Personal Data Protection Compliance: Expert Insights on Navigating Thailand’s PDPA

In an exclusive Q&A session with the Thai-Italian Chamber of Commerce (TICC), Mr. Giacomo Iobizzi, Secretary General, interviewed two leading experts on PDPA compliance: Ms. Werinorn Manphan, Counsel at the Corporate and Commercial Department of MPG, and Mr. Eddy Bellavoine, Chief Commercial Officer (CCO) at SafeComs. The discussion covered key challenges, best practices, and critical cases in compliance with the Personal Data Protection Act (PDPA), showcasing their thought leadership.

Legal Responsibilities of Data Controllers

Q: What are the specific obligations of a Data Controller in Thailand when a Data Subject requests the deletion, destruction, or anonymization of their personal data?

Werinorn: Under Thailand’s PDPA, Data Controllers must act promptly when receiving a request from a Data Subject to delete, destroy, or anonymize personal data. The law requires controllers to fulfill such requests without undue delay and typically within 30 days, extendable by another 30 days if necessary. Immediate deletion or destruction should occur when technically feasible. If there are technical limitations, temporary measures (such as making data inaccessible or unusable) must be taken to mitigate risks. Anonymization is required when deletion is not possible, ensuring the data can no longer identify the subject. Pseudonymization, while not a substitute for anonymization, can be used as an additional safeguard to prevent re-identification. These actions align with the principles of data minimization and security required under the PDPA.

Challenges in PDPA Compliance

Q: What are the main challenges business owners face when starting their PDPA compliance journey?

Eddy: When beginning their journey toward PDPA compliance, businesses encounter several significant challenges. First, identifying and mapping personal data—understanding where it is stored and how it flows within the organization—can be complex and resource-intensive. Limited budgets and manpower often compound these difficulties, making it harder to implement effective compliance measures and employee training.

Integrating PDPA requirements into existing IT systems poses another major challenge, as these systems may need significant updates to align with compliance standards. Additionally, ensuring consistent adherence to PDPA principles across all employees requires ongoing effort and monitoring.

A critical aspect of compliance involves categorizing personal data into two types:

- General Personal Data (e.g., names, contact information), which requires standard protection measures.

- Sensitive Personal Data (e.g., health data, religious beliefs), which demands stricter safeguards and explicit legal justification for collection and use.

Finally, the legal basis for processing personal data varies depending on the type of data and its purpose. Businesses must clearly define and document their rationale for data processing, whether it is based on consent, contractual necessity, or legal obligation, to ensure compliance with PDPA requirements.

Data Collection and Criminal Records

Q: Under what circumstances can a Data Controller in Thailand collect personal data relating to criminal records?

Werinorn: The collection of personal data related to criminal records in Thailand is permitted under specific circumstances outlined in the PDPA and supporting regulations, such as the PDPC Notification of 8 January 2024. Such data can only be collected if it is explicitly required by law or with explicit consent from the Data Subject. Examples of lawful purposes include verifying qualifications during recruitment, assessing eligibility for government services like licensing or registration, or other legally mandated activities. Data Controllers must ensure clear documentation of the purpose and implement appropriate safeguards to protect this sensitive data, as required by Article 26 of the PDPA.

Common Mistakes in Implementation

Q: What are the most common mistakes or oversights you’ve observed in PDPA implementation?

Eddy: Common mistakes in PDPA implementation include poor consent management, such as using pre-ticked boxes instead of obtaining clear, affirmative consent. Many organizations lack adequate documentation of data handling processes, which is critical for demonstrating compliance. Weak access controls and insufficient encryption increase the risk of breaches, while inadequate staff training leads to inconsistent adherence to compliance protocols. Another major oversight is failing to effectively manage third-party data processors, which can expose businesses to significant legal and financial risks in the event of non-compliance or a data breach.

Cross-Border Data Transfers

Q: What are the key requirements for a Data Controller in Thailand to transfer personal data to another country?

Werinorn: Cross-border data transfers under the PDPA require that the destination country has adequate data protection standards comparable to Thailand’s PDPA. When such standards are not present, Data Controllers may rely on binding corporate rules (BCRs) for intra-group transfers or implement contractual clauses and other safeguards to ensure compliance. All transfers must align with the lawful bases for processing under Sections 28 and 29 of the PDPA, such as consent or contractual necessity. Controllers must also assess and document the risks involved in the transfer and take measures to mitigate them.

Sustaining Compliance in the Long Term

Q: How can businesses maintain PDPA compliance without it becoming overly burdensome?

Eddy: To maintain PDPA compliance sustainably, businesses should integrate compliance into daily operations and automate repetitive tasks, such as consent management and data deletion, to reduce manual effort. Regular employee training and using centralized data management tools can streamline processes and enhance compliance. Periodic audits and reviews help identify and address gaps proactively. Businesses should also develop and maintain incident response plans to handle breaches effectively and consider consulting experts for continuous improvement. This approach minimizes the operational burden while ensuring long-term compliance.

Lessons from JIB’s Landmark Case

Q: Can you share your insights on a recent case in Thailand that highlights the importance of compliance with Thai data protection law?

Werinorn: The JIB case serves as a significant example of the consequences of non-compliance with the PDPA. JIB, a leading IT distributor in Thailand, was fined 7 million Baht for serious violations, including inadequate security measures, delayed breach notifications, and failure to appoint a Data Protection Officer (DPO) as required. The PDPC ordered JIB to overhaul its data protection framework within 30 days, implement enhanced safeguards, and provide weekly progress reports. This case highlights the importance of proactive compliance measures to avoid financial penalties and reputational damage.

Key Takeaways

This insightful discussion highlighted the challenges, legal obligations, and best practices in PDPA compliance. Khun Werinorn Manphan’s legal expertise and Khun Eddy Bellavoine’s technical insights provided a comprehensive roadmap for businesses navigating Thailand’s data protection landscape. As the JIB case underscores, proactive measures are essential to mitigate risks and maintain compliance in today’s regulatory environment.
