On 27 May 2019, the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) was published in the Government Gazette after being presented to the King for Royal Signature. While the PDPA has been in effect since 28 May 2019, the main operative provisions under Chapters 2, 3, 5, 6 and 7, and Sections 95 and 96, will not come into force until after a one-year grace period from the publication date, i.e. 27 May 2020. The PDPA is Thailand’s first consolidated law governing data protection.
The PDPA will affect entities that handle the personal data of individuals by requiring such entities to obtain consent from such individuals prior to the collection, processing or use of their personal data (although certain exceptions to this requirement may apply). Moreover, individuals will have the right to revoke their consent and require entities to erase their personal data. Entities that handle personal data are subject to civil, criminal and administrative liability for breaching the PDPA.
The key terms of the PDPA are as follows:
- The term “personal data” means any information or data of a natural person which can directly or indirectly identify such person, but excluding information of a deceased person.
- The term “sensitive personal data” means personal data such as race, ethnic origin, political views, doctrinal, religious or philosophical beliefs, sexual behavior, criminal record, health record, or biometric information. Sensitive personal data must be treated differently from other personal data and may not be kept without explicit consent from the data owner unless otherwise stipulated in Section 26 of the PDPA (such as for medical purposes).
- The term “data controller” means a person or entity that is able to make decisions concerning the collection, usage or disclosure of personal data.
- The term “data processor” means a person or entity that collects, uses or discloses personal data for or on behalf of a data controller.
- The term “data protection officer” means a person or entity appointed by a data controller or data processor to inspect the handling of personal data. A data protection officer only needs to be appointed in certain circumstances, such as for governmental bodies designated by the Ministry of Digital Economy and Society (“MDES”), entities which collect large amounts of personal data, and organizations whose core business involves the collection, use or disclosure of sensitive personal data.
DUTIES UNDER THE PDPA
STEP 1: Collection of Personal Data
The data controller must inform the data owner of the following prior to collecting personal data:
- Purposes of personal data collection;
- Types of personal data to be collected and the period for which it will be kept;
- Types of third parties to whom the personal data will be disclosed;
- Information about the data controller and its contact details; and
- Rights of the data owner under the PDPA, including the rights to withdraw consent and to access, delete or anonymize their personal data.
Consent must be obtained from the data subject in writing or electronically. Consent from a data owner must be clear and explicit, and must be acquired before or during the collection of personal data. In certain circumstances no consent is required, such as collection for educational purposes, protecting a person’s life, compliance with a legal obligation, performance of a contract, and legitimate interest.
STEP 2: Ongoing Duties
Following collection of personal data, the data controller is subject to the following responsibilities:
- Processing, using or disclosing personal data within the scope of purpose informed to the data owner (Section 21 of the PDPA);
- Avoiding indirect collection of personal data from sources other than the data owner (subject to certain exceptions) (Section 25 of the PDPA);
- Implementing “suitable measures” to prevent the loss, unauthorized access, alteration or disclosure of personal data. The MDES will later announce the minimum standards of such “suitable measures”;
- Ensuring that third parties that acquire personal data do not use or disclose the data wrongfully or without authorization;
- Deleting personal data when the prescribed period of storage expires, when it is no longer relevant, exceeds the scope of consent or necessity, or when consent is withdrawn;
- Notifying the MDES within 72 hours of a data breach that would have a detrimental effect on the rights of the data owner; the data owner would also need to be notified and provided with compensation if adversely affected (Section 37 of the PDPA).
EXTRATERRITORIALITY AND NEXT STEPS
The extraterritorial effect of the law has been adapted from the General Data Protection Regulation (EU) 2016/679 (“GDPR”). The PDPA is applicable not only to personal data collected, used or disclosed by a data controller or a data processor residing in Thailand, but also to a data controller or a data processor residing outside Thailand but collecting, using or disclosing personal data of a data subject in Thailand: (1) for offering goods or services to individuals in Thailand; or (2) where the behaviour of data subjects within Thailand is monitored.
Since the grace period for compliance with the operative provisions is only one year, business operators should be well prepared and raise awareness among their employees and staff. Recommended steps are: conduct a review and analysis of the data they currently hold in order to understand that data, and then segregate the personal data within it; identify their current level of compliance with the PDPA; review privacy policies, agreements and any other rules and practices; arrange training for employees and staff; assess the risk of a PDPA violation in each activity; put measures in place to effectively detect, report and investigate a violation of the PDPA; and designate an in-house data protection team. These preparations help ensure that personal data in their possession will be properly collected, maintained and processed.