Thailand was created to ensure that businesses protect their customers' data privacy while remaining compliant with the law.
However, in reality, it's not that simple. The PDPA law in Thailand is confusing and complex at the best of times, and many businesses may struggle to ensure they are fully compliant. To help shed some light on the complex world of personal data protection laws in Thailand, we have put together a checklist that you can use to ensure your business is compliant.
Let's dive right in.
- The PDPA was created to protect how personal data is collected, used, shared and transferred.
- The PDPA applies to any natural or juristic person (the data controller or data processor) who collects, uses or discloses the personal data of data subjects in Thailand, whether or not the business itself is located in Thailand.
- To stay compliant, businesses need to obtain valid consent (or rely on another lawful basis) before collection, issue privacy notices, appoint a data protection officer where the PDPA requires one, keep personal data secure, notify the PDPC of data breaches within 72 hours, and more.
PDPA Law Thailand Explained
The PDPA (Personal Data Protection Act) is enforced by The Personal Data Protection Committee (PDPC) and was created to protect how personal data is collected, used, shared and transferred.
Thailand's PDPA is one of the newest data protection laws in Asia. The Act was published in 2019, but its operative provisions were postponed, first to 2020 and then again to 2021, by royal decree.
The law finally came into full force on 1 June 2022, after the Cabinet declined a further postponement. The Thai PDPA closely mirrors the European Union's General Data Protection Regulation (GDPR) and grants data subjects a similar set of rights.
Within the PDPA, there are three scopes of application:
- Personal scope
- Territorial scope
- Material scope
We'll talk about these scopes of application in further detail below. To sum up, the major provisions of the PDPA include regulations on obtaining consent, ensuring data subject rights and being transparent with the consumers.
The PDPA aims to provide data privacy to data subjects to ensure that their collected data is used fairly and that they have sufficient privacy and control over their data.
That is why consent is the first major provision of the data protection law. Data controllers must obtain consent first from the data subject and must allow the data subject to withdraw consent at any time.
To give businesses a fair chance at remaining compliant, the PDPC will determine strategies businesses can use to ensure efficient personal data protection. The PDPC provides instructions and can add new rules or guidelines to ensure data protection.
PDPA Law Thailand Scope
It's important that, as a business owner, you fully understand the scope of the PDPA law in Thailand if you want to make sure your business is compliant with the law. You need to pay attention to three areas of scope: personal, territorial and material.
On a personal level, the PDPA applies to any natural or juristic person (the data controller or data processor) who collects, uses or discloses the personal data of data subjects in Thailand. The main exception is data collected purely for personal benefit or household activities.
The second scope is territorial, and it matters whether your business operates in Thailand or deals with people who are in Thailand. If your business is located in Thailand, the PDPA applies regardless of where the processing takes place. Note that the test is where the data subject is, not their nationality.
Even if your business is not based in Thailand, you must comply with the PDPA if you offer goods or services to data subjects in Thailand (whether or not payment is involved) or monitor their behaviour inside Thailand.
The third scope is the material scope, which covers both personal data and sensitive personal data. Section 6 of the PDPA defines personal data broadly as any information relating to a person that enables that person to be identified, directly or indirectly (excluding data of deceased persons), and Section 26 lists the sensitive categories. The examples below are therefore consistent with the categories the GDPR uses.
Personal data includes:
- Phone number
- IP addresses
Sensitive personal data includes:
- Ethnic origin
- Political opinions
- Religious beliefs
- Philosophical beliefs
- Criminal records
- Sexual behavior
- Health data
- Union memberships
- Biometric data
This is the type of personal data that the Thailand PDPA works to protect. However, there are some exceptions to this scope.
These exceptions include:
- Data collected to maintain state security and public safety
- Data collected for the purposes of court cases, legal proceedings, legal execution and other criminal justice procedures
- Data collected for personal benefit or household activities
- Data collected for professional ethics or public interest (mass media, fine arts or literature)
- Data collected by and for the House of Representatives, the Senate or the Parliament
- Data collected by credit bureau companies for credit bureau business
Rights Provided Under PDPA Law Thailand
Chapter 3 of the PDPA (Sections 30 to 36) sets out a number of rights that the data subject has, and the data controller must take care not to violate them. Here are the data subject rights your business needs to be aware of.
Right to be informed
The first right that data subjects have is the right to be informed. Data controllers must ensure that they inform or notify the data subject of the collection of personal data. This information includes the purpose of collection, the period of collection and storage, and the rights of the data subject.
Unless another lawful basis applies, the data controller must obtain consent from the data subject before beginning the collection process. Section 19 of the PDPA sets out the consent requirements: consent must be given explicitly, in writing or by electronic means, and the request must be clearly separated from other matters and not deceptive or misleading.
Section 20 deals with consent from minors. For a child under the age of 10, consent must always come from the person exercising parental power. For older minors (under 20 under Thai law) who cannot validly give consent on their own, parental consent is likewise required.
Right to access
All data subjects have a legal right to access the data collected from your business. The data subject has the right to request a copy of their personal data that was collected, stored, used and transferred.
Data subjects must be given an easy way to request their data, and the request should normally be handled free of charge. Section 30 requires the controller to respond without delay and no later than 30 days from the date the request is received.
Should your business fail to provide access within that period, the data subject is well within their rights to lodge a complaint with the PDPC, which can issue administrative penalties. Track the receipt date of every request so the deadline is never missed.
Right to rectification
Collected data must always remain up-to-date and correct. Otherwise, it makes the whole purpose of collection and use pointless. Data subjects have the right to request that their incorrect or out-of-date data be corrected.
Right to erasure
It is important that all businesses comply with this right should they want to avoid non-compliance penalties. Data subjects have the right to request that all collected, stored, used and shared personal data be deleted or de-identified.
If the data is no longer needed for the purpose it was collected for, or consent has been withdrawn and no other lawful basis applies, the data controller must delete or anonymise it. The main exception is data that must be retained to comply with a legal obligation or to establish, exercise or defend legal claims.
Right to object/opt out
Because consent is needed to collect personal data in most cases, this means once the data subject has withdrawn their consent, your business needs to stop collecting, processing and sharing that data.
Right to data portability
This right is one that many businesses may not be aware of, but it is an important one to take note of. Under Section 31, data subjects have the right to obtain the personal data they provided in a format that is readable or commonly used by automated tools.
Data subjects can also ask the controller to transmit that data directly to another data controller where it is technically feasible to do so.
Automated decision-making and profiling
Unlike the GDPR, the PDPA does not spell out a standalone right not to be subject to automated decision-making. In practice, data subjects can use their rights to object and to restrict processing, so your business should not subject them to automated decisions or profiling that they have objected to or never consented to.
In addition to the above rights discussed, data subjects have the right to lodge a complaint if they feel their rights have been violated. These complaints are lodged with the PDPC.
Data subjects also have the right to restrict the use of their personal data in the circumstances set out in Section 34, for example while the accuracy of the data is being verified or while an objection is pending.
PDPA Law Thailand Checklist for Applicable Businesses
With so many rules and regulations, how does your business keep up and ensure compliance with Thailand's data protection laws? To help businesses, we have compiled a list of PDPC data controller obligations.
Data processing notification
It is very important that your business notifies the data subject before collecting their data. Businesses will need to let the data subject know exactly what the information will be used for, how and when it will be collected and for how long the information will be stored.
Ensure Proper Consent
Unless another lawful basis in the PDPA applies, businesses that collect, use, disclose or store personal data need explicit consent from the data subject, and consent for sensitive personal data must be explicit in every case.
This is especially important if your business collects and processes the personal data of minors (under the age of 20 under Thai law). For minors younger than ten years old, consent from the person exercising parental power is always needed.
Minors older than ten but younger than 20 who are legally capable of doing so can give their own consent. Where they are not, parental consent is still needed. Collecting sensitive personal data without valid consent is one of the violations that can carry a criminal penalty.
Appoint a DPO
Section 41 requires a Data Protection Officer (DPO) where the controller or processor is a public authority, where its core activities involve large-scale processing that requires regular monitoring of data subjects, or where its core activities involve sensitive personal data. Even when not strictly required, appointing a DPO is a sensible way to assign clear ownership of PDPA compliance.
The DPO's job is to advise the business and its employees on their obligations, monitor compliance with the PDPA, coordinate with the PDPC, and act as the contact point for data subjects.
Your DPO will typically drive the security measures that protect collected data from a personal data breach, including internal rules and guidelines on access to personal data, and keep records of processing activities.
You may be wondering if your DPO needs to meet specific requirements. The PDPA does not prescribe particular qualifications. However, it is recommended to appoint someone with data privacy experience and credentials, as an ineffective DPO can leave your business exposed to fines and penalties.
Ensure DSARs are Fulfilled
When your business receives a Data Subject Access Request (DSAR), it is important that you fulfil it within the statutory deadline of 30 days, or you may have to answer to the PDPC for non-compliance.
A DSAR is a request to exercise any one of the rights listed above, including the right to access, rectify, erase, or object, among other things.
Where the request is for a copy of the data or for portability, the PDPA requires that it be provided in a format that is readable or commonly used by automated tools.
Ensure Data Minimization is Practiced
The whole purpose of the PDPA is to give data subjects some data privacy, and one way of doing that is by practicing data minimization.
This means only collecting personal data and processing it for the purposes it was intended for. Businesses should only be collecting personal data that is absolutely necessary for its purposes and nothing else.
As soon as your business no longer needs the data, you should stop processing their data and dispose of the data.
Ensure Adequate Protection for Cross Border Data Transfer
If your business transfers personal data across borders, you need to make sure that the data remains protected at its destination.
Section 28 of the PDPA requires that the destination country or international organisation has adequate data protection standards as determined by the PDPC, unless an exception applies (for example, the data subject's explicit consent or a legal obligation). Section 29 allows transfers within a corporate group under binding corporate rules approved by the PDPC.
Section 37 of the PDPA makes data controllers responsible for keeping data subjects' personal information safe with appropriate security measures. A DPO can really help your business to do this.
Notify Commissioner of Data Breaches
Suppose the worst happens, and your business has suffered a personal data breach. Now what? Under Section 37(4), you must notify the PDPC without delay and no later than 72 hours from the time you became aware of the breach, unless the breach is unlikely to result in a risk to data subjects' rights and freedoms. If the breach is likely to result in a high risk to data subjects, you must also notify the affected data subjects without delay and tell them what remedial measures you are taking.
Under the PDPC's breach notification rules, a personal data breach is a breach of security that leads to:
- Loss, access, use, alteration, correction or disclosure of personal data without authorisation or unlawfully
- Whether caused intentionally, wilfully, negligently, by an unauthorised or unlawful act, by a cyber attack, or by accident
If your business uses a third-party data processor and the processor suffers a personal data breach, the processor must notify you as the controller, and you remain responsible for notifying the PDPC within the same 72-hour window.
Penalties for Non-Compliance
We've covered how to avoid non-compliance, but what happens if your business is found to be non-compliant with the PDPA? Depending on the violation, your business can face administrative fines, civil liability, or criminal penalties.
Administrative fines range up to THB 5,000,000 (roughly USD 150,000) depending on the provision breached and the severity of the violation. If the violation causes damage to a data subject, the data subject can also sue for compensation, and the court can award punitive damages of up to twice the actual damages.
Criminal penalties apply to the most serious violations, for example using or disclosing sensitive personal data without consent in a way that is likely to cause damage to the data subject, or transferring sensitive personal data abroad without adequate safeguards. These can result in imprisonment for up to one year, a fine of up to THB 1,000,000, or both, and responsible directors or managers can be held personally liable.
As you can see, remaining compliant while your business is involved with the collection, processing, and sharing of personal data of Thai data subjects is so important. Failure to keep up to date with these regulations can be costly.
So, how do you know where to begin? Choose Captain Compliance, a global compliance service, to guide you through the complex world of data protection laws. We offer both corporate compliance and outsourced compliance solutions, like compliance training, to help your business comply with all the PDPA regulations in Thailand.
Get in touch with Captain Compliance today.
Does Thailand comply with the GDPR?
The GDPR does not apply in Thailand because Thailand has its own law, the PDPA. However, the PDPA mirrors most of the GDPR's core principles and rights, so a business that is GDPR-compliant is well placed to comply with the PDPA.
What is the difference between the PDPA and GDPR?
The two laws are very similar in structure. One often-cited difference is that the GDPR contains specific rules on how personal data used for research purposes is collected, processed and shared, whereas the PDPA has no equivalent detailed provisions. Thresholds such as the age of consent for minors and the list of sensitive data categories also differ slightly.
Who is the data protection authority in Thailand?
The data protection authority is the Personal Data Protection Committee (PDPC). It enforces the Act, supervises compliance, and issues subordinate regulations and guidelines (PDPC notifications) that set out the detailed rules businesses must follow.
Are photos considered personal data under the PDPA?
Photos with an identifiable person are, in fact, still considered personal data under the PDPA and are subject to the same rules about how they are collected, processed, and shared.