Personal data privacy is a global hot problem that is quickly becoming a priority for Thailand’s leaders. They understand that changes to their organizations’ procedures must be carefully planned and well-considered. There is no alternative method to manage and secure personal data in order to assure compliance and demonstrate accountability.
The Personal Data Protection Act (PDPA) has certain requirements that are similar to those found in the GDPR. These include standards for data controllers and processors, as well as equivalent legal bases for processing personal data. The PDPA and the GDPR, on the other hand, have some major distinctions, including lower monetary penalties and the addition of criminal penalties of up to one year in prison. The Thai PDPA also establishes the Personal Data Protection Committee (‘PDPC’) to create and issue data protection sub-regulations, among other things.
Does the Thai PDPA Apply to Your Organization?
The Thai PDPA applies to a person or legal person that collects, uses, or discloses the personal data of a natural, living person with exceptions such as when the activity is performed as part of household activity.
The Thai PDPA applies to processing activities conducted by a data controller or data processor that is based in Thailand.
Regarding the extra-territorial scope of the PDPA, the law applies to organizations outside of Thailand when their processing activities relate to offering goods or services to individuals in Thailand or when monitoring the behavior of individuals where the behavior has taken place in Thailand.
Data that falls under the material scope of the PDPA includes general personal data such as name, date of birth, email address, etc. Furthermore, specific requirements and exemptions apply to the processing of certain types of personal data, such as racial, sexual, and health data. See above for further examples.
PDPA Data Subject Rights
The Thai PDPA outlines several rights to data subjects that closely resemble to those found in the GDPR. Furthermore, the Thai PDPA requires organizations to inform the data subjects of their rights prior to or at the time of the collection of their personal data.
Following are the rights of a Data Subject under the PDPA-
- Right to be informed
The data controller must inform the data subject with details of the processing activity such as the purpose of the collection, data retention periods, etc.
- Right to access
The data subject has the right to access or request a copy of their personal data collected, used, and disclosed by the data controller.
- Right to rectification
The data subject has the right to correct- incomplete, inaccurate, misleading, or outdated personal data held by the data controller.
- Right to erasure
The data subject has the right to request the data controller to delete or de-identify their personal data. There are some exceptions to this right whereby data controllers are required to retain the data to comply with a legal obligation or to establish, exercise, or defend legal claims.
- Right to object/opt-out
The data subject has the right to object to the collection, use, and disclosure of their personal data in certain circumstances such as for direct marketing purposes.
- Right to data portability
The data subject has the right to obtain the personal data that the data controller holds about them in a structured electronic format and to send or transfer such data to another data controller.
- Right not to be subject to automated decision making
The Thai PDPA does not explicitly provide for the right not to be subject to automated decision-making. However, the subject has the right to restrict the use of their personal data in certain circumstances.
Few Steps to Thai PDPA Compliance
- Appoint and empower a Data Protection Officer (‘DPO’)
Section 41 of the PDPA requires organizations to appoint a DPO in certain circumstances whose responsibilities include informing and advising the organization of their obligations, monitoring the performance of the data controller and data processors, and acting as a point of contact.
- Implement Data Subject Rights Request (DSAR) processes
The PDPA provides data subjects with specific rights relating to the collection and use of their personal data. Implementing an automated DSAR process can help streamline the intake and fulfill DSARs and can help manage, track, and report on the requests your organization receives.
- Monitor and measure personal data risks
Developing internal processes to monitor potential risk to personal data is critical for organizations looking to comply with the PDPA and for avoiding the monetary penalties ranging up to THB 5 million (approx. €129,000). By monitoring potential risks across the data ecosystem, organizations can identify gaps in compliance efforts, reduce the risk of data breaches, and assist in the fulfillment of data subject rights.
- Optimize data collection and survey risk across your business
Section 39 of the PDPA requires businesses to maintain records of data collected and specify the purpose for its use. Implementing PDPA-specific Privacy Impact Assessments (PIAs) helps organizations to comply with the data minimization and purpose limitation principles specified in the PDPA and helps to understand risk across processing activities.
Implementation & Conclusion :
The National Digital Economics and Society Committee approved plans to establish a platform that complies with the Personal Data Protection Act in November 2021. For Thai digital start-ups, the platform would also make government services available online.
Thailand’s Prime Minister indicated that the new government platform will assist in easing the state sector’s overall budgetary load. It will also improve the security of online transactions and aid to the growth of the digital economy.
The DES Ministry has been preparing 29 laws linked with the PDPA over the past two years of the PDPA’s delay, with 10 being treated as a priority. The enforcement of the PDPA is scheduled to take place on 1st June 2022, while the Personal Data Protection Committee was finalized on 18th January 2022.
To summarise, the Thai PDPA focuses on balancing between fairness and protection, while also ensuring that it does not discourage innovation or new business because data is the future and offers opportunity. The PDPA will be enforced against those who abuse the flow of personal data, whereas it will support those who properly handle personal data to facilitate their business.