Thailand’s Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”) has been published in the Government Gazette on 27 May 2019.
With very few exceptions, companies and organizations collecting, using, disclosing, and/or transferring personal data will have preparation time for a period of one year to become fully compliant with key provisions on personal data protection before the penalties kick in. The sub-regulations should be completely issued within the next two years.
Seven Key Things to Know
A summary is set out below of the seven key things you should know about the PDPA:
- Personal Data. The PDPA governs any data of an alive person that could identify that person directly or indirectly. For example, any personal data of an individual handled by the company, including customer data, employee data, data of directors, shareholders, contractors, suppliers, seminar and market survey participants, and data involving customer complaints and inquiries would be subject to the PDPA
- Players. The Personal Data Protection Committee will be established to set out further sub- regulations and protect the rights of the data subjects. Any entities collecting, using, disclosing and/or transferring personal data will be required to comply with the PDPA as a data controller and/or a data processor (which have different roles and obligations).
- Applicability. The PDPA has extraterritorial applicability. Thus, data controllers and data processors both in and outside of Thailand could be subject to the PDPA.
- Legal basis. In order to collect, use, disclose and/or transfer personal data, the data controller has to rely on a legal basis, which could be consent or other exemptions (e.g., vital interest, public interest, legal obligations, and legitimate interest).
- Personnel. The data controller and the data processor could be required to appoint a data protection officer and a representative in Thailand, which is subject to future sub-regulations.
- Rights of data subjects. The data controller has to guarantee certain rights to the data subjects.
- Penalties. The PDPA imposes penalties for non-compliance. Violations are punishable with administrative fines (up to THB 5,000,000), criminal penalties (imprisonment up to 1 year and/or fines up to THB 1,000,000), and punitive damages up to twice the amount of the actual damages. Furthermore, civil damages under the PDPA can be multiplied as Thailand now allows data subjects to bring a class action lawsuit. The director of a company could also be subject to penalties under the PDPA.