Personal Data Protection in Thailand

The PDPA is largely based on the GDPR, and therefore, there are several similarities between the two. For example, both texts have similar provisions regarding the legal basis of processing, as both list consent, performance of a contract, legal obligations, legitimate interests, or vital interests as a legal basis. In addition, the PDPA mirrors the GDPR’s extraterritorial applicability and applies to data controllers and data processors outside of Thailand if they process personal data of data subjects in Thailand and offer goods and services to, or monitor behaviour of the data subjects. Moreover, both texts empower data subjects with several rights, including the right to erasure, the right to be informed, the right to object, the right to data portability, and the right to access. Nevertheless, there are some key differences between the PDPA and the GDPR. In particular, unlike the GDPR, the PDPA does not apply to certain public authorities, and the definition of ‘personal data’ in the GDPR is much more detailed, as it specifically includes IP addresses and cookie identifiers, whilst there is no mention of these in the PDPA. Furthermore, although the PDPA states that a data subject has the right to anonymise their personal data, unlike the GDPR, the PDPA does not define anonymised or pseudonymised data. Other examples of divergences can be found in the provisions relating to cross-border data transfers, and penalties. Whilst both the GDPR and the PDPA provide for monetary and administrative penalties in case of non-compliance, violations of the PDPA could also result in imprisonment for a term not exceeding one year.

Thailand’s Personal Data Protection Act BE 2562 (PDPA) was set to come into full effect on 1 June 2021 to bring significant changes to the current data protection regulatory environment in Thailand. This creates challenges for organisations doing business in Thailand both before and after the deadline. The full enforcement of the PDPA has been previously postponed, and many businesses had expressed concern that another extension would be forthcoming before the current enforcement date. However, the successful establishment of the PDPC is a fundamental prerequisite to enforcement and indicates that the effective date of the PDPA on June 1, 2022.

The PDPA’s scope and requirements are deep and complex, and it takes time for companies to become fully compliant. This means companies should act now, taking a programmatic risk-based approach to data protection so they’re able to demonstrate progress and accountability to the regulators and to society.

The PDPA applies to a person or legal person that collects, uses, or discloses the personal data of a natural (and alive) person, with certain exceptions (e.g., exception of household activity). The PDPA covers the collection, use, disclosure, and/or transfer of personal data, with certain exceptions (e.g., exception of household activity).

Application

The PDPA has both territorial and extra-territorial application. As for the territorial scope of the PDPA, the PDPA applies to the collection, use, and/or disclosure of personal data by a personal data controller or a personal data processor that is in Thailand, regardless of whether such collection, use, or disclosure takes place in Thailand or not. Furthermore, the PDPA has extra-territorial applicability over entities outside Thailand that collect, use, and/or disclose personal data of data subjects who are in Thailand in two situations:

  • where the activities of collection, use, and disclosure are related to the offering of goods or services to the data subjects who are in Thailand, irrespective of whether the payment is made by the data subject; or
  • where the activities of collection, use, and disclosure are related to the monitoring of the data subject’s behaviour, where the behaviour takes place in Thailand.

Personal Data Protection Commission (PDPC)

The Personal Data Protection Committee (‘PDPC’) is responsible for drafting and issuing future sub-regulations under the PDPA. The PDPC has the following power and duties, including, but not limited to:

  1. determine measures or approaches for operations in relation to personal data protection to ensure PDPA compliance;
  2. promote and support the protection of personal data;
  3. issue notifications or orders pursuant to the PDPA; and
  4. announce and establish rules/guidelines for personal data controllers and personal data processors to follow and comply with.

The PDPC consists of:

  • The chairperson, appointed based on knowledge, skills, and experience;
  • The vice-chairperson, who is the permanent secretary of the Ministry of Digital Economy and Society;
  • Five commission members, designated based on their positions in certain government agencies (as prescribed under the PDPA); and
  • Nine honorary commission members appointed based on knowledge, skills, and experience in personal data protection, consumer protection, technology and telecommunication, social science, law, health, finance, or other relevant fields.

As the vice-chairperson and the five commission members are appointed to the PDPC based on their positions, the January 18 announcement appointing the chairperson and the nine honorary commission members completes the formation of the PDPC.

Conclusion

The PDPA requires compliance with the principle of the data minimisation, i.e. the collection of personal data must be limited to the extent that is necessary in relation to the lawful purpose of the data controller. In addition, the data controller shall ensure that the personal data remains accurate, up-to-date, complete, and not misleading. With the PDPA becoming fully enforceable, data collectors and users need to ensure systems are compliant with the necessary requirements. For any and all businesses dealing with personal data that have not yet taken the appropriate steps in order to comply with the PDPA when it goes live, the time is now to appoint data controllers and processors and ensure they are prepared to adequately handle all procedures and requests that may come their way.

Author: Tanya Saraswat- a student of Narsee Monjee Institute of Management Studies (NMIMS),  in case of any queries please contact/write back to us via email chhavi@khuranaandkhurana.com or at Khurana & Khurana, Advocates and IP Attorney.

Leave a Reply Cancel reply

Archives

  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • February 2016
  • January 2016
  • December 2015
  • November 2015
  • October 2015
  • September 2015
  • August 2015
  • July 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • June 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • December 2012
  • November 2012
  • September 2012
  • August 2012
  • July 2012
  • June 2012
  • May 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • December 2011
  • November 2011
  • October 2011
  • September 2011
  • August 2011
  • July 2011
  • June 2011
  • May 2011
  • April 2011
  • March 2011
  • February 2011
  • January 2011
  • December 2010
  • September 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010
  • Exit mobile version