Understanding Thailand's Personal Data Protection Act (PDPA)

Mar 13, 2023 Blog Article

The Personal Data Protection Act (PDPA), Thailand’s first-ever data privacy legislation, took effect on June 1, 2022. This is a little more than three years after its introduction in the Royal Thai Government Gazette.

George Janssen, Blancco Group Legal Counsel

George Janssen George Janssen heads up the Blancco Technology Group legal department, a position he’s held since 2018. In this role, George is responsible for the day-to-day legal operations of the Blancco group worldwide, including data privacy and compliance. With significant legal experience in international organizations focused on technology and software, George specializes in data privacy and data governance, data classification, intellectual property management and technology partnership.

The law regulates how businesses in Thailand should handle the personal data of the country’s citizens and their right to privacy.

A Personal Data Protection Committee (PDPC) was created to enforce the law and ensure compliance, along with publishing guidelines, standards, and exceptions for data controllers.

PDPA provides broad protections, covering all personal data, including online, offline, paper-based documents, and more. All businesses that operate in Thailand or offer services to people in Thailand must adhere to these laws. This includes data outsourced to a third party.

Let’s look more at PDPA to understand its similarities and differences with other local, national, and international data management standards.

Unique Principles

Like many of the newer data protection laws, PDPA leverages several of the same principles as the European Union’s General Data Protection Regulation (GDPR). Both laws try to limit the nature of personal data and how long an organization can hold it.

Because of PDPA’s similarity to GDPR, a company doing business in the EU will be familiar with most of the PDPA’s provisions. It will be able to adjust its compliance program to PDPA’s specific requirements. For example, under both laws, organizations have 72 hours to notify customers of a data breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Understanding Each Law

There are a few critical differences that businesses operating or planning to operate in Thailand must understand.

Enforcement and Penalties

Failure to meet PDPA laws can result in criminal, civil, and administrative penalties. The most egregious violations involving sensitive personal data and unauthorized disclosure are punishable by up to a year in prison.

The amount of the penalty varies according to the nature of the violation of the law. Non-compliance is punished with administrative fines up to ฿5,000,000 (approx. €139,000 at recent exchange rates) plus punitive compensation. The PDPA provides the Thailand courts with discretionary powers to increase the amount of compensation.

Experience the Blancco Difference.

Get your free Enterprise trial today.