After nearly two decades in the making, the Personal Data Protection Act B.E. 2562 (2019) ("PDPA") was published in the Royal Gazette on May 27, 2019. Closely modelled on the EU General Data Protection Regulation, the PDPA was slated to take full effect in June 2022, following a two-year delay caused by the COVID-19 outbreak.
As a consolidated law governing the protection of personal data, the PDPA applies to data controllers and data processors located in Thailand, whether natural persons or juristic entities, regardless of whether the collection, storage, use, disclosure, or other processing of the personal data takes place inside or outside Thailand.
Where the data controller or data processor is located outside Thailand (for example, key international players and global platform service providers) and collects, uses, or discloses personal data of a data subject who is in Thailand, that controller or processor is likewise subject to the PDPA if its activities relate to:
the offering of goods or services to a data subject in Thailand, irrespective of whether a payment is required; or
the monitoring of the data subject's behavior, insofar as that behavior takes place in Thailand.
Trust is an essential ingredient in managing data, including facilitating its exchange. Businesses and individuals need to trust the online platform through which they transmit and access confidential and often sensitive information, and they need to trust that the systems protecting that data are safe, secure, and reliable. Accordingly, many companies, both local and foreign, have invested in good data privacy practices as a source of competitive advantage.
Legal Basis for Collection and Processing of Personal Data
Under the PDPA, the collection, use, or disclosure of personal data requires either the explicit consent of the data subject or another legal basis provided under the PDPA (for example, the prevention or suppression of danger to the data subject's life, body, or health; the performance of a contract; or the legitimate interests of the data controller or a third party, where those interests do not override the fundamental rights of the data subject).
The PDPA places additional restrictions on the treatment of sensitive personal data (for example, the data subject's race, ethnic origin, political opinions, and religion). Given the heightened risk to the data subject, the collection, use, or other processing of sensitive personal data generally requires the data subject's explicit consent, unless an exception prescribed under the PDPA applies (for example, the establishment or defence of legal claims, vital interests, substantial public interest, or data that the data subject has made public).
Obligations of Data Controller
Upon or before collecting personal data, the data controller must notify the data subject of the required particulars (for example, the purpose of collection, the legal basis relied on, the retention period, any disclosure or transfer of the personal data to third parties, and the rights of the data subject).
In addition, the data controller must comply with operational requirements, including: putting in place security standards and measures to protect personal data from unauthorized access; preventing the unauthorized use or disclosure of the data by any person or entity to which it is disclosed; maintaining a system to erase or destroy personal data once it is no longer needed or the retention period has lapsed; and notifying any personal data breach to the Personal Data Protection Commission ("PDPC") and, where the breach is likely to result in a high risk to the data subject, to the data subject as well.
Cross-Border Data Transfer
A cross-border transfer of personal data requires that the destination country or international organization have sufficient data protection measures in place, in accordance with criteria and conditions to be prescribed by the PDPC, unless one of the exemptions under the PDPA applies. As of the submission deadline for this article, the PDPC had yet to announce the prescribed criteria, conditions, and details of the overseas data security measures it considers sufficient to protect the data subject's personal data. In principle, the PDPA requires that, for a transfer of personal data outside Thailand, the destination country must have adequate personal data protection measures. Under the PDPC's draft implementing regulations (as of February 2021), the PDPC has the power to publish a list of destination countries and international organizations considered to have adequate protection measures, and the list may be reviewed every four years.
Where the destination country does not have adequate protection measures, the transfer may still be permissible if the data controller has put in place a data protection policy commonly used within its group of companies (a binding corporate rules model) that has been reviewed and approved by the PDPC. The draft sets out minimum requirements for such a policy, for example: the contact details of the responsible persons in the group, the types of personal data, the purposes of processing, an assessment of the impact on data subjects, and details of the destination countries. It also requires contractual obligations and commitments on personal data protection, aligned with the PDPA, between entities in the group and with third parties; mechanisms for data subjects to exercise their rights under the PDPA; compliance monitoring mechanisms for the policy; cooperation mechanisms with the regulator, including informing it of changes to the policy and submitting to inspection and audit; and robust training for personnel in the group.
Representative of Overseas Data Controller
If a data controller located outside Thailand engages in either of the following activities: (i) offering goods or services to data subjects in Thailand; or (ii) monitoring data subjects' behavior in Thailand, the PDPA requires it to designate, in writing, a representative in Thailand. If the overseas data controller commits an offence under the PDPA, the PDPC has authority to impose the relevant penalties on that designated representative in Thailand.
The Draft Royal Decree on the Digital Service Platform
In parallel, Thailand has also prepared a Draft Royal Decree on the regulation of digital service platforms (the "Draft Royal Decree on the Digital Service Platform"), which specifically governs operators of digital platforms that act as an intermediary between users and business operators, and on which the exchange of goods, services, or intangible assets takes place. The extraterritorial scope of the Draft Royal Decree extends to any digital platform operator located overseas, provided that the platform has certain characteristics, such as having some or all of its content in Thai or accepting payment in Thai baht.
Any digital platform operator falling within this legislation has a duty to notify the relevant authorities of its operation before operating in Thailand, to submit annual reports, and to comply with the operational requirements prescribed thereunder. Any violation of obligations under the Draft Royal Decree empowers the relevant authorities to suspend the platform's operation in Thailand. Although the Draft Royal Decree has only recently been approved, the legislative body is expected to push this bill forward, given that many industries have pivoted online and are hurtling headlong into an increasingly digitalized society.