Overview of Thailand Personal Data Protection Act B.E.2562 (2019)

Personal Data Protection Act B.E. 2562 (2019) of Thailand (PDPA) became effective on 1 June 2022.

We have highlighted some of the key obligations under the PDPA below.

• Key definitions
• The Personal Data Protection Committee
• Extraterritorial application
• General protections
• Collection of Personal Data
• Cross-border transfer of Personal Data
• Rights of data subject
• Data Protection Officer
• Fines and penalties
• Grandfathering provisions
• Subordinated regulations
• What is next?

Key definitions

The PDPA has some key definitions which are similar to data protection laws elsewhere:

1. "Personal Data" is broadly defined as any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of deceased persons in particular.
2. "Data Controller" is a person (whether a natural or legal person) who has the authority and duty to make decisions on collection, usage or disclosure of Personal Data.
3. "Data Processor" is a person (whether a natural or legal person) who collects, uses or discloses Personal Data in compliance with the orders of the Data Controller or on behalf of the Data Controller.

The Personal Data Protection Committee

On 11 January 2022, the Personal Data Protection Committee (Committee), a regulator under the PDPA, was formed.

The Committee is authorized under the PDPA to set up a master plan for the promotion and protection of the Personal Data; prescribe measures, criteria and guidelines for business operators to comply with, and issue subordinated regulations and rules under the PDPA.

Extraterritorial application

Organizations outside Thailand who collect, use or disclose Personal Data collected from individuals in Thailand (whether or not those individuals are Thai citizens) may be subject to the PDPA if such organization engages in the following activities:

1. offering of goods or services to the data subjects who are in Thailand, regardless of whether payment is made by the data subject or not; or
2. monitoring of the data subject's behaviour, where the behaviour takes place in Thailand, which could be the case of using cookies, google analysis or search panels.

In addition, a Data Controller or the Data Processor who is located outside Thailand and subject to the PDPA above will also be required to appoint a representative in Thailand and in writing (who can either be an individual or a legal person) to act on behalf of the Data Controller itself without any limitation of liability in respect of the collection, usage or disclosure of the Personal Data according to the purposes of the Data Controller as specified in the privacy policy, or to act on behalf of the Data Processor itself without any limitation of liability in respect of the collection, usage or disclosure of the Personal Data by the Data Processor in compliance with the orders of the Data Controller or on behalf of the Data Controller. However, the appointment of such a representative will not be required if the Data Controller or Data Processor:

1. is a public authority as prescribed by the Committee; or
2. conducts a business of the collection, usage and disclosure of the Personal Data that is not related to racial, ethnic, origin, political opinions, cults, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any other data which may affect the data subject in the same manner, as prescribed by the Committee (Sensitive Personal Data) and does not have a large amount of Personal Data that requires a regular monitoring as prescribed by the Committee.

General protections

Specific consent is required from the data subject, in writing or via electronic means, prior to or at the time of collection, use or disclosure of Personal Data, unless one of the prescribed exceptions applies. A data subject may at any time revoke his/her consent, unless there is a restriction by the law or under a contract on revoking such consent.

Collection of Personal Data

Collection of Personal Data must be for a lawful purpose and be directly relevant to, and necessary for, the activities of the Data Controller. The Data Controller must inform the data subject, prior to or at the time the Personal Data is collected, of the following details, except where the data subject already knows of such details:

1. the purpose of the collection for use or disclosure of the Personal Data, including the consent basis or other lawful basis which it intends to rely on in case for the collection, usage or disclosure of the Personal Data without the data subject's consent;
2. whether the data subject must provide his or her Personal Data in compliance with the law, or contract, or where it is necessary to provide the Personal Data for the purpose of entering into a contract, including the consequence if the data subject does not provide such Personal Data;
3. the Personal Data to be collected and the period for which it will be retained. If it is not possible to specify the retention period, the expected data retention period according the data retention standard shall be specified;
4. the categories of persons or entities to whom the Personal Data which has been collected may be disclosed;
5. the contact details of the Data Controller and, where applicable, of the Data Controller's representative or data protection officer; and
6. the rights of the data subject in accordance with the PDPA.

Except under limited circumstances prescribed under the PDPA, typically, Personal Data must be collected directly from the data subject. Also, the collection of Sensitive Personal Data is prohibited, without the explicit consent from the data subject, except under limited circumstances as set out under the PDPA. For instance, collection of Sensitive Personal Data is permitted (without the explicit consent from the data subject) to protect or prevent harm to a person's life, body or health where the data subject is incapable of giving consent by whatever reason.

Cross-border transfer of Personal Data

In the event that the Data Controller sends or transfers Personal Data to a foreign country, the destination country or international organization that receives such Personal Data must have an adequate data protection standard in accordance with the rules for the protection of Personal Data as prescribed by the Committee, except in the following circumstances:

1. the transfer is made pursuant to applicable laws;
2. consent is obtained from the data subject which informed the data subject of inadequate Personal Data protection measures of the destination country or international organizations receiving the Personal Data;
3. the transfer is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
4. the transfer is for compliance with a contract between the Data Controller, and other persons or juristic persons for the interests of the data subject;
5. the transfer is to prevent or suppress a danger to the life, body, or health of the data subject or other persons, when the data subject is incapable of giving the consent at such time;
6. the transfer is necessary for carrying out the activities in relation to substantial public interest.

Rights of data subject

Under the PDPA, a data subject has certain rights as follows:

1. to withdraw consent;
2. to access and obtain a copy of Personal Data;
3. to receive Personal Data in machine readable formats and request the Data Controller to send the same to other Data Controller;
4. to object to the collection, usage and disclosure of the Personal Data in the circumstances as set out in the PDPA;
5. to request for deletion and anonymization of the Personal Data in the circumstances set out in the PDPA;
6. to request a suspension in use of the Personal Data in the circumstances set out in the PDPA;
7. to have the Data Controller ensure that the Personal Data remains accurate, up-to-date, complete and not misleading; and
8. to file complaints with the relevant authority.

Data Protection Officer

A data protection officer (DPO) is required to be appointed by the Data Controller, the Data Processor or the representative of the Data Controller or the Data Processor (in the event that such Data Controller or the Data Processor is required to appoint a representative in Thailand as explained above) in the following cases:

1. the Data Controller or the Data Processor is a public authority as prescribed and announced by the Committee; or
2. the activities of the Data Controller or the Data Processor in the collection, use, or disclosure of the Personal Data require regular monitoring of the Personal Data or the system, due to the reason of having a large number of the Personal Data as prescribed by the Committee; or
3. the core activities of the Data Controller or the Data Processor are the collection, use, or disclosure of the Sensitive Personal Data.

Fines and penalties

Failure to comply with the PDPA could result in civil liabilities, criminal penalties or administrative fines.

Grandfathering provisions

The Data Controller may continue to use Personal Data collected prior to the date that the PDPA comes into force, provided that:

1. such Personal Data is only used for the purpose for which it was originally collected; and
2. the Data Controller shall prepare and publicize a consent withdrawal method to enable the data subject, who does not wish the Data Controller to continue collecting and using his or her Personal Data, to notify his or her withdrawal of consent easily.

Subordinated regulations

Four subordinated regulations (Regulations) issued under the PDPA took effect on 21 June 2022. The Regulations consists of the following:

1. exemption of the Personal Data information record for the Data Controller who is considered a small organization;
2. rules and procedures on the preparation and maintenance of Personal Data processing activities for the Data Processor;
3. security standard of the Data Controller; and
4. rules on the issuance of order to impose administrative fines by the expert committee.

It is anticipated that further subordinated regulations of the PDPA will soon be issued by the Committee.

What is next?

Even though, at present, there are only four subordinated regulations issued under the PDPA, once the other subordinated regulations or rules have been issued, Data Controllers and the Data Processors subject to the PDPA should monitor such subordinated regulations and review their privacy policy and procedures to determine if any change must be implemented.