In light of the ever-growing importance of data privacy, the Personal Data Protection Act B.E. 2562 (A.D. 2019) (the “PDPA”) was published in the Royal Gazette on 27 May 2019 as the main legislation governing personal data protection in Thailand.
Similar to the General Data Protection Regulation (GDPR), the PDPA imposes a number of significant obligations on persons involved in the process of collecting, using or disclosing Personal Data (see definition below), and grants certain rights to the data subject. Accordingly, the processing of Personal Data which falls within the ambit of the PDPA must comply with the procedures and requirements prescribed thereunder.
The administrative parts (primarily those concerning the setting up of the Personal Data Protection Commission (the “Commission”) and the Office of the Personal Data Protection Commission (the “Office”)) became effective the day after publication in the Royal Gazette. Nonetheless, its primary elements regarding personal data protection were initially planned to take full effect on 27 May 2020 (i.e. the anniversary of its publication in the Royal Gazette), but have ultimately been delayed until 1 June 2021.
During this transitional period, a broad range of business sectors are exempted from the duties and responsibilities imposed by the PDPA. However, a Data Controller (see definition below) remains obliged to provide security measures for personal data in accordance with the Notification of the Ministry of Digital Economy and Society regarding the Standards of Maintaining the Security of Personal Data B.E. 2563 (A.D. 2020) (the “Notification”), as follows:
- to inform its personnel, staff, employees, workers or relevant persons of the security measures, and to create awareness of personal data protection so that such persons strictly comply with them; and
- the security measures shall comprise administrative, technical and physical safeguards regarding access control of personal data, which shall at least cover control over access to personal data and data processing equipment, authorisation or rights to access personal data, user access management, user responsibilities and examination of previous access, change, deletion or transfer of personal data.
Alternatively, the Data Controller may adopt other measures whose standards are not lower than those prescribed in the Notification.
The following key terms have the meanings given to them under the PDPA:
- Personal Data means any information relating to a person which can directly or indirectly identify such person, excluding information relating to a deceased person.
- Data Controller means a person or juristic person having the power and duties to make decisions regarding the collection, use or disclosure of Personal Data.
- Data Processor means a person or juristic person who operates in relation to the collection, use or disclosure of Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such person or juristic person is not a Data Controller.
The PDPA applies to the processing of Personal Data by Data Controllers and Data Processors who:
- have an establishment in Thailand; or
- do not have an establishment in Thailand but pursue any of the following activities:
- offering goods or services to data subjects in Thailand; or
- monitoring behaviour of data subjects who are in Thailand (but not necessarily a Thai national).
Accordingly, the extraterritorial application of the PDPA extends its reach to Data Controllers and Data Processors operating outside of Thailand. In addition, Data Controllers and Data Processors outside of Thailand who are subject to the PDPA are obliged to appoint a representative in Thailand to act on their behalf without any limitation of liability with respect to the processing of Personal Data.
Personal Data Protection
In principle, the Data Controller can process Personal Data only if it has at least one of the valid legal bases, namely (i) consent; (ii) archiving, research or statistical purposes; (iii) vital interest; (iv) contract; (v) public tasks; (vi) legitimate interests; or (vii) legal obligation.
Where consent is used as the legal basis, the request for consent must be explicitly made in writing or via electronic means, unless this cannot be done given its nature. The request must be accompanied by the purpose of processing, be clearly distinguishable from other content, be easily accessible and intelligible, use clear and plain language, and must not be deceptive or misleading to the data subject.
Additionally, prior to or upon collection of Personal Data, the Data Controller is obliged to inform the data subject of the prescribed privacy information which includes:
- purposes of processing, and the legal basis relied on;
- necessity by laws or contracts to provide the Personal Data, including possible effect if such Personal Data is not provided;
- the Personal Data to be collected;
- retention period;
- types of recipient to whom the Personal Data may be disclosed;
- contact details of the Data Controller, representative or Data Protection Officer (as applicable); and
- rights of the data subject.
Additionally, the PDPA demands a higher level of protection for sensitive Personal Data, which includes race, ethnicity, political opinions, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disabilities, trade union information, genetic data, biometric data, etc. Such sensitive Personal Data can be processed only with the explicit consent of the data subject, unless other exemptions apply. Likewise, processing of Personal Data of children below the age of 10 (and of those over the age of 10 in certain circumstances), incompetent or quasi-incompetent persons requires consent from their parent, guardian or curator (as the case may be).
Export of Personal Data
Cross-border transfer of Personal Data to a recipient outside of Thailand can be made provided that the recipient country has an adequate level of data protection, unless other exemptions apply (e.g. the transfer is made for compliance with law or with the consent of the data subject, etc.).
In this connection, the PDPA provides an exemption from the above cross-border transfer requirements where Personal Data is transferred to affiliated businesses or undertakings within the same business group, provided that a data protection policy or binding corporate rules (BCR) demonstrating adequate safeguards for personal data protection throughout the organisation is submitted for review and certification by the Office.
Data Protection Officer
Subject to sub-regulations to be further announced, the PDPA requires Data Controllers and Data Processors to appoint a Data Protection Officer (the “DPO”) where:
- they are a public authority;
- the core activities require large scale, regular and systematic monitoring of individuals; or
- the core activities concern sensitive Personal Data.
The DPO may be appointed from among the employees of the Data Controller or Data Processor, or may be a third-party contractor, to supervise and monitor compliance with the PDPA.
Rights of Data Subjects
Data subjects are entitled to various rights under the PDPA in respect of their Personal Data, as follows:
- Right to Withdraw Consent - where consent is used as the legal basis of processing, data subjects can withdraw their consent at any time in a manner which is as easy as giving consent, unless otherwise restricted by law or by a contract which gives benefits to the data subject;
- Right to be Informed - data subjects have the right to be informed of how the Personal Data relating to them will be, is being or was processed;
- Right to Access - data subjects may request access to and receive a copy of their Personal Data, or request disclosure of Personal Data obtained without their consent. Where there is no valid ground to reject such a request, the Data Controller is obliged to fulfil the request without delay and within 30 days from the date of receiving the request;
- Right to Data Portability - data subjects have the right to receive the Personal Data which they provided to the Data Controller in a structured, commonly used and machine-readable format, and to request the transmission of such Personal Data directly to another Data Controller;
- Right to Object - data subjects may object to the processing of their Personal Data, upon which the Data Controller would generally be obliged to stop processing the Personal Data;
- Right to be Forgotten - data subjects have the right to have their Personal Data erased, destroyed or anonymised;
- Right to Restrict Processing - data subjects may in certain circumstances request the restriction of processing of their Personal Data, in which case the Data Controller would generally be permitted to store the Personal Data but not to use it;
- Right to Rectification - data subjects may request to have their Personal Data rectified if it is inaccurate, incomplete or misleading; and
- Right to File a Complaint - data subjects may file a complaint with the relevant authority in case of any violation of the PDPA or notifications issued thereunder by the Data Controller or Data Processor (including its employees or contractors).
It is important to note that not all of these rights are absolute, and their exercise will depend on the circumstances and the lawful basis relied on for the processing of the Personal Data.
Data Breach Notification
In the event of a breach of Personal Data, the Data Controller is required to notify the Office of the breach without delay and, where feasible, within 72 hours after having become aware of the breach, except where such breach is unlikely to result in a risk to the rights and freedoms of a person. Where the breach is highly likely to result in a risk to the rights and freedoms of a person, notification of the breach and remedial measures shall be made to the data subject without delay.
Similarly, the Data Processor is required to notify the Data Controller of any breach of Personal Data.
Failure by Data Controllers or Data Processors (including their representatives and data protection officers, as applicable) to comply with the PDPA may expose them not only to civil liability (including punitive damages) but also to criminal offences and/or administrative penalties introduced thereunder.
This document is solely intended to provide an update on recent developments in Thai legislation and does not purport to provide a legal opinion or legal advice to any person.