Understanding Thailand's Personal Data Protection Act (PDPA)

The Personal Data Protection Act (PDPA), Thailand’s first-ever data privacy legislation, took effect on June 1, 2022. This is a little more than three years after its introduction in the Royal Thai Government Gazette.

George Janssen George Janssen heads up the Blancco Technology Group legal department, a position he’s held since 2018. In this role, George is responsible for the day-to-day legal operations of the Blancco group worldwide, including data privacy and compliance. With significant legal experience in international organizations focused on technology and software, George specializes in data privacy and data governance, data classification, intellectual property management and technology partnership.

The law regulates how businesses in Thailand should handle the personal data of the country’s citizens and their right to privacy.

A Personal Data Protection Committee (PDPC) was created to enforce the law and ensure compliance, along with publishing guidelines, standards, and exceptions for data controllers.

PDPA provides broad protections, covering all personal data, including online, offline, paper-based documents, and more. All businesses that operate in Thailand or offer services to people in Thailand must adhere to these laws. This includes data outsourced to a third party.

Let’s look more at PDPA to understand its similarities and differences with other local, national, and international data management standards.

Unique Principles

Like many of the newer data protection laws, PDPA leverages several of the same principles as the European Union’s General Data Protection Regulation (GDPR). Both laws try to limit the nature of personal data and how long an organization can hold it.

Because of PDPA’s similarity to GDPR, a company doing business in the EU will be familiar with most of the PDPA’s provisions. It will be able to adjust its compliance program to PDPA’s specific requirements. For example, under both laws, organizations have 72 hours to notify customers of a data breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Understanding Each Law

There are a few critical differences that businesses operating or planning to operate in Thailand must understand.

• The PDPA states that data controllers shall not collect, use, or disclose personal data unless the data subject has provided consent. Under PDPA, consent applies first and then to other legal bases.
• In both the GDPR and PDPA, the Data Controller is responsible for ensuring that the data is accurate. However, PDPA obligates the Data Controller to ensure that the personal data remains accurate, up-to-date, complete, and not misleading. The Data Subject can request the Data Controller to comply with this requirement.
• GDPR restricts data profiling and contains a strong definition of Right to Profiling, which does not appear in PDPA.
• Data Controllers that qualify as small and medium-sized enterprises (“SMEs”) as defined under the Small and Medium-sized Enterprise Promotions Act (“SMEs Act”) remain exempt from keeping a record of processing activities.
• Under PDPA, Data Controllers do not need to conduct a data protection impact assessment (DPIA). However, as part of their security obligations, they must review their security measures when necessary or when the technology has changed to maintain suitable security and safety requirements successfully.
• The Thailand Supervisory Authority accepts specific industry control frameworks, such as ISO 27001, as sufficient evidence to comply with minimum security standards published by Thailand’s Ministry of Digital Economy and Society.

Enforcement and Penalties

Failure to meet PDPA laws can result in criminal, civil, and administrative penalties. The most egregious violations involving sensitive personal data and unauthorized disclosure are punishable by up to a year in prison.

The amount of the penalty varies according to the nature of the violation of the law. Non-compliance is punished with administrative fines up to ฿5,000,000 (approx. €139,000 at recent exchange rates) plus punitive compensation. The PDPA provides the Thailand courts with discretionary powers to increase the amount of compensation.

You may be interested in:

Blancco Data Erasure Software Certified for Government Use in Australia, New Zealand

Blancco Partners with Deloitte to Reduce Enterprise Cyber Risk in India

Governments and public sector organizations spend millions globally each year destroying data storage devices despite sustainable alternatives

A spotlight on GDPR: Is your data centre compliant?