A new glance at the Thailand Personal Data Protection Act (PDPA), by H&P Law Firm for data protection in Bangkok

The Personal Data Protection Act, B.E. 2562 (2019), or PDPA, is the personal data protection law of Thailand. It was published in the Government Gazette on May 27, 2019. However, most businesses were not ready to implement this regulation, owing to the complexity of the statute and the financial difficulties caused by the Covid-19 pandemic. The Thai government therefore postponed enforcement of the Act until after May 31, 2022, giving the business sector more time to prepare sufficient measures for the upcoming change.

PDPA aims to protect the privacy and security rights of individuals by controlling unlawful and disproportionate data processing in business activities. The contents of PDPA are largely similar to those of GDPR, the personal data protection law in Europe. However, some provisions of PDPA differ from GDPR, such as the definition of personal data and the lawful bases for processing personal data. H&P lawyers have prepared this article on PDPA as a continuation of the article we published in July 2020 on the same regulation.

What is personal data under PDPA?

“Personal Data” under PDPA is broadly defined. It refers to any information that could directly or indirectly identify an individual, such as a name, email address, phone number, or medical or criminal record. Personal data is not limited to text: it also includes photographs, audio, video, CCTV recordings, or any other form of information that can be related to a particular person. This means that if you receive such information in the course of your business operations, you are subject to PDPA. The individual to whom the personal data relates is called the “Data Subject”.

What is the processing of personal data?

Processing of personal data under PDPA covers the collection, use, and disclosure of personal data by the data controller and the data processor.

Who is subject to PDPA?

PDPA imposes responsibilities on any person who processes personal data, in the roles of “Data Controller” and “Data Processor”.

A data controller is a natural or juristic person who has the power to decide how personal data will be processed. If an organization assigns an employee to process personal data, the organization is still considered the data controller even though the company does not carry out the processing itself. The reason is that the employee merely carries out activities on behalf of the employer, so the company retains full control over the data.

The other party regulated under PDPA is the data processor. This is a third party who processes personal data on behalf of the data controller. The definition does not include the data controller’s own employees, since a person within the data controller’s organization is not considered a separate third party. A data processor may be a natural person or any external agency that provides services in connection with the processing of data, for instance a cloud service provider or a payroll service provider.

Because the data processor processes personal data on the data controller’s instructions, the data controller is not shielded from liability arising from a PDPA violation committed by its data processor. Therefore, in the opinion of H&P lawyers, if your organization subcontracts data processing activities to an external agency, you may need a comprehensive contract to reduce the possible risk and to ensure that the data processor has an appropriate security system for data processing.

What is a legal basis to process personal data?

In general, the processing of personal data by any party other than the data subject is prohibited unless you have a lawful basis to justify your action. A common misunderstanding is that all data processing requires consent from the data subject. This is not true. There are seven lawful grounds that a data controller may rely on, depending on the relationship between the data controller and the data subjects or on the necessity of processing the data.

The lawful bases under section 24 of PDPA are: consent, vital interest, contractual necessity, official authority, legitimate interest, legal obligation, and the preparation of historical documents and research.

In business operations, the lawful basis most often relied on is the “contracting basis”. The justification under this basis is that the contracting party needs to collect personal data in order to perform its obligations under the contract. For example, suppose you want to obtain a loan from a bank. The bank must collect your information to assess your creditworthiness. In this instance, the bank can legally process your data on a contracting basis without obtaining “explicit consent”. However, although the bank may not be required to obtain your consent, under the “transparency principle” the bank, as the data controller, must still inform the client about the processing of such data, as required by section 23 of the PDPA.

Another basis commonly used by business operators is the “legitimate interest basis”. Under this basis, the data controller may process personal data, even without any relationship with the data subject, in order to protect its legitimate interests. An example is operating CCTV in a public area for the safety of the data controller. This lawful basis is relatively flexible but also uncertain, because the data controller must be able to show that its legitimate interest overrides the fundamental rights of the data subject.

However, the above bases are not applicable to the processing of certain categories of data that are considered sensitive data under section 26 of PDPA, such as data about racial or ethnic origin, political opinions, religion, sexual behavior, criminal records, health data, genetic data, and biometric data. If you process such data, “explicit consent” is always required, unless your purpose falls within the scope of an exception under section 26, such as preventing a danger to the data subject’s life where the data subject is incapable of giving consent.

How to prepare your organization for PDPA?

Under PDPA, the data controller and the data processor must implement sufficient technical and organizational measures to maintain the security and privacy of the personal data they process, for example by having an effective IT system and by training the staff responsible for processing personal data. However, to choose measures suitable for your organization, you first need to identify what personal data you collect from your clients or employees. You also need to review whether that information is necessary to retain, and collect only the data that is necessary for you. If the data is necessary, the next step is to review how it will be processed, how it is stored within your company, and whether the system protecting it is secure enough. How long will you keep it, and is it still necessary for your purpose? Will you disclose it to any third party? In addition, if your organization processes sensitive data on a large scale, you will be required to appoint a DPO.

If you need to discuss the implementation of PDPA in your business with a lawyer in Thailand, please contact us at [email protected]
