Privacy laws and personal data protection regulation

    By Ruengrit Pooprasert and Chotika Lurponglukana, Veritas Law

    PRIVACY AND DATA PROTECTION LAWS


    Until recently, Thailand had no specific legislation on personal data protection. Specific laws protected only the information of individuals held or controlled by a state agency, while other personal data protection rules were scattered across general laws, e.g. the Constitution and the provisions on wrongful acts in the Civil and Commercial Code.

    In 2019, the National Legislative Assembly approved Thailand’s first consolidated Personal Data Protection Act (2019) (PDPA), which came into full effect on 1 June 2022. The PDPA sets out the key principles of protection, while the details, criteria, processes, standards and relevant guidelines are stipulated in the subordinate legislation or regulations issued, or to be issued, by the Personal Data Protection Committee.

    IMPACT ON BUSINESS PRACTICES

    The PDPA affects every person/business that collects, uses, discloses or transfers personal data, regardless of the quantity of personal data processed. However, some businesses, e.g. SMEs or charitable foundations, may be exempted from certain requirements under the PDPA, subject to certain criteria.

    Following enactment of the PDPA, businesses are required to change the way they collect, use, disclose or transfer personal data, which includes personal data of their clients, customers, business partners and employees. Personal data can no longer be kept forever, and its processing must be based on a legal basis provided under the PDPA.


    Businesses in Thailand have been actively amending their handling of personal data to comply with the PDPA since it took effect, as it imposes severe penalties on persons who fail to comply. The following civil, administrative and criminal penalties shall be imposed:

    • Civil liability: compensation for damages up to two times the quantum of the actual damages;
    • Administrative liability: an administrative fine up to THB5 million (USD137,700); and/or
    • Criminal liability: imprisonment for a term not exceeding six months to one year and/or a fine not exceeding THB500,000 to THB1 million, as the case may be.

    It is crucial to note that not only the business entities but also the directors, managers or authorised persons who gave the instructions to the business may be punished with the same criminal penalties.

    Therefore, all business entities that process the personal data of persons in Thailand must create a new culture in processing personal data, and everyone in these organisations, from top-level management to operating personnel, must be aware of and comply with the PDPA.

    In addition, a privacy policy and personal data handling flows and procedures must be prepared or revisited for PDPA compliance. Failure to comply with the PDPA may lead to data leaks resulting in organisations being penalised with sanctions under the PDPA.

    KEY POINTS OF PDPA

    What is personal data? The PDPA specifies to what extent and to whom it is applicable. Personal data is defined as “any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased persons”. Any data under this definition shall be protected under the PDPA.

    The PDPA also defines the data that requires special care in handling. It is practically known as “sensitive data”, which means personal data pertaining to race, ethnic origin, political opinions, culture, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or any data that may affect the data subject in the same manner.


    The PDPA applies to protect only individuals whose personal data has been processed by a data controller and/or data processor by means regulated under the act. The data of the juristic person is, therefore, not protected by the PDPA.

    Relevant parties. Under the PDPA, five major parties are subject or relevant to the act: the data subject; the data controller; the data processor; the data protection officer; and the Personal Data Protection Committee.

    The data controller is a person or a juristic person having the power and duties to make decisions regarding the collection, use or disclosure of personal data. The data processor is a person or a juristic person who operates in relation to the collection, use or disclosure of personal data pursuant to the orders given by or on behalf of a data controller, where such person or juristic person is not the data controller.

    Thus, the data controller/data processor could be either an individual or an entity, but a data controller collects, uses, discloses or transfers the personal data of a data subject at its own discretion, while a data processor processes personal data on behalf of, or by order of, a data controller.

    The PDPA mainly imposes duties and obligations on the data controller. The main duties of the data controller can be placed in two categories:

      • Duties towards the data subject. The main duties include providing the data subject with the minimum information required under the PDPA on the processing of personal data, and ensuring that the rights of the data subject are recognised under the act.
      • Duties within businesses. The main duties include implementing security measures, including a data disposal procedure; notifying data breaches; preparing data processing agreements; keeping records of processing activities; and ensuring that the country to which personal data is transferred has sufficient data protection standards.

    The PDPA imposes fewer duties on the data processor, but in some circumstances the data processor may also be liable under the act as if it were the data controller, if it processes personal data beyond the order or instruction of the data controller.

    In addition to the data controller and data processor, other persons may be required to be appointed by a data controller or data processor. These are:

      • A data protection officer (DPO), who must have knowledge or expertise in personal data protection, because a DPO is required to advise on and investigate the performance of a data controller/data processor and to co-ordinate and co-operate with the Office of the Committee; and/or
      • A representative in Thailand in case personal data is processed overseas.

    In the processing of personal data, the committee shall be a regulator to assure compliance with the PDPA.

    Scope of application. The PDPA adopts both a territorial and an extraterritorial basis. Both data controller and data processor, in Thailand and overseas, shall be subject to the PDPA if they process personal data of subjects in Thailand, with certain exceptions.

    Legal basis. While seeking consent is a key principle to the processing of personal data, the PDPA provides exceptions for processing personal data on the following bases:

      • Historical purposes, research or statistics;
      • Vital interest;
      • Legal obligation;
      • Contractual basis;
      • Public interest; or
      • Legitimate interest.

    For the processing of sensitive data, certain additional legal bases must be met.

    Rights of data subjects. Under the PDPA, subject to exceptions, data subjects shall enjoy the following rights:

      • Right to be informed;
      • Right to access/obtain records;
      • Right to data portability;
      • Right to object;
      • Right to erasure;
      • Right to restrict processing;
      • Right to rectify;
      • Right to withdraw consent; and
      • Right to complain.

    Based on the above, it is important for data subjects to be informed of the purpose of and legal basis for processing their personal data, including the types of personal data to be processed and the period for which the personal data will be retained.

    If personal data may be disclosed, data subjects must be informed of the categories of persons or entities to which the collected personal data may be disclosed. Finally, data subjects must also be informed of the identity and contact details of the data controller, its representative (if applicable) or its data protection officer, as well as of their rights as data subjects.

    PREPARATION AND IMPLEMENTATION

    If not yet in compliance, a business should commence a gap analysis to identify where its practices do not comply with the PDPA. A legal basis for processing personal data must be determined for each processing activity. A privacy policy must be prepared or revisited, together with other relevant policies and underlying documentation. All relevant persons in the organisation must be trained, and all business partners must acknowledge the change in the business’s personal data protection culture.

    In addition, a business may consider implementing its personal data management process and its IT security measures at the same time. The security measures must meet at least the minimum security standard set out in the notification of the committee.

    The minimum standards align with the concepts of the International Organisation for Standardisation and International Electrotechnical Commission standard 27001 (ISO/IEC 27001), whose main concepts are the confidentiality, integrity and availability of data.

    MULTINATIONAL CORPORATIONS

    Even though the GDPR was used as a guideline in drafting the PDPA, including its enforcement provisions, businesses should keep in mind that GDPR-compliant companies may not be compliant with the PDPA in all aspects. Businesses should therefore also implement personal data protection regimes in their organisations that comply with the PDPA. Personal data transfers among subsidiaries must also follow the requirements and restrictions of the PDPA.

    VERITAS LAW LIMITED
    No 179 Bangkok City Tower, 5th Floor,
    South Sathorn Road, Thungmahamek,
    Sathorn, Bangkok 10120 THAILAND
    Tel: +66 2286 5191
    Email: ruengrit@veritaslaw.co.th
    www.veritaslaw.co.th