News

Back

Liabilities for Non-Compliance with the PDPA

The Personal Data Protection Act of 2019 (PDPA) is a body of law intended to protect data subjects by requiring businesses and other entities to meet obligations in the collection, use, and disclosure of data subjects’ personal information. Data controllers, data processors, and other concerned parties are responsible for the secure maintenance of personal data and compliance with the Act. Therefore, all concerned parties may be fined for failure to comply with the Act.

Non-compliance with the provisions of this Act may result in: (1) civil liability; (2) criminal liability; and (3) administrative liability. The details are as follows:

Civil Liability

When the Data Controller or Data Processor’s operation in relation to the Personal Data violates or fails to comply with the provisions of this Act and causes damages to the data subject, the Data Controller or Data Processor shall compensate the data subject for such damages. This liability occurs regardless of whether the operation is performed intentionally or negligently; it does, however, exclude damages caused by certain situations such as force majeure.

The court has the power to order the Data Controller or Data Processor to pay punitive damages in addition to the compensation specified above; however, the punitive damages ordered shall not exceed two times the compensation amount.

The claim for compensation is barred by prescription after the lapse of three years from the date that the injured person knows of the damages and the identity of the Data Controller or Data Processor, or ten years from the date that the wrongful act was committed.

Criminal Liability

The following persons shall be considered criminally liable: (1) the Data Controller, who uses or discloses Personal Data without the consent of the data subject; (2) the person or juristic person, who uses or discloses Personal Data for any purpose other than the purpose notified to the Data Controller; (3) the Data Controller, who sends or transfers the Personal Data to a foreign country without complying with the conditions set forth in this Act, and (4) the person who comes to know the Personal Data of another person.

When the actions of persons stipulated in (1), (2), and (3) cause the data subject to suffer damages, affect his or her reputation, or expose the data subject to scorn, hatred or humiliation, the responsible persons shall be punished with imprisonment for a term of no more than six months, a fine of no more than five hundred thousand THB, or both. When the unlawful acts of such persons are motivated by a desire to benefit themselves or another person, the persons shall be punished with imprisonment for a term no more than one year, a fine no more than THB 1,000,000, or both. Such offences are compoundable.

When the person in category (4) discloses the Personal Information to any other person—with certain exceptions—such person shall be punished with imprisonment for a term of no more than six months, a fine no more than THB 500,000, or both.

In cases where the offence is committed as a result of instructions given by any director, manager, or person, such individuals are also criminally liable for the offence.

Administrative Liability

The PDPA established the “Experts Committee” and vested in it the authority to determine administrative fines and enforcement orders for noncompliance with the Act.

 When the Data Controller fails to inform the data subject of key details such as the purpose of collection, fails to provide access to or a copy of the Personal Data, fails to maintain certain records in a written or electronic form, or fails to designate a data protection officer, when necessary, the Data Controller shall be punished with an administrative fine of no more than THB 1,000,000.

When the Data Controller fails to use or disclose Personal Data according to the purpose previously given to the data subject, collects unnecessary Personal Data, or collects Personal Data without the consent of the data subject, such Data Controller shall be punished with an administrative fine of no more than THB 3,000,000.

Any collection of Personal Data pertaining to topics prohibited by the Experts Committee or using or disclosing Personal Data without consent of the data subject, shall be punished with an administrative fine of no more than THB 5,000,000.

Any person who fails to act in compliance with the order given by the Experts Committee or fails to provide a statement of facts as ordered by the Experts Committee, shall be punished with an administrative fine of no more than THB 500,000.

The Notice by the Personal Data Protection Committee, B.E 2565 (2022) was issued in June of2022 and regulates the Experts Committee’s actions under the PDPA. The Notice describes guidelines for the standards and processes in issuing fines or enforcement measures.

The Notice stipulates that the Expert Committee and its officers shall exercise care when issuing orders for noncompliance. The procedures set out in the Notice require that the Committee consider the totality of the circumstances, by assessing: the impact to data subjects; the specific acts which led to violation of the PDPA; and means of rectifying any damage. The law of administrative procedure shall govern the Committee’s actions. Furthermore, the Expert Committee’s orders are final.

The Notice stipulates how service should be provided to all concerned parties. Service of appointment, notification, or any other proceedings shall be made in writing or by reliable electronic format. In case of emergency or if prior consent has been given, additional notices may be made by fax, email, or another agreed upon means. All concerned parties shall be considered notified according to the timestamp on the notice.

When issuing an order of administrative fines or other enforcement measures, the Committee shall consider the following factors:

1.   Details of the offence, especially in cases where there was intent to harm, gross negligence, or lack of reasonable care.

2.   Seriousness of the offence.

3.   Size of the business.

4.   Potential result of the fine and whether it will alleviate damage or distress to the personal data subject and to what extent.

5.   Benefits the personal data subject will gain from the order of administrative fines.

6.   The impact on all concerned parties and to the noncompliant business.

7.   Value and severity of damages arising from the offence.

8.   Comparison to administrative fines and enforcement measures previously imposed for the same offence (if any were ordered).

9.   Records of administrative fines or the enforcement measures imposed on all concerned parties. In the case that a concerned party is a juristic person, the record of fines or enforcement measures against individuals related to the offence will also be considered.

10.   Level of responsibility the concerned party held at the time of the offence.

11.   The ethical codes, business practices, and security standards to which all concerned parties were held at the time of the offence.

12.   Measures which were taken by the parties to alleviate damage when the offence came to their attention.

13.   Compensation for damages to the personal data subjects.

14.   Other related facts.

Non-serious Offences

All concerned parties shall be issued a warning or ordered to rectify the offence. The Experts Committee may also:

1.   Issue an order instructing the parties to comply, rectify, stop, suspend, refrain, or abstain from the activity which is in violation of or noncompliance with the PDPA. The order must contain the details, reasons, and objectives the measures imposed are meant to achieve. The order must further stipulate how the rectification or procedures under the PDPA must be executed.

2.   Issue an order prohibiting any act that causes damage to the personal data subject.

3.   Issue an order restricting the collection, usage, or disclosure of personal data which was compromised to prevent further damage to the data subject.

Serious Offences

A non-serious case where orders were met with noncompliance shall be considered to have escalated into a serious case. An administrative fine shall be issued to all concerned parties. The degree of severity and other circumstances shall be considered when imposing the fine. Orders under categories 1, 2, and 3 for non-serious cases may be issued as the Experts Committee deems necessary.

1.   The order of the administrative fine must contain details of the consideration and reasons. Considerations and reasons must include:

i.   Essential facts of the offence.

ii.   Legal points concerned.

iii.   Additional considerations and supporting points which were part of the deliberation.

iv.   Details for compliance with the order.

2.   The order shall be made in writing, including the date it was issued, and must be signed by the Experts Committee Chairman.

An officer shall notify the Expert Committee if the concerned parties have not complied with administrative fines or enforcement measures. If the parties have failed to pay fines in full by the date stipulated in the order, a written warning shall be issued instructing the concerned parties to make the payment within a specified grace period, which shall be no less than seven days. If the grace period lapses and the fine still has not been paid in full, an officer shall enforce the order as per standards outlined in the law governing administrative procedures. In case an officer is not available or unable to proceed, the Experts Committee shall file a lawsuit in the Administrative Court for the enforcement of the fine. If enforcement requires the seizure, attachment, or sale by auction of a concerned party’s property, the Experts Committee shall order it.

The receipt, transfer, custody, and disbursement of money from at auction shall be done per the regulations prescribed by the Ministry of Finance. Fees and expenses related to the seizure or sale by auction of property shall be deducted from the proceeds before paying the fine. Any remaining funds shall be returned to the eligible person according to law.

Considering the power invested in the Experts Committee, the Notice charges officers to exercise care when imposing administrative fines or other enforcement measures. Officers should consider available evidence, code of ethics, professional standards, common business practices, the applicable law, the impact on the persons and business, and the operations of the concerned parties. Though the Expert Committee’s decisions are final, the Committee must provide ample reasoning and evidence.

 

For inquiries about our PDPA Compliance Services, please contact us at info@mahanakornpartners.com

Enforcement of the Personal Data Protection Act

Cyber Security and Directors Liability

Enforcement of Personal Data Protection Act Postponed Another Year