After three years of delays due to COVID-19 pandemic, Thailand’s first law on personal data protection (PDPA) officially entered into force on June 1, 2022.
The PDPA (Personal Data Protection Act) aims to regulate how personal datas are collected, used, disclosed, transfers, and provides a safeguard against abuses of the right to privacy of a date subject.
What is PDPA ?
Personal data is defined as any data that can identify an individual either directly or indirectly, such as email address, phone number, names etc.
The Personal Data Protection Act (PDPA) has been created to guarantee protection for individuals and their personal data and to impose obligations for businesses and state agencies regarding the collection, processing, use, and disclosure of personal information.
The PDPA protects sensitive personal datas including:
- Racial, ethnic origin and religion
- Political opinions
- Gender and sexual orientation
- Health data, biometric data, genetic data
Source : Bangkok Post
Which rights does the PDPA guarantee to the data owners?
The new data protection law guarantee the following rights: right to be informed (of the purpose of collection, data retention period, etc), right to access their personal data, right to rectification of inaccurate or misleading information, right to objection/withdrawal from inappropriate uses, right to restrict processing, right to erasure, and right to data portability.
Who needs to comply with the PDPA law?
Thailand’s PDPA applies to any legal entity collecting, using, or disclosing a person’s personal data.
However, there are a few exceptions to this rule for operations of public authorities, trial and adjudication of courts, the House of Representatives, the Senate, the Parliament, as well as activities for the public interest, with professional ethics.
What are the financial and administrative fines for breaching the PDPA?
Failure to comply with the PDPA could result in three types of liabilities: civil, criminal, and/or administrative. The penalties are subject to fines, ranging from a few thousand baht to 5 million, and/or imprisonment for up to one year.
Personal data breaches can include:
- access by an unauthorized third party
- deliberate or accidental action (or inaction) by a controller or processor
- sending personal data to an incorrect recipient
- computing devices containing personal data being lost or stolen
- alteration of personal data without permission
- loss of availability of personal data
How to get your business in accordance with the PDPA?
There are several steps to Thailand PDPA compliance:
- First, add or update the Privacy Notice / Policy for your website to disclose how you deal with personal data.
- Make sure to get consent from users before collecting their personal data.
- Implement Cookie consent (free plugin) for alerting users about the use of cookies on your website.
- Data collected must be limited to what is required for the purpose for which it is being collected.
- In case of international data transfer, the recipient country/organization must have a governing privacy law or standards equivalent to the PDPA.
- Make sure users must be able to exercise their rights easily.
- Keep the personal data protected against the breach or any kind of misuse, and be prepared with possible preventive measures.
- Appoint a DPO if your organization collects large volumes of personal data or works with sensitive personal data.
At the very least, you must send a consent form to each of your employees for the HR process. If you don’t have a consent form, we can provide a sample for you.
If you need more information about the PDPA and how to ensure full compliance, you can book a consultation with one of our experts.