Introduction
Personal data has become a valuable commodity, leading to the need for increased privacy laws worldwide. Thailand’s Personal Data Protection Act (PDPA) is one such law that aims to protect individuals’ personal data and privacy. In this article, we will discuss the key points of Thailand’s PDPA and why it is essential to be aware of it.
Thailand’s PDPA was enacted on May 28, 2019, to regulate the collection, use, and disclosure of personal data. The act aims to protect individuals’ rights and privacy by ensuring that their data is collected, used, and disclosed fairly and transparently.
Understanding Thailand’s Personal Data Protection Act (PDPA)
Thailand’s Personal Data Protection Act (PDPA) was enacted in 2019 and came into full effect on 1 June 2022. It is a comprehensive privacy law that regulates the processing of personal data in Thailand. This section examines the key terms and concepts related to the PDPA.
Definition of personal data
According to the PDPA, personal data refers to any information that can directly or indirectly identify an individual. This includes but is not limited to a person’s name, address, date of birth, email address, telephone number, identification number, online identifier, and any other information that can be used to identify an individual.
What is considered sensitive personal data?
The PDPA defines sensitive personal data as any personal data that reveals or concerns an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal records, trade union membership, genetic data, biometric data for identification purposes, health data, or data concerning a person’s sexual life.
Overview of data subjects
Under the PDPA, a data subject is an individual to whom personal data relates. The PDPA recognizes the rights of data subjects and requires data controllers to process personal data in accordance with these rights. Data subjects have the right to access, rectify, and erase their data, and to restrict or object to its processing.
Who are data controllers and processors?
The PDPA defines a data controller as a person or entity with the power to make decisions about collecting, using, or disclosing personal data. This includes natural and legal persons, such as companies, organizations, or government agencies.
A data processor is a person or entity that processes personal data on behalf of a data controller. For example, a company that provides data processing services to another company would be considered a data processor.
Data protection officer (DPO)
Under the PDPA, data controllers and processors must appoint a data protection officer (DPO) to oversee their data protection activities. The DPO is responsible for ensuring that the organization complies with the PDPA’s requirements and for handling data subject requests.
The PDPA is a significant piece of legislation that aims to protect the privacy rights of individuals in Thailand. It is essential for organizations that collect and process personal data to understand their obligations under the PDPA, including their obligations as data controllers and processors and the rights of data subjects.
Personal data processing activities
When it comes to managing personal data operations, it is crucial to ensure that all relevant laws and regulations are being followed. By prioritizing the proper handling of personal data, organizations can ensure that they are protecting both their customers’ privacy and their own reputation.
Types of personal data processing activities
Personal data processing activities refer to any operation performed on personal data, such as collection, use, disclosure, storage, and destruction. There are various types of personal data processing activities that data controllers and processors perform, including:
Collection of personal data: This includes any form of data collection, such as data obtained through website cookies, social media platforms, or registration forms.
Use of personal data: This includes any form of data use, such as data analytics, profiling, and direct marketing.
Disclosure of personal data: This includes sharing personal data with third parties, whether for commercial purposes or regulatory compliance.
Storage of personal data: This refers to the retention of personal data, whether in physical or digital form.
Destruction of personal data: This refers to the secure and permanent erasure of personal data in compliance with data retention standards.
Disclosure of personal data
Data controllers and processors are responsible for ensuring that personal data is not disclosed to unauthorized parties. This means that any sharing of personal data with third parties must be done in compliance with data protection laws and regulations.
Data controllers and processors must ensure that appropriate security measures are in place to protect personal data disclosed to third parties. They must also ensure that any such disclosure is consistent with the data subject’s consent and limited to the purposes for which the data was collected.
Personal data breach
A personal data breach refers to the unauthorized access, use, or disclosure of personal data. Data controllers and processors must have appropriate measures in place to prevent such breaches from occurring. If a breach occurs, they must notify the relevant authorities and data subjects promptly and transparently.
Obligations of data controllers and processors
Data controllers and processors are responsible for collecting and processing personal data lawfully and with consent. They must keep data accurate and protected by appropriate measures. Retention standards must be followed, and a data protection officer must be appointed to ensure compliance with regulations. Processing personal data in accordance with the Personal Data Protection Act safeguards the rights of data subjects.
Consent and withdrawal
Data controllers must ensure that the personal data they process is accurate and up-to-date. Data controllers must also implement appropriate security measures to protect the personal data collected, processed, and stored. Data processors must adhere to the controller’s instructions and implement appropriate security measures.
Obtaining consent
Obtaining consent is an essential part of the Personal Data Protection Act in Thailand. Data controllers must obtain consent from data subjects before collecting and processing their data. This consent should be given in writing or electronically and must be an explicit, informed, and voluntary agreement. Data controllers must inform data subjects of the purpose of the processing activities, the types of personal data being collected, the expected data retention period, and the data controller’s identity and contact details.
Withdrawal of consent
Data subjects have the right to withdraw their consent to the processing of their data at any time. Withdrawing consent should be as easy as giving it. The data controller must inform the data subject of this right before obtaining consent, and must provide a method of withdrawing consent that is clear and easy to use.
Explicit consent
Explicit consent is required for certain types of personal data processing activities, such as the processing of sensitive personal data. Data controllers must obtain explicit consent from data subjects before processing such data. Explicit consent means that the data subject gives a clear, affirmative agreement to the processing of that data.
Substantial public interest
Data controllers may sometimes be exempt from obtaining consent if there is substantial public interest. Such cases include:
The prevention or suppression of a criminal offense.
The protection of the data subject’s or other person’s life.
The protection of physical or mental health.
The protection of the public interest.
In such cases, data controllers must have appropriate measures to ensure data privacy and notify the Personal Data Protection Committee of the processing activities.
Rights of data subjects
Under the Personal Data Protection Act, data subjects have several rights regarding their personal data. These rights are designed to give individuals greater control over their data and to ensure it is processed fairly and lawfully. The key rights of data subjects are as follows:
Data subject’s consent
One of the most fundamental rights of data subjects is the right to give or withhold consent to the processing of their data. Data controllers must obtain the explicit consent of data subjects before processing their personal data and must provide information about the purposes and methods of processing at the time consent is obtained. Data subjects have the right to withdraw their consent at any time.
Access to personal data
Data subjects have the right to access their personal data being processed by data controllers. Data controllers must provide data subjects access to their data without undue delay and free of charge. This includes information about the purposes of the processing, the categories of personal data being processed, and the recipients of the personal data.
Correction and deletion of personal data
Data subjects have the right to have their personal data corrected if it is inaccurate or incomplete. Data controllers must also delete personal data that is no longer necessary for the purposes for which it was collected, or where the data subject has withdrawn consent. Data controllers must take reasonable steps to inform third parties that have received the personal data about the correction or deletion.
Data portability
Data subjects can receive their data in a structured, commonly used, and machine-readable format. This allows data subjects to transfer their data to another data controller without hindrance. Data controllers must provide this service free of charge and ensure personal data is transmitted securely.
Right to object
Data subjects have the right to object to the processing of their data in certain circumstances, such as when the processing is for direct marketing purposes. Data controllers must inform data subjects of this right when collecting their data and must stop processing the personal data if the objection is valid.
Data protection obligations
As an organization, it is imperative to prioritize data protection requirements and establish a comprehensive data protection policy that outlines the steps to be taken to ensure compliance and mitigate risks associated with data breaches.
Adequate data protection standard
Under the Personal Data Protection Act, data controllers and processors must implement appropriate security measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. These measures must be proportionate to the sensitivity of the personal data being processed and to the harm that could result from such an event.
Data retention period
Data controllers and processors must establish and implement a data retention standard that specifies the expected data retention period for personal data collected or processed. Personal data should only be retained for as long as necessary to achieve the purposes for which it was collected or processed.
Personal data protection policy
Data controllers and processors must develop and implement a personal data protection policy that outlines their policies and practices for processing personal data. The policy should include details such as the types of personal data collected, the purposes for which the data is collected, the legal basis for processing the data, the types of recipients to whom the data is disclosed, the expected data retention period, and the security measures used to protect the data.
Data protection impact assessment
Data controllers must conduct a data protection impact assessment before processing personal data in certain situations. A data protection impact assessment is a process for identifying and assessing the risks associated with processing personal data and determining the appropriate measures to mitigate those risks.
Regular monitoring
Data controllers and processors must regularly monitor their data processing activities to ensure compliance with the Personal Data Protection Act and any other relevant data protection laws. Regular monitoring helps identify and address any risks or issues that arise and ensures that personal data remains accurate, up-to-date, and secure.
Penalties and fines
To ensure compliance with Thailand’s Personal Data Protection Act, the law imposes penalties and fines on those who violate its provisions. Both criminal and administrative sanctions can be imposed, depending on the nature and severity of the violation.
Criminal penalties
Under the Personal Data Protection Act, criminal penalties can be imposed for serious violations of the law. For example, any person who discloses personal data without consent, intending to obtain a benefit or cause damage to the data subject, may face imprisonment for up to one year, a fine of up to 500,000 baht, or both.
Likewise, any person who intentionally obtains personal data without consent, intending to obtain a benefit or cause damage to the data subject, may face imprisonment for up to one year, a fine of up to 500,000 baht, or both.
Administrative fines
The Personal Data Protection Committee has the power to impose administrative fines on data controllers and processors who violate the provisions of the Personal Data Protection Act. These fines can be imposed for less severe violations of the law, and the amount of the fine depends on the nature and severity of the violation.
For example, if a data controller fails to obtain the data subject’s consent before processing personal data, the controller may be fined up to 5 million baht or 5% of the controller’s annual income. Similarly, if a data processor fails to comply with the controller’s instructions regarding personal data processing, the processor may be fined up to 2 million baht.
Conclusion
All data controllers and processors in Thailand must adhere to the Personal Data Protection Act (PDPA). The act protects the privacy rights of individuals by regulating the processing of personal data. Every entity handling personal data, including sensitive personal data, must obtain consent, implement security measures, and ensure accuracy. Data subjects hold the right to access, correct, and object to the processing of their data, and non-compliance with the act can result in severe consequences. Data controllers and processors should therefore comply with the act to avoid legal liability.