Keeping watch on Data Privacy: Thailand

    By Kowit Somwaiya, Usa Ua-areetham and Warit Lertwuthisart, LawPlus

    Thailand’s major data privacy law is the Personal Data Protection Act (PDPA), which was passed into law in 2019 and became fully effective in June 2022.

    It sets out the key principles on personal data processing and the appointment of the Personal Data Protection Committee (PDPC) as the regulatory authority in charge. The PDPC is empowered to: implement and enforce the PDPA; issue its implementation rules and regulations; establish policies and directions for personal data protection; conduct investigations in response to complaints; and issue enforcement orders against data controllers and data processors violating the PDPA.

    As of November 2023, the PDPC had issued 21 implementation rules, regulations and guidelines under the PDPA.

    KEY PRINCIPLES

    1. Categories of personal data. Under the PDPA, personal data means any information relating to an individual person, which enables the identification of such a person, whether directly or indirectly, but not including the information of a deceased person. The PDPA governs the processing of two categories of personal data: (i) general personal data, and (ii) sensitive personal data (SPD). SPD is personal data “pertaining to racial, ethnic origin, political opinion, cult, religious or philosophical belief, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or any other data which may affect the data subject in the same manner”.

    2. Processing of personal data. The “processing” of personal data under the PDPA refers to the collection, use and disclosure of personal data. The personal data can be collected only if it is necessary, and can be kept only as long as it is needed for such purposes.

      Kowit Somwaiya
      Senior partner
      LawPlus
      Bangkok
      Email: kowit.somwaiya@lawplusltd.com

      The data controller must notify data subjects of the purposes of collecting their general personal data before or on collecting it by providing the privacy notice of the data controller to data subjects, containing at least: the purposes of personal data processing; details of the data controller and its data protection officer (DPO); third parties to whom the personal data may be disclosed; the rights of data subjects, and how and when they can exercise such rights.

      Collection, use or disclosure of SPD without the explicit consent from the data subject is prohibited except for a few exceptions, such as preventing or suppressing danger to the life, body or health of the person where the data subject is incapable of giving consent, for whatever reason.

      Processing personal data is lawful only when carried out in compliance with legal requirements under the PDPA. If personal data processing is based on the consent of data subjects, they can withdraw their consent any time by informing the data controller or data processor of their consent withdrawal. When processing personal data, the data controller and data processor must maintain the integrity and confidentiality of the personal data.

      Data controllers or data processors must keep full records of their personal data processing activities, so they are prepared for inspection by or submission to the PDPC.

    3. Cross-border data transfers. Personal data cannot be transferred to a jurisdiction or international organisation that lacks adequate data protection, except only: (i) where the data subject gives explicit consent after being informed of the lack of adequate data protection; and (ii) where the cross-border transfer of personal data is necessary under a contract between the transferor and the recipient in the destination country or the receiving international organisation.

      The PDPC encourages companies in the same group to implement internal binding corporate rules to govern their intra-group data transfers to ensure that group companies adopt the same high standards of data protection.

    4. DPO. Effective from 13 December 2023, the data controller and data processor are required to appoint a DPO if their core activities involve: (i) processing personal data on a large scale that requires regular monitoring of personal data or systems, such as tracking, monitoring, analysing or predicting behaviours or attitudes, systematic processing of personal data, membership programmes, credit scoring, fraud prevention, data processing by network service providers or telecoms operators, and behavioural advertising; or (ii) processing of SPD, regardless of the scale of personal data.

      Failure to appoint a DPO can result in an administrative fine not exceeding THB1 million (USD28,300).

    PROTECTING MINORS

    Usa Ua-areetham
    Partner
    LawPlus
    Bangkok
    Email: usa.ua-areetham@lawplusltd.com

    For the collection of personal data from a minor below the age of 10, consent must be obtained from the holder of parental responsibility.

    If the minor is over 10 but not sui juris by marriage, or lacks sui juris capacity, consent must be obtained from both the minor and holder of parental responsibility.

    COMPLIANCE

    Key compliance programmes for businesses to have in place under the PDPA include:

    1. Establishing and maintaining a data privacy policy that fully complies with data processing requirements under the PDPA;
    2. Signing a data processing agreement or data transfer agreement between a data controller and data processor;
    3. Creating a data protection impact assessment to identify data privacy risks and measures to mitigate such risks;
    4. Obtaining explicit consent from data subjects before or on collecting, using or disclosing their personal data, except only where exceptions apply, and keeping records of such consent;
    5. Establishing mechanisms to protect and facilitate the exercise of rights by data subjects such as: the right to access personal data; right to withdraw consent at any time; right to rectify, delete, restrict or object to the processing of personal data; right to data portability; and the right to lodge a complaint with the PDPC Office; and
    6. Appointing a DPO if so required by the core activities to ensure compliance with the PDPA and act as a contact person for data subjects and the PDPC.

    DATA BREACH

    Warit Lertwuthisart
    Associate
    LawPlus
    Bangkok
    Email: warit.lertwuthisart@lawplusltd.com

    A data breach notice must be submitted to the PDPC within 72 hours of becoming aware of the breach if it is likely to result in a risk to the rights and freedoms of data subjects. The notice must include the nature of the breach, details of the contact person or DPO of the data controller, possible consequences, and measures taken or to be taken to mitigate the potential adverse effects. If the data breach is likely to result in high risk to the rights and freedoms of data subjects, the data breach notice, together with remedial measures, must be given to both the PDPC and data subjects without delay.

    If the data breach involves several data subjects, the data controller may notify each of the subjects specifically or generally to the public via public media, social media or electronic means, or any other means accessible to the data subjects or general public.

    PENALTIES

    Data controllers and data processors who fail to comply with the compliance requirements or violate restrictions or prohibitions under the PDPA can be subject to administrative fines, criminal liabilities and civil liabilities.

    The maximum administrative fine is THB5 million. Criminal liabilities include maximum imprisonment of one year and/or a maximum fine of THB1 million per violation.

    Civil liabilities are compensation for actual damages and punitive damages payable to the injured data subject as the court may order.

    Penalties imposed by the PDPC or court can vary depending on the nature, severity and duration of the violation, the number of the affected data subjects, and mitigation measures implemented on and after the occurrence of the violation.

    The information provided in this article is not legal advice. It is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided.

    LAWPLUS LTD.
    Unit 1401, 14th Fl., Abdulrahim Place
    990 Rama IV Road, Bangkok 10500, Thailand
    Tel: +662 636 0662 (international)
    Tel: 02 636 0662 (local)
    www.lawplusltd.com
