THANATHIP & PARTNERS


Thailand PDPA
Introduction
In light of the ever-growing importance of data privacy, the Personal Data Protection Act B.E. 2562 (A.D. 2019) (the “PDPA”) was published in the Royal Gazette on 27 May 2019 as the main legislation governing personal data protection in Thailand.

Similar to the General Data Protection Regulation (GDPR), the PDPA imposes a number of significant obligations on persons involved in the process of collecting, using or disclosing Personal Data (see definition below), and grants certain rights to the data subject. Accordingly, any processing of Personal Data which falls within the ambit of the PDPA must comply with the procedures and requirements prescribed thereunder.

Key definitions
The following key terms have the meaning given to them under the PDPA:
Personal Data

means any information relating to a person which can directly or indirectly identify such person, excluding those of a deceased person.

Data Controller

means a person or juristic person having the power and duties to make decisions regarding the collection, usage or disclosure of Personal Data.

Data Processor

means a person or juristic person who operates in relation to the collection, usage or disclosure of Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such person or juristic person is not a Data Controller.

Application
The PDPA applies to the processing of Personal Data by Data Controllers and Data Processors who:
  1. have an establishment in Thailand; or
  2. do not have an establishment in Thailand but pursue any of the following activities:
  • offering goods or services to data subjects in Thailand; or
  • monitoring the behaviour of data subjects who are in Thailand (not necessarily Thai nationals).

Accordingly, the extraterritorial application of the PDPA extends its reach to Data Controllers and Data Processors operating outside of Thailand. In addition, Data Controllers and Data Processors outside of Thailand who are subject to the PDPA are obliged to appoint a representative in Thailand to act on their behalf without any limitation of liability with respect to the processing of Personal Data.

Personal Data Protection
In principle, a Data Controller can process Personal Data only if it has at least one of the valid legal bases, namely (i) consent; (ii) archiving, research or statistical purposes; (iii) vital interest; (iv) contract; (v) public tasks; (vi) legitimate interests; or (vii) legal obligation.

Where consent is used as the legal basis, the request for consent must be explicitly made in writing or via electronic means, unless this cannot be done given the nature of the request. The request must state the purpose of processing, be clearly distinguishable from other content, be easily accessible and intelligible, use clear and plain language, and must not be deceptive or misleading to the data subject.

Additionally, prior to or upon collection of Personal Data, the Data Controller is obliged to inform the data subject of the prescribed privacy information which includes:

  1. purposes of processing, and the legal basis relied on;
  2. necessity by laws or contracts to provide the Personal Data, including possible effect if such Personal Data is not provided;
  3. the Personal Data to be collected;
  4. retention period;
  5. types of recipient to whom the Personal Data may be disclosed;
  6. contact details of the Data Controller, representative or Data Protection Officer (as applicable); and
  7. rights of the data subject.

Additionally, the PDPA demands a higher level of protection for sensitive Personal Data, which includes race, ethnicity, political opinions, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disabilities, trade union information, genetic data, biometric data, etc. Such sensitive Personal Data can be processed only with the explicit consent of the data subject, unless other exemptions apply. Likewise, processing of the Personal Data of children below the age of 10 (and of those over the age of 10 in certain circumstances), and of incompetent or quasi-incompetent persons, requires the consent of their parent, guardian or curator (as the case may be).

Export of Personal Data
Cross-border transfer of Personal Data to a recipient outside of Thailand can be made provided that the recipient country has an adequate level of data protection, unless other exemptions apply.

In this connection, the PDPA provides an exemption for inter-group transfer where Personal Data is transferred between affiliated businesses or undertakings within the same business group, provided that a data protection policy demonstrating adequate safeguards for personal data protection has been reviewed and certified by PDPC Office.

Data Protection Officer
Subject to sub-regulations to be further announced, the PDPA requires Data Controllers and Data Processors to appoint a Data Protection Officer (the “DPO”) if:
  1. they are a public authority;
  2. the core activities require large scale, regular and systematic monitoring of individuals; or
  3. the core activities concern sensitive Personal Data.

The DPO may be appointed from among the employees of the Data Controller or Data Processor, or from a third-party contractor, to supervise and monitor compliance with the PDPA.

Rights of Data Subjects
The data subjects are in certain circumstances entitled to the following rights under the PDPA:

Right to Withdraw Consent - where consent is used as the legal basis of processing, data subjects can withdraw their consent at any time in a manner which is as easy as giving consent, unless otherwise restricted by law or by a contract which gives benefits to the data subject;

Right to be Informed - data subjects have the right to be informed of how the Personal Data relating to them will be, are being or were processed;

Right to Access - data subjects may request access to and receive a copy of their Personal Data, or request disclosure of how Personal Data was obtained without their consent. Where there is no valid ground to reject such a request, the Data Controller is obliged to fulfil the request without delay and within 30 days from the date of receiving it;

Right to Data Portability - data subjects have the right to receive Personal Data, which were provided by them to the Data Controller, in a structured, commonly used and machine readable format, as well as to request the transmission of such Personal Data directly to another Data Controller;

Right to Object - data subjects may object to the processing of their Personal Data, upon which the Data Controller would generally be obliged to stop processing the Personal Data;

Right to be Forgotten - data subjects have the right to have their personal data erased, destroyed or anonymised;

Right to Restrict Processing - data subjects may in certain circumstances request the restriction of processing of their Personal Data, in which case the Data Controller would generally be permitted only to store (as opposed to use) the Personal Data;

Right to Rectification - data subjects may request to have their Personal Data rectified if inaccurate, incomplete or misleading; and

Right to Lodge a Complaint - data subjects may file a complaint with the relevant authority in case of any violation by the Data Controller or Data Processor (including its employees or contractors) of the PDPA or notifications issued thereunder.

It is important to note that not all of these rights are absolute; their exercise will depend on the circumstances and the lawful basis relied on for the processing of Personal Data.

Data Breach Notification
In the event of a breach of Personal Data, the Data Controller is required to notify the PDPC Office of the breach without delay and, where feasible, within 72 hours after having become aware of the breach, except where such breach is unlikely to result in a risk to the rights and freedoms of a person. Where the breach is highly likely to result in a risk to the rights and freedoms of a person, notification of the breach and remedial measures shall be made to the data subject without delay.

Similarly, the Data Processor is required to notify the Data Controller of any breach of Personal Data.

Sanctions
Failure by a Data Controller or Data Processor (including its representatives and data protection officers, as applicable) to comply with the PDPA may expose it not only to civil liability (including punitive damages) but also to a criminal offence and/or an administrative penalty introduced thereunder.

This document is solely intended to provide an update on recent developments in Thai legislation and does not purport to provide a legal opinion or legal advice to any person.