Thailand’s first Personal Data Protection Act (PDPA) law finally enforced.
After being postponed since 2019, the Personal Data Protection Act has come into force in Thailand on June 1, 2022, intending to ensure members of the public that their personal data is protected and not misused.
Under the PDPA, data controllers and data processors must receive consent prior to collecting, using or disclosing personal data, except cases where it is permitted to do so by provisions of the Act or other related laws.
Further details of the Personal Data Protection Act
What is personal data?
According to section 6 of the Act, personal data refers to any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased persons in particular.
There are two types of data, general information and sensitive data. General information includes name, date of birth and phone number, while sensitive data includes health, disability, racial, sexual, religious, political and biometric information.
Collecting personal data
When collecting personal data, the data controller must inform the data subject of the following details:
- The purpose of the collection, use or disclosure of personal data
- Notify the data subject when the data subject is required to provide personal data to comply with a law or contract or when providing personal data is necessary for entering into a contract, including notification of possible consequences if the data subject does not provide personal data.
- Type of personal data collected and the time frame for which the personal data will be kept
- Types of people or organisations to which the collected personal data may be disclosed to
- The address, contact details and information of the data controller, data controller’s representative or data protection officer
- Rights of the data subject
According to section 24 of the Act, personal data can be used or collected without the consent of the data subject under the following conditions:
- Preventing or suppressing danger to a person’s life, body or health
- Preparation of historical documents or archives for the public interest or the purpose relating to research or statistics
- Necessary for the performance of a task carried out in public interest by the data controller
- Compliance with a law
- Necessary for legitimate interests of the data collector or any other persons or juristic persons, except where such interests are overridden by fundamental rights of the data subject.
Rights of the data subject
Under the PDPA, data subjects are entitled to the following rights:
- Right to access and obtain their personal data
- Right to object to the collection, use or disclosure of personal data
- Right to request the data controller to erase, destroy or anonymise personal data
- Right to request the data controller to restrict the use of the personal data
- Right to withdraw at any time
- The data collector must ensure that the personal data is accurate, up-to-date, complete and not misleading
Penalties for violating the Act
Data collectors or data processors who fail to comply with the Act and intentionally or negligently cause damage to the data subject must compensate the data subject for any damages that occurred.
Violating the Act will also result in a criminal penalty of imprisonment of up to one year or a fine of up to THB 1 million or both, and administrative fines of up to THB 5 million.
Since this is a recent event with long-term ramifications, our legal team is monitoring the situation and will update this article as new information arise. In the meantime, feel free to contact us for more information about what this new law means to your business and how we can help.