Thailand’s Government has finally published the Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”) in the Government Gazette, and the Act thus became effective on 27th May 2019. The Act was approved and endorsed by the National Legislative Assembly on 28th February 2019 and was thereafter submitted for royal endorsement and subsequent publication in the Government Gazette.

The PDPA will provide Thailand with its very first consolidated law governing data protection in the country. Thailand’s Government has largely drawn its concepts from the EU General Data Protection Regulation (GDPR), with certain modifications suited to the national perspective. Lexology thus reports that “compliance with the GDPR does not necessarily mean compliance with the PDPA”.

Key takeaways from the PDPA

What is ‘personal data’?

The PDPA defines it broadly as “information relating to a person which is identifiable, directly or indirectly”. The Act clarifies that information relating to private businesses and deceased persons is excluded from the Act.

“Sensitive personal data”: the Act provides a specific category of “sensitive personal data”, which, as per the Hunton Privacy Blog, includes “personal data pertaining to racial or ethnic origin, political opinions, religious or philosophical belief, criminal record, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, and prohibits the collection of sensitive personal data without express consent from the data subject, except in certain prescribed circumstances (e.g., medical emergency or as required by law)”.

What is a ‘data controller’?

It is defined as a “natural or juristic person” having the power to make decisions on the collection, use or disclosure of personal data.

What is a ‘data processor’?

It is a “natural or legal person” which collects, uses or discloses personal data in accordance with the instructions of the data controller.

What will amount to ‘consent’?

The Act provides that a data subject’s consent is the primary requirement for any collection and processing of data. Such consent must be clear and obtained in a way that does not mislead data subjects, and it must be express and given in writing or via digital means. Exemptions from the consent requirement are provided, notably for vital interests, personal interests, legal obligations, or where the parties are bound by contractual obligations. A data owner may revoke consent at any time, unless bound by a law or contract that restricts revocation.

National Data Protection Committee

A Personal Data Protection Committee will be established under the Act to enforce compliance. The committee will produce guidelines on data protection practices that data administrators can follow in order to implement a data protection framework.

Rights of data subjects

The Act provides that data owners or subjects are entitled to request access to their own personal data held by the data controller. Data subjects can also submit requests to delete, destroy or anonymise their own personal data. Exceptions apply where, among other cases, the request is inconsistent with the provisions of other applicable laws or court orders.

Responsibilities of data administrators (controllers and processors)

The Act imposes several obligations on data administrators, including collecting data only by lawful means and for lawful purposes. Administrators are required to inform data owners of the details of the collection of their personal data and to obtain consent for such collection.

The Act also specifies that administrators are required to implement appropriate security measures to prevent loss or alteration of data resulting from any unauthorized activity.

Extraterritorial application

The Act regulates the collection, use or disclosure of personal data of a data subject in Thailand by data administrators based overseas. As a result, businesses outside Thailand are subject to the PDPA. Such data administrators will be required to appoint a local representative in Thailand and must comply with the conditions set forth in the Act.

Cross-border transfer of data

The Act specifies that personal data can be transferred to other countries that have rigorous data protection laws. It can also be transferred in cases where:

  1. the transfer is made in accordance with any applicable law;
  2. consent has been obtained from the data subject;
  3. the transfer is necessary for compliance with a contract entered into between the data subject and the data controller;
  4. the transfer is in the interests of a data subject who is incapable of giving consent; or
  5. the transfer is permitted by the prescribed ministerial regulation.

Liability and Penalties

The Act provides for both civil and criminal liability for violations of the prescribed obligations, and sets out penalties for non-compliance. As Baker McKenzie reports, “the non-compliance is punishable with administrative fines (up to THB 5 million), criminal penalties (imprisonment up to one year and/or fines up to THB 1 million), and punitive damages up to twice the amount of actual damages”.

Timeframe

Companies and organizations that are engaged in collecting, using, disclosing and/or transferring personal data have to implement data protection measures that are fully compliant with the key provisions of the PDPA within one year of it coming into effect.