What is the deadline?

With Thailand’s Personal Data Protection Act set to come into effect on May 27th, organisations across the country must ready themselves to comply with the new regulations. Being adequately prepared entails understanding the PDPA and effectively communicating its implications with everyone in the organisation who has access to personal data. but due to the pandemic, the effective date of Thailand’s PDPA is postponed until 1 June 2021.

What are the penalties?

The PDPA imposes penalties for non-compliance. It is punishable with administrative fines (up to THB 5 million), criminal penalties (imprisonment up to one year and/or fines up to THB 1 million), and punitive damages up to twice the amount of the actual damages. Furthermore, civil damages under the PDPA can be multiplied as Thailand now allows data subjects to bring a class-action lawsuit. The director of a company could also be subject to penalties under the PDPA.

What are considered as a personal data & sensitive data?

The PDPA provides stringent requirements for the collection and storage of sensitive personal data that refers to any information relating to a person, which enables the identification of such person including personal data pertaining to:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Criminal records
• Trade union memberships
• Genetic data
• Biometric data
• Health records
• Sexual orientation or preferences

The collection of sensitive personal data without the express consent of the data owner is prohibited, except in certain circumstances, such as medical emergencies or as required by law.

What is a cross border data transfer?

In the event that a data controller sends or transfers Personal Data to a foreign country, the destination country that receives such Personal Data shall have adequate data protection standards, unless an exemption is met (e.g. a consent from the data subject is obtained for the transfer of the Personal Data to a country which the data protection standard that is not adequate, or the transfer is for compliance with the law). The guideline on adequate data protection standard is yet to be issued.

What is a Data Processor?

A person or entity that collects, uses, or discloses personal data in accordance with the orders of the data controller.

What is a Data Controller?

A person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.

What is a Data Protection Officer?

The Data Protection Officer (DPO) ensures, in an independent manner, that an organization applies the laws protecting individuals' personal data. The designation, position and tasks of a DPO within an organization are described in Sections 5, 6, 30-41 of the Thai Personal Data Protection Act law (PDPA). Many other countries require the appointment of a DPO, and it is becoming more prevalent in privacy legislation.