The Thailand Personal Data Protection Act (PDPA) is the latest piece of legislation which offers data protection regulations against the misuse of personal data that has been collected from individuals in Thailand. The PDPA was greatly influenced by the European Union’s General Data Protection Regulation (GDPR) which set a new standard for data protection regulations around the world.
Objectives of the PDPA
The PDPA imposes penalties for non-compliance with administrative fines (up to THB 5 million), criminal penalties (imprisonment up to one year and/or fines up to THB 1 million), and punitive damages up to twice the amount of the actual damages.
Could you or your business be subjected to the PDPA?
If the answer to any of the following questions is yes, then your business is subjected to the rules set out in the PDPA.
A business falls under the scope of the PDPA if it collects personal data and offers and promotes its services to individuals located within Thailand.
Note that according to the PDPA, the data collectors and processors do not need to be located within the kingdom of Thailand.
Exemptions under PDPA
The PDPA excludes 2 types of personal data namely, personal data of a deceased person, and business data such as contact details, and title or address of the business.
Like the GDPR, the PDPA has an extraterritorial reach which means that even without having offices in the kingdom, companies offering goods and services to Thai data subjects or monitoring any behavior that takes place within Thailand will need to comply with the PDPA and appoint a representative within the kingdom. The representative is responsible for all acts done by the data collector and processors which they represent.
Consent from the data owner
In conclusion, the PDPA offers protection against the misuse of collected personal data from individuals in Thailand. It has an extraterritorial reach due to the fact that of data collectors and processors are outside the kingdom of Thailand, they have to appoint representatives within the kingdom, and those appointed representatives will be wholly responsible for the acts committed by the data collectors and processors. It also states that the data collectors and processors must receive consent from the data subject for them to use their personal data in any way. However, there are certain exceptions of some operations that do not require consent in the collecting and processing of personal data which are stipulated in Article 4 of the PDPA and are mentioned above.
If you have any questions regarding the Thai Personal Data Protection Act, feel free to contact us at [email protected] or call us at +66 (0)2 117 9131-2.