Personal data privacy is a pressing global issue that is quickly becoming a priority for Thailand's leaders. They understand that changes to their organizations' procedures must be carefully planned and well-considered. Managing and securing personal data is the only way to ensure compliance and demonstrate accountability.
The Personal Data Protection Act (PDPA) has certain requirements that are similar to those found in the GDPR. These include standards for data controllers and processors, as well as equivalent legal bases for processing personal data. The PDPA and the GDPR do, however, have some major distinctions: the PDPA carries lower monetary penalties than the GDPR, and it adds criminal penalties of up to one year of imprisonment. Thailand's PDPA also establishes the Personal Data Protection Committee ('PDPC') to create and issue data protection sub-regulations, among other things.
Does Thailand's PDPA Apply to Your Organization?
The PDPA applies to a natural person or legal person that collects, uses, or discloses the personal data of a natural, living person, with exceptions such as when the activity is performed as part of a household activity.
The PDPA applies to processing activities conducted by a data controller or data processor that is based in Thailand.
Regarding the extra-territorial scope of the PDPA, the law applies to organizations outside of Thailand when their processing activities relate to the offering of goods and/or services to individuals in Thailand, or when they monitor the behavior of individuals residing in Thailand.
Data that falls under the material scope of the PDPA includes general personal data such as name, date of birth, email address, etc. Furthermore, specific requirements and exemptions apply to the processing of certain types of personal data, such as racial, sexual, and health data.
Data Subject Rights under the PDPA
The PDPA grants data subjects several rights that closely resemble those found in the GDPR. Furthermore, the PDPA requires organizations to inform data subjects of their rights prior to or at the time of the collection of their personal data.
The rights of a data subject under the PDPA are as follows:
- Right to be informed
The data controller must inform the data subject of the details of the processing activity, such as the purpose of the collection, data retention periods, etc.
- Right to access
The data subject has the right to access or request a copy of their personal data collected, used, and disclosed by the data controller.
- Right to rectification
The data subject has the right to have incomplete, inaccurate, misleading, or outdated personal data held by the data controller corrected.
- Right to erasure
The data subject has the right to request that the data controller delete or de-identify their personal data. There are some exceptions to this right, for example where data controllers are required to retain the data to comply with a legal obligation or to establish, exercise, or defend legal claims.
- Right to object/opt-out
The data subject has the right to object to the collection, use, and disclosure of their personal data in certain circumstances such as for direct marketing purposes.
- Right to data portability
The data subject has the right to obtain the personal data that the data controller holds about them in a structured electronic format, and may request that such data be sent or transferred to another data controller.
- Right not to be subject to automated decision making
The PDPA does not explicitly provide for the right not to be subject to automated decision-making. However, the data subject has the right to restrict the use of their personal data in certain circumstances.
A Few Steps to Thai PDPA Compliance
- Appoint a Data Protection Officer (‘DPO’)
Section 41 of the PDPA requires organizations to appoint a DPO in certain circumstances. The DPO's responsibilities include informing and advising the organization of its obligations, monitoring the performance of the data controller and data processors, and acting as a point of contact with the Personal Data Protection Committee.
- Implement a Data Subject Rights Request (DSAR) process
The PDPA provides data subjects with specific rights relating to the collection and use of their personal data. Implementing an automated DSAR process can help streamline the intake and fulfilment of DSARs, and can help manage, track, and report on the requests your organization receives.
- Monitor and measure personal data risks
Developing internal processes to monitor potential risks to personal data is critical for organizations looking to comply with the PDPA and to avoid the monetary penalties, which range up to THB 5 million (approx. €129,000). By monitoring potential risks across the data ecosystem, organizations can identify gaps, reduce the risk of data breaches, and support the fulfilment of data subjects' rights.
- Optimize data collection and survey risk across your business
Section 39 of the PDPA requires businesses to maintain records of data collected and specify the purpose for its use. Implementing PDPA-specific Privacy Impact Assessments (PIAs) helps organizations to comply with the data minimization and purpose limitation principles specified in the PDPA and helps to understand risk across processing activities.
Implementation & Conclusion
Over the past two years of the PDPA's delay, the Ministry of Digital Economy and Society has been preparing 29 laws linked with the PDPA, with 10 being treated as a priority. Enforcement of the PDPA is scheduled to begin on 1st June 2022, while the Personal Data Protection Committee was finalized on 18th January 2022.
To summarise, the PDPA focuses on balancing fairness and protection, while also ensuring that it does not discourage innovation or new business, because data is the future and offers opportunity. The PDPA will be enforced against those who abuse the flow of personal data, whereas it will support those who properly handle users' personal data to facilitate their business.