The Thailand Personal Data Protection Act was finally approved and endorsed by the National Legislative Assembly on 28 February 2019 (“PDPA”). The PDPA will be submitted for royal endorsement and subsequent publication in the Government Gazette.
· “Personal Data” means any data pertaining to a natural person which enables the identification of such person, whether directly or indirectly.
· “Data Controller” means any person or an entity which has the power to make decisions regarding collection, use, and disclosure of Personal Data.
· “Data Processor” means a person or an entity that conducts any collection, use and disclosure of Personal Data on behalf of, or under the instruction of, the Data Controller.
· “Person” means natural person. Note that this means that juristic entities are not subject to the protection under the PDPA.
· Unless permitted by law, the collection, usage or disclosure of personal data without the consent from the data subject is prohibited;
· A data controller must inform the data subject on the purpose for which the respective personal data is collected and obtain the data subject’s consent. Collected personal data can be used or disclosed for the approved purposes only;
· If a data controller intends to use or disclose personal data beyond the purpose for which consent has been obtained, he will need to inform the data subject and obtain additional consent;
· The collection of sensitive data (e.g. data related to sexual conduct, criminal history, health, national origin, race, political opinions or religious beliefs) is only permitted within the strict limitations of the law;
· Except where the data subject expressly consented otherwise, any processing of personal data for marketing purposes is not permitted;
· Measures must be implemented to ensure that collected personal data is protected against loss, alteration and modification;
· A Personal Data Protection Committee would be established and hear any claim lodged by a data subject concerning the abuse of personal data; and
· Violations would be punishable under criminal law and permit the data subject to claim for damages.
The PDPA shall not apply to personal or household activities. In terms of territory, the PDPA will apply to:
· Any Data Controller or Data Processor residing in Thailand, regardless of whether or not the acquisition, usage or disclosure of the data is carried out in Thailand;
· In the case that the Data Controller or the Data Processor resides outside of Thailand, if the subject of the aforesaid activities is data belonging to a person residing in Thailand, the PDPA shall apply only when:
o goods or services are being offered to such persons, regardless of whether any payment is involved; and
o behavior surveillance activities of such persons take place within Thailand.
If there is a sector-specific law for my organization: according to Section 3 of the PDPA, where a sector-specific law on Personal Data protection governs an activity or an organization, that sector-specific law shall prevail; however:
· The provisions in the PDPA regarding collection, use or disclosure of Personal Data, including the liabilities thereof, shall apply along with and in addition to such sector-specific law, whether or not the two overlap.
· The provisions in the PDPA regarding filing claims and vesting of rights in officials, including the relevant liabilities thereof, shall be applicable insofar as:
o The sector-specific law lacks provisions regarding filing claims; or
o The sector-specific law contains provisions that vest in the relevant authority the right to issue orders that protect the rights of the data owner, but not as extensively as the rights of the official under the PDPA.
· Processed lawfully, fairly and transparently, on the basis of the legal grounds set out in the GDPR;
· Collected for limited purposes and not further processed beyond those purposes;
· Limited to what is necessary for the processing purposes;
· Accurate and kept up-to-date;
· Kept in a form that permits identification of data subjects for no longer than necessary; and
· Processed in a manner that ensures appropriate security of the personal data.
· Consent: clear consent by the individual to process personal data for a defined purpose;
· Contract: processing is necessary to give effect to a contract with an individual;
· Legal obligation: processing is required to comply with the law;
· Vital interests: processing is required to save the life of an individual;
· Public task: processing is required to carry out a public or official duty and this is clearly set out in law; and
· Legitimate interests: processing is required for the legitimate interests of the data controller or third party.
1) Rights of data owners:
The Act states that data owners bear the right to request access to personal data pertaining to them except in cases where, among others, the request is incongruent with provisions of other applicable laws or court orders. Data owners are likewise entitled to request that their personal data be destroyed, temporarily suspended, or anonymized.
2) Responsibilities of data administrators:
The draft Act highlights several obligations of data administrators, including the collection of data within lawful means or purposes. Administrators are required to inform data owners of the details regarding the collection of their personal data and obtain their consent to do so. Moreover, the Act specifies that administrators must implement appropriate security measures to prevent loss or unauthorized alterations to the data and give data owners access to their information upon request.
3) Extraterritorial reach:
Personal data administrators based overseas may be subject to the Data Protection Act if goods and services are offered to data owners residing in Thailand. These administrators will also be required to assign a local representative in the Kingdom and must comply with the conditions set forth in the Act.
The draft states that requests for consent must be clear and conducted in a way that does not mislead data owners. It adds that requests must be made in writing or via digital means, outlining the purpose of the collection, what data is to be collected, and to whom the data will be disclosed. However, exemptions can be made under certain circumstances, notably for vital interests or if parties are bound by contractual obligations. The draft also stipulates that parental consent is required to collect data from minors below 10 years of age, and under certain circumstances, even those beyond that age.
5) Transfer of data to third countries:
The draft Act specifies that the transfer of personal data to third countries where data protection regulations are substantially deficient is not permitted except in the following scenarios:
· Where consent from the data owner, who has been made aware of the third country’s insufficient data protection laws, has been obtained;
· Where obligations to a contract to which the data owner is a party must be performed;
· Where the transfer of data to a third country is conducted for the benefit of a data owner who does not have the capacity to give consent;
· Where data is transferred to individuals or entities that are certified by the official mark declaring fully compliant personal data protection practices by the committee and/or transactions that fall under legal frameworks established by international agreements; and
· Where otherwise required by another law.
6) Data Protection:
Data administrators are required to implement procedures to keep personal data secure. According to the draft Act, the Committee may produce and circulate guidelines that data administrators can use as a basis for their data protection practices. The Committee may also grant data administrators the right to display an official mark indicating that the data administrator’s data protection practices have been certified as fully compliant by the Committee.
Both civil and criminal penalties can be imposed on the data controller for violation of the provisions of the Draft Act.
Please find attached the draft of the Personal Data Protection Act for your further information.