Personal Data Protection Act
The Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) of Thailand came into force in part on the 28th of May 2019. It establishes a legal framework which protects personal data of individuals and allows businesses to realize economic values from personal data. A one-year grace period up to the 28th May 2020 is currently in place to give businesses time to be prepared for compliance.
- Each organization must appoint a Data Protection Officer (“DPO”) if its core activities involve collection, use and disclosure of personal data or if a DPO is mandated by the regulator.
- Extra-territorial application to Processors and Controllers both in and outside of Thailand if they collect, use or disclose the personal data of a data owner (“Data Subject”) in Thailand.
- Any data breach must be notified to the regulator within 72 hours of the discovery of the breach.
- Criminal and civil liabilities are applicable to offences against the PDPA.
“Personal Data” is any data related to a living individual which enables either direct or indirect identification of said individual.
"Personal Data Controllers" ("Controllers") are natural or juristic persons, who have the power and duty to decide on the collection, use or disclosure of personal data.
"Personal Data Processors" ("Processors") are natural or juristic persons who collect, use or discloses personal data for a Controller.
Authorities in Charge
The PDPA establishes the Personal Data Protection Commission ("PDPC") to enforce the PDPA. It is also establishes the Office of the PDPC ("OPDPC") to act as the secretariat of the PDPC.
- Notice & Consent: Controllers and Processors must obtain consent from each Data Subject prior to or at the time of any collection, use or disclosure of person data. The intended purpose of the data collection must also be notified to the data subject.
- Limitations to Collection, Use and Disclosure:
- Purpose limitation. The Controller cannot collect, use or disclose personal data for any purpose other than the intended purpose as notified to and consented by the data subject.
- Proportionality. The Controller cannot collect, use or disclose more personal data than is necessary to achieve the intended purpose.
- Source limitation. Personal data may only be collected directly from the data subject, subject to only a few exceptions.
- Retention limitation. The Controller cannot keep personal data for longer than necessary to achieve the intended purpose.
- Access, Correction and Portability: The Controller must ensure that personal data is up to date, accurate and not misleading by allowing the data subject to access to and ask the Controller to correct his or her personal data collected by the Controller. The Controller must ensure that each data subject can obtain his or her personal data in a format possible to be used with ease by other Controllers.
- Security: The Controller must provide appropriate security measures to prevent any loss, access, use, modification or disclosure of personal data without authorization.
- Openness: The Controller must disclose personal data of a data subject for him or her to examine and verify.
Offences and Penalties
Offences committed against the PDPA can result in fines of up to THB5,000,000 and/or imprisonment terms up to one year. Injured data subjects can file civil lawsuits against the Controller for actual damages plus punitive damages up to 2 times of the actual damages.
Preparation for Compliance
Businesses should be prepared to comply with the PDPC by:
- Reviewing privacy policies and notices
- Setting up data breach notification procedures
- Reviewing data transfer policies
- Identifying Controllers and Processors
- Reviewing online and offline data security measures
- Appointing a DPO.