On 27 May 2019, the Personal Data Protection Act ("PDPA") was published in the Thai Government Gazette. The PDPA will take effect on 27 May 2020, replacing a patchwork of sector-specific data protection laws. Key provisions of the PDPA are discussed below.

Applicability of the PDPA

The PDPA applies to personal data collected, used or disclosed by a data controller or processor residing in Thailand. The PDPA also applies to a data controller or processor residing outside Thailand but collecting, using or disclosing personal data of a data subject in Thailand, for the purpose of offering goods or services to, or monitoring the behaviour of, that data subject. Personal data is defined in the PDPA as any data of a living person that could identify that person directly or indirectly.

Obligations for data controllers and processors

Data controllers must rely on a legal basis under the PDPA in order to collect, use or disclose personal data. The key legal bases are public interest, legal obligations and legitimate interest. Unless one of these three legal bases applies, the controller will generally need to obtain the explicit consent of the data subject to collect, use or disclose their personal data. Furthermore, the data controller must guarantee the fundamental rights of data subjects, including the rights to erasure and data portability.

Under the PDPA, data controllers and processors might be required to appoint a data protection officer and, if operating offshore, a local representative. This is subject to future sub-regulations, which the Personal Data Protection Committee (the "PDPC") has been appointed to implement.

Penalties for non-compliance

The PDPC has jurisdiction to impose civil and criminal penalties for non-compliance with the PDPA. Civil penalties include administrative fines up to THB 5m and punitive damages up to twice the amount of actual damages. Criminal penalties include imprisonment up to one year and fines up to THB 1m.

Differences between the PDPA and the GDPR

The PDPA was drafted based on EU Regulation 2016/679 ("GDPR") and the provisions of the two are largely the same. That said, there are material differences and compliance with the GDPR will not always ensure compliance with the PDPA. Two examples of such differences are set out below.

The GDPR provides specific security measures for data controllers to adopt, including encryption, confidentiality and testing of systems. The PDPA is far less prescriptive, providing only a general obligation for data controllers and processors to implement security measures.

The GDPR contains detailed rules regarding automated individual decision making, including profiling. The PDPA contains no equivalent provisions.

Key takeaways

By 27 May 2020, employers collecting and processing personal data must ensure they are compliant with the PDPA. The following strategy could be adopted to achieve compliance:

i. Conducting data mapping and self-assessment as data processor and/or controller.

ii. Determining legal bases for data controllers and other obligations.

iii. Implementing data management processes and operation systems, including relevant legal documents such as privacy notices and data processing agreements.