Personal Data Protection Act BE 2562

PDPA (2019) Thailand June 1st 2022

The Personal Data Protection Act B.E. 2562 (2019) was put into place as a measure to follow Western countries (GDPR) and the Cross-Border Data Protection Issues. The PDPA went into full force on June 1st 2022. This page summarizes the PDPA. We also have a full English translation of the PDPA available for download. Just click the link here: Personal Data Protection Act. PCS also offers to help companies become PDPA compliant with a PDPA Package. So let's press on and hopefully give you a better understanding of the PDPA in Thailand.

Understanding The PDPA - Definitions

The essence of the Personal Data Protection Act is to protect personally identifiable data collected from any source. Let's start with some definitions:

  • Data Subject:
    • A living, breathing person from whom you will collect data.
  • Personal Data:
    • Any information relating to a data subject, which enables the identification of such data subject, whether directly or indirectly, but not including the information of a deceased Person(s).
  • Data Controller:
    • The Person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data;
  • Data Processor:
    • The Person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such Person or juristic person is not the Data Controller;

PDPA - Enforcement

The PDPA applies to the collection, use, or disclosure of Personal Data by a Data Controller or a Data Processor that is in Thailand, regardless of whether such collection, use, or disclosure takes place in Thailand or not.

In the event that a Data Controller or a Data Processor is outside of Thailand, this Act shall apply to the collection, use, or disclosure of Personal Data of data subjects who are in Thailand, where the activities of such Data Controller or Data Processor are the following activities:

(1) the offering of goods or services to the data subjects who are in Thailand, irrespective of whether the payment is made by the data subject.
(2) the monitoring of the data subject’s behavior, where the behavior takes place in Thailand.

Personal Data Protection

The Data Controller shall not collect, use, or disclose Personal Data unless the data subject has given consent prior to or at the time of such collection, use, or disclosure, except where it is permitted to do so by the Law. In requesting consent from the Data Subject, the Data Controller shall also inform the Data Subject of the purpose for which collection, use, or disclosure of the Personal Data is required.

A request for consent shall be explicitly made in a written statement, or via electronic means, unless it cannot be done by its nature.

The data subject may withdraw his or her consent at any time. The withdrawal of consent shall be as easy as giving consent, unless there is a restriction of the withdrawal of consent by law, or by the contract which gives benefits to the data subject.

However, the withdrawal of consent shall not affect the collection, use, or disclosure of personal data to which the data subject has already legally given consent under this law.

The Data Controller shall collect, use, or disclose Personal Data according to the purpose notified to the data subject prior to or at the time of such collection. Such use of data shall not be conducted in a manner that is different from the purpose previously notified to the data subject unless:

1. The data subject has been informed of such new purpose, and the consent is obtained prior to the time of collection, use, or disclosure.
2. It can be done by the law.

Rights Of The Data Subject

The data subject is entitled to request access to and obtain a copy of the Personal Data related to him or her, which is under the responsibility of the Data Controller, or to request the disclosure of the acquisition of the Personal Data obtained without his or her consent.

The Data Controller shall fulfill the request without delay, but shall not exceed 30 days from the date of receiving such request.

The request can be rejected by the Data Controller only where it is permitted by law or pursuant to a court order, and such access and obtaining a copy of the Personal Data would adversely affect the rights and freedoms of others.

The data subject shall have the right to request from the Data Controller, to erase or destroy the Personal Data, or anonymize the Personal Data to become anonymous data which cannot identify the data subject, where the following ground applies:

1. The Personal Data is no longer necessary in relation to the purposes for which it was collected, used or disclosed.
2. The data subject withdraws consent on which the collection, use, or disclosure is based, and where the Data Controller has no legal ground for such collection, use, or disclosure.
3. When the data subject completely objects to the Personal Data which is collected without consent under the exemption to consent requirements under Section 26 (4) (5), and the Data Controller fails to prove the exception of such exemption (mentioned above).
4. The Personal Data have been unlawfully collected, used, or disclosed under this law.

Data Protection Officer

The Data Controller and the Data Processor shall designate a Data Protection Officer in the following circumstances:

  1. The Data Controller or the Data Processor is a public authority, as announced by the Committee.
  2. The activities of the Data Controller or the Data Processor in the collection, use, or disclosure of the Personal Data require regular monitoring of the Personal Data or the system, by reason of having a large amount of Personal Data, as announced by the Committee.
  3. The core activity of the Data Controller or the Data Processor is the collection, use, or disclosure of the Personal Data.

The Data Protection Officer shall have the following duties:

  1. Give advice to the Data Controller or the Data Processor, including its employees, with respect to compliance with this law.
  2. Investigate the performance of the Data Controller or the Data Processor.
  3. Coordinate and cooperate with the Office in the circumstance where there are problems with respect to the collection, use, or disclosure of the Personal Data.
  4. Keep confidentiality of the Personal Data known or acquired in the course of his or her performance of duty under this Law.

Violation Or Failure To Comply With PDPA

In the event that the operation of the Data Controller or the Data Processor in relation to Personal Data violates or fails to comply with this law, and this failure causes damages to the data subject, the data subject may demand compensation for such damages, regardless of whether such operation is performed intentionally or negligently.

Civil Liability
The compensation includes all necessary expenses incurred by the data subject for the prevention of damages likely to occur, or spent to suppress damages that have occurred. The court shall have the power to order the Data Controller or the Data Processor to pay punitive damages in addition to the actual compensation rendered by the court as it deems fit, but the amount shall not exceed two times the actual compensation amount.
Prescription: The claim for compensation from the wrongful act against the Personal Data Protection Act shall be barred by prescription after the lapse of 3 years from the date that the injured person knows of the damages and the identity of the Data Controller or the Data Processor who is to be liable, or after 10 years from the date on which the wrongful act against the Personal Data took place.

Criminal Liability
Also, any Data Controller who violates the provisions which relate to the Personal Data in a manner that is likely to cause another person to suffer any damage, impair his or her reputation, or expose such other person to be scorned, hated, or humiliated, shall be punished with imprisonment for a term not exceeding 6 months, a fine not exceeding THB 500,000, or both.

Any Data Controller who violates the provisions which relate to the Personal Data in order to unlawfully benefit himself or herself, or another person, shall be punished with imprisonment for a term not exceeding 1 year, a fine not exceeding THB 1,000,000, or both.

The offenses under this section are compoundable offenses.

Any person who comes to know the Personal Data of another person as a result of performing duties under this Law and discloses it to any other person shall be punished with imprisonment for a term not exceeding 6 months, a fine not exceeding THB 500,000, or both.

PDPA & The Employer & Employee

So how does the Personal Data Protection Act affect the Employer and Employee relationship? It all starts with a request to ask for permission to store the prospective Employee's personal data when the Employee applies for a job. And then after the Employee is hired the Employer must get the Employee to sign a PDPA consent form acknowledging the Personal Data Privacy Policy of the Company. This should include information on how the employee's personal data will be handled, stored, and who will have access to it. It should also define the data controller and the data processor.

Summary - Personal Data Protection Act (PDPA)

As you can see, a Company will now need to clearly ask permission to collect data from a Data Subject (person), advise the data subject as to why they are collecting this data, and finally describe what data is being collected. Also, the Company must make provisions to supply a copy of collected data to the data subject, and to delete or destroy the data collected, if the data subject requests it. This not only means more paperwork but tighter controls as well.

We also strongly suggest to Companies that they take measures to get compliant with PDPA. Professional Corporate Services (PCS) has extensive knowledge of the Personal Data Protection Act and can help employers with setting up the policy and the paperwork required for consent. PCS can also act as the Data Protection Officer of the company. We have assembled an all-inclusive Personal Data Protection package for companies, so don't hesitate to contact us. At PCS your 1st consultation is always totally FREE of charge. Please use the contact form below. We are looking forward to working with you!

Contact PCS

Our Address

219/2 Asoke Towers Building, 2nd Floor, Sukhumvit 21 Road

Email Us

info@pcsthai-1.com

Call Us

+66 2 120 9480


We would like your permission to collect, review and process the information you are supplying us with for the purpose of personalizing an answer to your question or for providing you with more information on the subject you stated. By checking on the box below you confirm that you allow us to collect, process and use the information you supplied and that you have read our Personal Data Protection Policy. Additionally, by clicking on the Send Message button you agree to receiving a response from us.