
TH Personal Data Protection Act, 28 Feb. 2019

Writer: AdminAdmin

Updated: Feb 25, 2020

Thailand’s Personal Data Protection Act (PDPA) was approved by the National Legislative Assembly on 28 February 2019 and, after being signed and endorsed by the monarch, it will be published in the Royal Thai Government Gazette and passed into law. After this, several pieces of subordinate legislation will be enacted to provide a procedural framework so that the PDPA can be practically enforced.


Important defined terms


Personal data – Data that relates to a person and can directly or indirectly identify that person, but not the personal data of a deceased person. Sensitive personal data is also controlled under the PDPA. Personal data doesn’t include business information (e.g. the business title, address, and contact details).


Data controller – a natural or juristic person who has the authority to decide on the collection, use or disclosure of personal data.


Data processor – a natural or juristic person who collects, uses or discloses personal data in accordance with the order or on behalf of the data controller.


Collection of personal data

The collection of personal data requires the consent of the data owner and must be for a lawful purpose and directly relevant to, and necessary for, the activities of the data controller. Before or when personal data is collected, the data owner must be notified of the following:

  • The purpose for the collection.
  • The need to give the personal data in order to comply with laws or contracts, or enter into contracts. Also, the possible consequences of not providing the personal data.
  • The data to be collected and the period of time to retain the collected data.
  • The person to whom the personal data might be disclosed.
  • The contact information of the data controller.
  • The rights of the data owner.


Consent

Consent from a data owner is a key element of the PDPA and essential for personal data processing.

Legitimate consent is a form of consent that doesn’t impose unnecessary conditions on the data owner in any circumstance, and must be:

  • clearly expressed in writing or through an electronic system before or at the time of the collection, use or disclosure,
  • in a form/detail that is easy to access and understand, and
  • freely given by the data owner.


Extraterritorial effect

The PDPA applies to the collection, usage or disclosure of personal data, in Thailand or elsewhere, by the personal data controller or the data processor who is residing in Thailand. It also applies to those residing outside Thailand if they offer products or services to the data owner residing in Thailand, whether or not payment is made, or if they monitor the activity of the data owner in Thailand.


Data owner’s rights

Data owners have legitimate rights under the PDPA. They can do any of the following:

  • withdraw their consent, at any time. However, this doesn’t affect the collection, use or disclosure of the personal data that has already been consented to.
  • request access to or make a copy of their own personal data that is under the responsibility of the personal data controller.
  • oppose the collection, use or disclosure of their own personal data at any time.
  • request that the data controller delete or destroy the personal data, make their personal data anonymous or make it impossible for other people to identify the data owner when keeping the data is no longer necessary for the agreed purpose, or when the data owner withdraws their consent.
  • request that the data controller suspend the use of their personal data.
  • request the data controller to perform any actions to make sure that the personal data is accurate, up-to-date, complete and not misleading.
  • make a complaint if the data controller, the personal data processor, its employee or contractor violates or doesn’t comply with the PDPA.


Duties of the data controller and data processor


Data controller

  • Inform the data owner about the objectives of the collection, use or disclosure of personal data and that the data is being collected, used or disclosed according to the objectives so informed, and inform them of the impact of the withdrawal of consent.
  • Provide appropriate security measures to prevent loss, access, use, change, correction or disclosure of personal data without authorisation or in an unlawful way.
  • Prevent the use or disclosure of personal data that is given to parties other than the data controller without authority or in an unlawful way.
  • Provide an inspection system to detect personal data that has been kept for longer than necessary or is not relevant to the objective.
  • Inform the Office of the Personal Data Protection Board within 72 hours of being aware of or alerted to an abuse of personal data.
  • Respond to the data owners’ requests when they exercise their rights.


Data processor

  • Strictly follow the instructions of the data controller when collecting, using, or disclosing personal data.
  • Provide appropriate security measures to prevent loss, access, use, change, correction or disclosure of personal data without authorisation or in an unlawful way.
  • Inform the data controller of any violation of the personal data that occurs.
  • Prepare and maintain a list of the data processing activities.


Data protection officer (DPO)

The data controller and data processor must appoint a DPO under the circumstances specified in the PDPA. The DPO must be independent and primarily responsible for making sure that the processing of personal data of the organisation’s staff, customers, providers or any other individuals will comply with the data protection rules.


Violation of the law

