The European Union (EU) has recently adopted the General Data Protection Regulation (GDPR), a new piece of legislation intended to protect the privacy of data subjects in the EU, which will be effective from 25 May 2018.

Why is the GDPR important to Thai companies?

In short, Thai companies could be obliged to comply with the GDPR, even if such Thai companies have no established entity in the EU. The territorial reach of the GDPR is determined based on the nature of the business, irrespective of whether Thai companies would receive any fees from individuals in the EU.

Article 3 of the GDPR has adopted an “extraterritoriality” principle. Data controllers or processors outside of the EU will thus be subject to the GDPR, where their processing activities are related to:

  1. the offering of goods or services to data subjects within the EU (even for free); or
  2. the monitoring of data subjects' behavior, so long as that behavior takes place within the EU.

If goods or services of Thai companies are available in the EU or Thai companies track the behavior or location of individuals in the EU, such Thai companies could be required to comply with the GDPR. This includes scenarios where Thai companies' websites contain the option to select the language or currency of EU member states. In simple terms, any Thai companies that have individuals in the EU as customers should be aware of and become familiar with the GDPR, especially those that offer cross-border services (e.g., e-commerce, online services, airlines, and mobile operators).

Failure to comply with the GDPR can lead to fines of up to EUR 20 million or 4% of global revenue of the preceding financial year, whichever is higher.

For Thai companies subject to the GDPR, what are the obligations thereunder?

Please see below the key obligations under the GDPR.

1. Data subjects' rights

The GDPR introduces new rights for individuals, such as the right to data portability, the right to erasure (right to be forgotten), and the right to restrict or object to certain processing activities.

2. Consent

Consent will require clear affirmation by the data subject. Therefore, silence, pre-ticked boxes, and inactivity will no longer be deemed to constitute sufficient consent under the GDPR.

3. Data controller and processor obligations

The GDPR imposes compliance obligations on both controllers and processors of data, including obligations to implement security measures, maintain records of processing activities, and report data breaches without undue delay.


The GDPR will become effective in May 2018 and the fines imposed for non-compliance are severe.

It is imperative that Thai companies involved in the processing of personal data of data subjects in the EU understand the new obligations imposed by the GDPR, review their business models and activities, and begin preparing for compliance with the GDPR.