- Biological Inventions
- Brand Valuation
- Competition Law
- Constitutional Law
- Consumer Law
- Copyright Infringement
- Copyright Litigation
- Corporate Law
- Digital Right Management
- Educational Conferences/ Seminar
- Fashion Law
- Hi Tech Patent Commercialisation
- Hi Tech Patent Litigation
- Intellectual Property
- Intellectual Property Protection
- IP Commercialization
- IP Licensing
- IP Litigation
- IP Practice in India
- IPAB Decisions
- Legal Issues
- Media & Entertainment Law
- News & Updates
- Patent Act
- Patent Commercialisation
- Patent Filing
- patent infringement
- Patent Licensing
- Patent Litigation
- Patent Marketing
- Patent Opposition
- Patent Rule Amendment
- Pharma- biotech- Patent Commercialisation
- Pharma/Biotech Patent Litigations
- Section 3(D)
- Social Media
- Sports Law
- Telecom Law
- Trademark Litigation
The PDPA is largely based on the GDPR, and therefore, there are several similarities between the two. For example, both texts have similar provisions regarding the legal basis of processing, as both list consent, performance of a contract, legal obligations, legitimate interests, or vital interests as a legal basis. In addition, the PDPA mirrors the GDPR’s extraterritorial applicability and applies to data controllers and data processors outside of Thailand if they process personal data of data subjects in Thailand and offer goods and services to, or monitor behaviour of the data subjects. Moreover, both texts empower data subjects with several rights, including the right to erasure, the right to be informed, the right to object, the right to data portability, and the right to access. Nevertheless, there are some key differences between the PDPA and the GDPR. In particular, unlike the GDPR, the PDPA does not apply to certain public authorities, and the definition of ‘personal data’ in the GDPR is much more detailed, as it specifically includes IP addresses and cookie identifiers, whilst there is no mention of these in the PDPA. Furthermore, although the PDPA states that a data subject has the right to anonymise their personal data, unlike the GDPR, the PDPA does not define anonymised or pseudonymised data. Other examples of divergences can be found in the provisions relating to cross-border data transfers, and penalties. Whilst both the GDPR and the PDPA provide for monetary and administrative penalties in case of non-compliance, violations of the PDPA could also result in imprisonment for a term not exceeding one year.
The PDPA’s scope and requirements are deep and complex, and it takes time for companies to become fully compliant. This means companies should act now, taking a programmatic risk-based approach to data protection so they’re able to demonstrate progress and accountability to the regulators and to society.
The PDPA applies to a person or legal person that collects, uses, or discloses the personal data of a natural (and alive) person, with certain exceptions (e.g., exception of household activity). The PDPA covers the collection, use, disclosure, and/or transfer of personal data, with certain exceptions (e.g., exception of household activity).
The PDPA has both territorial and extra-territorial application. As for the territorial scope of the PDPA, the PDPA applies to the collection, use, and/or disclosure of personal data by a personal data controller or a personal data processor that is in Thailand, regardless of whether such collection, use, or disclosure takes place in Thailand or not. Furthermore, the PDPA has extra-territorial applicability over entities outside Thailand that collect, use, and/or disclose personal data of data subjects who are in Thailand in two situations:
- where the activities of collection, use, and disclosure are related to the offering of goods or services to the data subjects who are in Thailand, irrespective of whether the payment is made by the data subject; or
- where the activities of collection, use, and disclosure are related to the monitoring of the data subject’s behaviour, where the behaviour takes place in Thailand.
Personal Data Protection Commission (PDPC)
The Personal Data Protection Committee (‘PDPC’) is responsible for drafting and issuing future sub-regulations under the PDPA. The PDPC has the following power and duties, including, but not limited to:
- determine measures or approaches for operations in relation to personal data protection to ensure PDPA compliance;
- promote and support the protection of personal data;
- issue notifications or orders pursuant to the PDPA; and
- announce and establish rules/guidelines for personal data controllers and personal data processors to follow and comply with.
The PDPC consists of:
- The chairperson, appointed based on knowledge, skills, and experience;
- The vice-chairperson, who is the permanent secretary of the Ministry of Digital Economy and Society;
- Five commission members, designated based on their positions in certain government agencies (as prescribed under the PDPA); and
- Nine honorary commission members appointed based on knowledge, skills, and experience in personal data protection, consumer protection, technology and telecommunication, social science, law, health, finance, or other relevant fields.
As the vice-chairperson and the five commission members are appointed to the PDPC based on their positions, the January 18 announcement appointing the chairperson and the nine honorary commission members completes the formation of the PDPC.
The PDPA requires compliance with the principle of the data minimisation, i.e. the collection of personal data must be limited to the extent that is necessary in relation to the lawful purpose of the data controller. In addition, the data controller shall ensure that the personal data remains accurate, up-to-date, complete, and not misleading. With the PDPA becoming fully enforceable, data collectors and users need to ensure systems are compliant with the necessary requirements. For any and all businesses dealing with personal data that have not yet taken the appropriate steps in order to comply with the PDPA when it goes live, the time is now to appoint data controllers and processors and ensure they are prepared to adequately handle all procedures and requests that may come their way.
Author: Tanya Saraswat- a student of Narsee Monjee Institute of Management Studies (NMIMS), in case of any queries please contact/write back to us via email firstname.lastname@example.org or at Khurana & Khurana, Advocates and IP Attorney.