
Thailand’s Personal Data Protection Act (PDPA) has been a significant development in the consumer privacy space. Enacted in 2019 and coming into full effect in June 2022, the PDPA empowers Thai individuals with substantial control over how businesses handle their personal information. For businesses operating in Thailand or those collecting data from Thai residents, compliance with the PDPA is not just advisable but mandatory.

In this article, we delve into the essence of Thailand’s PDPA, its influence on businesses, the necessary steps to ensure compliance, and more.


Understanding Thailand’s PDPA

The PDPA is essentially a consumer privacy law, designed to give individuals greater control over their personal data. It establishes guidelines for businesses regarding the collection, storage, sharing, and use of consumers’ information. This law aims to strike a balance between commercial interests and the protection of privacy rights.

Even if a business is not physically located in Thailand, if it offers services to Thai residents or monitors their online behavior, it falls under the jurisdiction of the PDPA. Non-compliance with the PDPA can lead to significant penalties, making it vital for businesses to understand and adhere to its provisions.

Key Definitions & Terms

To grasp the essence of the PDPA, it’s essential to familiarize oneself with its key definitions and terms. Section 6 of the PDPA outlines crucial definitions, including:

  • Person: Referring to a living individual.
  • Personal Data: Information about an individual that can directly or indirectly identify them. This includes details like name, address, phone number, customer ID, age, gender, height, username, password, and IP address. However, information about deceased individuals is not considered personal data.
  • Sensitive Personal Data: While not explicitly defined by the PDPA, sensitive personal data typically includes information related to race, ethnic origin, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, and biometric data.
  • Data Controller: An entity responsible for determining how and why personal data is collected, used, and shared.
  • Data Processor: Any individual or organization that handles personal data as instructed by the data controller, including gathering, using, or sharing it.

The definitions within the PDPA bear striking similarities to those found in the EU’s General Data Protection Regulation (GDPR), offering Thai residents comparable protections.

Compliance & Exceptions Requirements

Material Scope

Thailand’s PDPA generally applies to any legal entity that collects, uses, or discloses personal data of living individuals, with certain exceptions.

Territorial Scope

The PDPA covers personal data collected, used, or disclosed by data controllers or processors within Thailand, regardless of where these activities occur.

If a data controller or processor operates outside Thailand, the PDPA still applies if they engage in activities such as:

  • Offering goods or services to individuals in Thailand, regardless of where payment is made.
  • Monitoring the behavior of individuals in Thailand.


While the PDPA applies broadly, there are exemptions outlined in Section 4. These exemptions include:

    1. Personal data collection for household or domestic purposes
    2. Public authorities fulfilling state security obligations
    3. Individuals disclosing data for artistic or journalistic purposes in the public interest
    4. Government officials performing their duties
    5. Courts and legal officials within their authority
    6. Credit bureau agencies fulfilling official duties

Key Responsibilities For Businesses

To understand the core of Thailand’s Personal Data Protection Act (PDPA), it’s important to grasp the responsibilities it imposes on businesses:

a. Obtaining Consent: Organizations must obtain explicit consent from data subjects before collecting, using, or disclosing personal data unless exempted by law. Consent requests must be clearly communicated, in plain language, and include the purposes of data processing. Data subjects retain the right to withdraw consent easily.

  • Data controllers must obtain explicit consent from individuals before collecting, using, or disclosing their personal data, except in specific circumstances.
  • Requests for consent should be clearly communicated through written statements or electronic means, using plain language to explain the purposes of data processing.
  • Individuals have the right to withdraw their consent easily, with the same level of simplicity as giving consent.

b. Consent for Minors: Processing minors’ personal data, particularly those under 10 years old, necessitates obtaining consent from parents or guardians.

c. Notifying Data Processing: Organizations must inform data subjects about the reasons for collecting personal data, circumstances mandating data submission, information about potential consequences of not providing data, data retention periods, recipients of data, and contact details of the data controller.

d. Data Security: Data controllers are mandated to implement suitable security measures to safeguard personal data from unauthorized access, loss, or misuse. These measures must be regularly reviewed and encompass administrative, technical, and physical safeguards.

e. Managing Data Breaches: Organizations are required to promptly notify the Personal Data Protection Committee (PDPC) of any personal data breach, preferably within 72 hours. If the breach poses a high risk, data subjects must also be notified promptly.

f. Data Protection Officer: Data controllers and processors must appoint a Data Protection Officer (DPO) under specified circumstances, such as being a public authority or engaging in large-scale data processing activities.

g. Data Protection Impact: While not explicitly required, organizations must assess the risks associated with personal data processing activities that may impact data subjects’ rights.

h. Documentation of Processing Activities: Organizations must maintain records of personal data processing activities, detailing information about the data controller, purposes of processing, types of data collected, retention periods, security measures, and more.

i. Third-Party Processing Guidelines: Data processors must strictly adhere to the instructions of data controllers, notify them of any unauthorized access or breaches, and maintain records of processing activities.

j. Cross-border Data Transfer: Transferring personal data abroad requires ensuring that the destination country or organization maintains adequate data protection standards unless exempted by specific circumstances outlined in the PDPA.

k. Data Subject Rights: Data subjects have various rights, including access to their personal data, portability, objection to processing, erasure, restriction of processing, and rectification of inaccurate or incomplete data. These rights must be respected and acted upon promptly by organizations.

Influence On Businesses

For businesses, compliance entails revisiting data processing practices, revamping consent mechanisms, and fortifying data security infrastructure. Conversely, consumers stand to benefit from heightened privacy safeguards, gaining greater autonomy over their personal information. The act empowers individuals to withhold consent, opt out of marketing endeavors, and withdraw consent at any juncture, thereby fostering a culture of data privacy and consent. The PDPA significantly impacts businesses in several key ways:

    • Mandating transparency: Businesses must provide clear and comprehensive data policies, including Privacy Policies and Cookies Policies.
    • Obtaining consent: Meaningful and informed consent from consumers is essential before collecting data, potentially necessitating changes to consent collection methods.
    • Justifying data collection: Businesses must have legitimate reasons for collecting personal data, often requiring them to minimize data collection.
    • Ensuring data security: Robust cybersecurity measures are necessary to safeguard personal data against breaches.

The PDPA represents a substantial shift for Thai residents and consumers affected by its provisions. Some ways it impacts consumers include:

    • Greater control over data: Individuals have more control over the data businesses collect and its usage.
    • Consent requirement: Personal data cannot be processed without explicit consent, except for specific purposes.
    • Opt-out options: Consumers have easier options to opt out of direct marketing and targeted advertising.
    • Consent withdrawal: Individuals have the right to withdraw consent at any time.

Steps Towards Compliance

Achieving compliance with Thailand’s PDPA requires careful planning and execution. Businesses need to establish lawful grounds for data processing, primarily relying on consent unless other legal justifications apply. It’s crucial to implement clear consent mechanisms, like clickable banners, to meet compliance standards. Additionally, appointing Data Protection Officers (DPOs) where required and drafting detailed privacy policies outlining data practices and consumer rights are essential steps. Simultaneously, crafting cookie policies aligned with PDPA guidelines is crucial to addressing cookie usage and consent effectively. To ensure compliance with Thailand’s PDPA, organizations should:

  1. Determine if they fall under Thailand’s PDPA jurisdiction by assessing if they process personal data of Thai individuals.
  2. Review and categorize their data inventories to identify storage containing personal information about Thai individuals.
  3. Enhance transparency in data processing by implementing official policies and privacy notices.
  4. Establish an efficient framework for handling data subject requests.
  5. Identify risks and vulnerabilities through conducting a data protection impact assessment.
  6. Employ a knowledgeable data protection officer well-versed in Thailand’s PDPA to address data subject requests promptly.
  7. Develop a robust consent framework to manage consent obligations effectively.
  8. Enable Thai individuals to exercise their rights concerning the sale or use of their personal data.
  9. Implement technical and organizational security measures to safeguard data processing procedures.
  10. Thoroughly examine data handling practices and agreements to ensure compliance with PDPA regulations.

Enforcement and Penalties

Thailand’s PDPA enforcement lies with the Personal Data Protection Committee (PDPC), responsible for ensuring compliance, providing guidelines, and addressing violations. Failure to comply can result in significant penalties, including fines, civil liabilities, and criminal charges. Businesses breaking the law may face fines of up to 5 million Baht, civil damages, and potentially criminal sanctions for serious breaches. Therefore, following PDPA rules is crucial to minimize legal risks and maintain consumer trust.

Wrapping Up

Thailand’s Personal Data Protection Act marks a significant milestone in safeguarding consumer privacy rights. Businesses operating in Thailand or targeting Thai residents must navigate its provisions carefully to avoid penalties and maintain consumer trust. By understanding the PDPA’s requirements and taking proactive steps towards compliance, businesses can ensure the responsible and lawful handling of personal data in line with Thailand’s evolving privacy landscape.

GetTerms can simplify the complicated task of compliance and allow you to get back to business by addressing multiple items on your compliance checklist, including a cookie policy tailored to your business needs and cookie consent banners. Please take advantage of our services today. Create an account and get started in 5 minutes.
