Last year, Thailand published the Personal Data Protection Act, B.E. 2562(2019) or “PDPA” on Government Gazette on May 27, 2019 which came into force on that date, except provisions of Chapter II, Chapter III, Chapter V, Chapter VI, Chapter VII, and section 95 and section 96, which shall come into effect on May 28, 2020.
However, the Royal Decree on Entities and Businesses Not Subject to Enforcement of the PDPA B.E. 2563, was later published on May 21, 2020 as the compliance with the rules, methods, and conditions specified by this Act are very detailed and complicated.
Besides, the advanced technology also becomes essential for protecting the personal data as this is the purpose of this Act. Accordingly, most of the Data Controller including government sectors and business sectors in Thailand are not ready to comply with PDPA.
The Royal Decree, therefore, was enacted to delay the implementation of PDPA. The following are a list of Chapters and the business entities exempted from PDPA for a specific period of time as provided by the Royal Decree which has been enforced since May 27, 2020 and end on May 31, 2021:
Chapter II: The personal data protection, general provision, personal data collection use or disclosure of personal data)
Chapter III: Rights of the data subject.
Chapter V: Complaints
Chapter VI: Civil Liability
Chapter VII: Penalties, criminal liability, administrative liability and
Section 95: For personal data that has previously been collected by a Data Controller before the effective date of this Act, the Data Controller shall be entitled to continue to collect and use such Personal Data for the Original purposes.
1 Government authorities.
2 Foreign public authorities and international organizations.
3 Foundations, associations, religious organizations, and non-profit organizations.
4 Agricultural businesses.
5 Industrial businesses.
6 Commercial businesses.
7 Medical and public health businesses.
8 Energy, steam, water, and waste disposal businesses, including their related business.
9 Construction businesses.
10 Repair and maintenance businesses.
11 Transportation, logistics, and warehouse business.
12 Tourist businesses.
13 Communication, telecommunication, computer, and digital businesses.
14 Financial, banking, and insurance business.
15 Real estate businesses.
16 Professional businesses.
17 Management and support services business.
18 Scientific and technological, academic social welfare, and artistic businesses.
19 Educational businesses.
20 Entertainment and recreational businesses.
21 Security business.
22 Household and community enterprise businesses whose activities cannot be classified.
In H&P lawyers opinion, PDPA Thailand was influenced by the European Union General Data Protection Regulation which aims to protect Personal Data from any effect arising upon the the processing of personal information. The summary of PDPA Thailand is as follows:
Law Enforcement of PDPA Thailand
This Act applies to the collection, use, or disclosure of Personal Data by a Data Controller or a Data Processor that is in the Kingdom of Thailand, regardless of whether such collection, use, or disclosure takes place in the Kingdom of Thailand or not. If the event that a Data Controller or a Data Processor is outside the Kingdom of Thailand, this Act shall apply to the collection, use, or disclosure of Personal Data of data subjects who are in the Kingdom of Thailand, where the activities of such Data Controller or Data Processor are the offering of goods or services to the data subjects who are in the Kingdom of Thailand, irrespective of the whether the payment is made by the data subject and the monitoring of the data subject’s behavior, where the behavior takes place in the Kingdom of Thailand.
In this Act, the Personal Data means any information relating to a person, which enables to the identification of such person, whether directly or indirectly, but not including the information of the deceased Persons. In particular, Data Controller means a person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data and Data Processor means a Person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data according to the orders given by or on behalf of a Data Controler.
The Collecting and disclosure of Personal Data
The Data Controller shall not collect, use, or disclose Personal Data unless the data subject has given consent prior to or at the time of such collection, use, or disclosure. A request for consent shall be explicitly made in a written statement, or via electronic means that the PDPA has specified such as in requesting consent from the data subject, the Personal Data Controller shall also inform the purpose of the collection, use, or disclosure of the Personal Data. Such a request for consent shall be presented in a manner that is distinguishable from the other matter, in an easily accessible and intelligible form and statements, using clear and plain language, and does not deceptive or misleading to the data subject in respect to such purpose.
After the consent, the data subject may withdraw his or her consent at any time. The withdrawal of consent shall be as easy as to giving consent. If the request for the data subject’s consent which is not in accordance with those prescribed in this Act it shall have no binding effect on the data subject and shall no longer enable the Data Controller to collect, use, or disclose the Personal Data.
The Data Controller shall have to provide appropriate security measures for preventing the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of Personal Data, and such measures must be reviewed when it is necessary, or when the technology has changed to efficiently maintain the appropriate security and safety.
Penalty and Liability
This Act provides both the Civil, criminal, and administrative penalties as follows.
The Civil Liability: The Data Controller or the Data Processor, whose operation in relation to Personal Data violates or fails to comply with the provision of this Act which causes damages to the data subject, shall compensate the data subject for such damages, regardless of whether such operation is performed intentionally or negligently. Also, the Court shall have the power to order the Data controller or the Data Processor to pay punitive damages in addition to the actual compensation rendered by the court as deems fit, but shall not exceeding two times of such actual compensation amount.
The Criminal Liability: If the Data Controller uses or disclose Personal Data without the consent of the data subject or the individual person or juristic person who obtains personal Data use or disclose such Personal Data for any purpose other than the purpose previously notified to the Data Controller in the request to obtain such Personal Data if it cause another person to suffer any damage, impair his or her reputation, or expose such other person to be scorned, hated, or humiliated, shall be punished with imprisonment for a term not exceeding six months, a fine not exceeding five hundred thousand Baht, or both.
In the case where the offender who commits the offense under this Act is a juristic person and the offense is conducted as a result of the instructions given by or the act of any director, manager or person, who shall be responsible for such act of the juristic persons, or in the case where such person has a duty to instruct or perform any act but omits to instructor perform such activity until the juristic person commits such offense, such person shall also be punished with the punishment as prescribed for such offense.
The Administrative Liability: The Data Controller or the Data Processor, that is not operational in relation to Personal Data, violates or fails to comply with the provision of this Act. They shall have the punished with an administrative fine that maximum is 5 million Baht.
If you need to talk with a lawyer in Thailand on compliance and personal data protection, please contact H&P lawyers at [email protected]