The Personal Data Protection Act (PDPA) became enforceable on the 1st of June 2022. The Act was adopted as law on the 28th of May 2019, but due to the COVID-19 pandemic and unresolved legislative processes, enforcement was delayed. Controversies surrounding the implementation of such regulation have not dissipated and the next few months will be a crucial period of development for organizations of all sizes.
The PDPA was enacted shortly after the General Data Protection Regulation (GDPR) went into effect in the European Union. These laws aim to protect citizens as data owners, subjects, and producers by requiring businesses to meet certain obligations in the collection, use, and disclosure of personal information. Though the PDPA and GDPR are mostly consistent with each other (both are extraterritorially enforceable, and consent of the data owner is a key feature) there are notable differences. Unlike the GDPR, the PDPA does not apply to certain public authorities, some concepts and definitions differ, and penalties for violation of the PDPA extend beyond monetary and administrative remedies to possible imprisonment.
Why was it enacted?
This Act was enacted because there are and have been many cases in which the right to privacy protection of personal data was violated, resulting in nuisance or damage to data subjects. In addition, technological developments have made the collection, use, and disclosure of personal data easier, more convenient, and faster, including where these are done in a manner constituting such violations, which also damages the economy as a whole. It is therefore appropriate to have a general law governing personal data protection that prescribes rules, mechanisms, or measures regulating personal data protection as a matter of general principle, which is why this Act has been enacted.
The PDPA applies to all organizations in Thailand and abroad which collect, use, and disclose the personal data of individuals in Thailand. No exceptions are made for those small or medium-sized businesses which often lack the resources necessary to meet such exacting demands.
Comparison between the GDPR and PDPA
Special Categories of Personal Data
Considering the PDPA alone, the imposed obligations, authority, and liabilities are laid out below.
Organizations are required to obtain the Data Subject’s consent prior to or at the time of the collection, use, or disclosure of data. When requesting the Data Subject’s consent, they shall be informed in a plain-language statement, and their consent must be given in writing or via electronic means. Consent must be freely given, and Data Subjects must be able to withdraw such consent just as freely.
The Data Controller must inform the Data Subject of the following prior to or at the time of data collection:
✓ Purpose of data collection including those instances in which consent to collection is not required.
✓ Notification when a Data Subject must disclose Personal Data to comply with law, contract, or for the purpose of entering a contract. In addition, notification of the consequences for non-compliance must be included.
✓ The Personal Data to be collected and the length of retention.
✓ The categories of persons or entities to which the data may be disclosed.
✓ Contact information of the Data Controller, representative, or data protection officer.
✓ The Data Subject’s rights under the PDPA.
There are instances in which consent to collection, use, and disclosure is not required. These exceptions are listed below:
✓ For the purpose of preparing historical documents or archives and conducting research or statistics. However, measures should be put in place to protect the data and rights of the Data Subject.
✓ The prevention or suppression of danger to a Person’s life, body, or health.
✓ Necessary for the performance of a contract to which the Data Subject is a party or to meet a requirement for entering a contract.
✓ Necessary for carrying out public interest tasks by the Data Controller or in exercising official authority vested in the Data Controller.
✓ Necessary for a Data Controller, person, or juristic person to achieve legitimate interests except when overridden by the Data Subject’s fundamental rights.
✓ As necessary to comply with law to which the Data Controller is subject.
There are restrictions on the use and disclosure of Personal Data. Data may not be used in a manner inconsistent with that to which the Data Subject initially agreed without further notice and consent. If the data falls under a consent exception, the Data Controller shall maintain a record of its use and disclosure.
Furthermore, the Data Controller owes a duty to Data Subjects to maintain their data responsibly and in a manner consistent with their rights. This includes responsibly destroying the data at the end of the retention period, or when the Data Subject has requested its destruction or withdrawn consent. The Data Controller also has a duty to take measures to ensure that any third party which receives Personal Data does not use it unlawfully or without authorization. Lastly, a data breach likely to put the rights and freedoms of Data Subjects at risk must be reported to the appropriate authorities.
Administratively, the Data Controller and Data Processor shall designate a Data Protection Officer. The PDPA requires the establishment of an Office of the Personal Data Protection Committee, which is charged with protecting personal data and enforcing the Act. The Committee shall be supervised by a commission which has the power of evaluation and administration. The Committee shall appoint an expert committee to hear and resolve complaints. The orders of the expert committee are final.