As May 2020 approaches, many companies in Thailand are focusing their attention on the impending adoption of the Thailand’s new data protection legislation, the Thai Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). This act will significantly impact businesses handling personal data and impose quite substantial penalties on organizations that mishandle or even “accidently” fail to protect personal information they possess or process. Not surprisingly, organizations in Thailand are reacting to this new data protection environment with varying degrees of responsiveness. Some are approaching the issue with a cool as ice attitude, feeling they have already addressed the issue by having put in place compliance measures long ago. Others are panicking and sending mass emails to attorneys and other service providers expressing an urgency in their need to initiating the compliance development and implementation process. Others (or the same!) are quantifying the risks associated with non-compliance. Finally, some are maybe not yet aware of these new obligations.
This article is aimed at helping Thai organizations build a better understanding the impact of the PDPA on your business practices.
We will also discuss practices that can be implemented today within your organization to kick-start your PDPA compliance formulation and implementation process.
The PDPA at a Quick Glance
The PDPA was published last year on 27 May 2019 in the Royal Gazette and shall soon take effect, on 27 May 2020. It is the first comprehensive privacy legislation in Thailand. Up until 2019, Thailand did not have a consolidated law governing personal data protection. Prior to enactment of the PDPA, data protection measures were only sector specific and focused mainly on personal information collected in the context of healthcare or banking services. It is a significant step for the Kingdom in bringing data protection in line with international best practicesby incorporating some of the principles and concepts as set out in the European Union General Data Protection Regulation, commonly known as the “GDPR”.
The one year grace period between adoption and commencement of enforcement was meant to allow businesses some time to familiarize themselves with PDPA requirements and provide for a period of implementation of appropriate data protection measures and procedures before the effective deadline for enforcement.
The scope of the PDPA is broad and covers collection, use, and disclosure of personal data, (i.e. private data pertaining to individuals). This includes the processing of data from clients, suppliers, third-party service providers or employees and requires that any such handling or use of data be conducted in strict compliance with the PDPA provisions. Companies found to be in non-compliance with the PDPA may be subject to both criminal and civil liability in the form of imprisonment and/or fines, with each specific offense under the PDPA potentially giving rise to penalties of up to THB 5 million and in some cases court imposed punitive damages that could double the amount of fines payable.
Other consequences may include reputational damage and loss of consumer trust which could prove quite detrimental to a business given the current global environment in which people have heightened concerns around data privacy. Instead, an organization’s compliance with PDPA standards will demonstrate a company’s desire to protect customers’ interests and privacy, which could result in greater consumer trust and coincidentally lead to new business opportunities.
That’s All Well and Good but is my Organization Subject to the PDPA?
Before panicking and thinking that the harsh penalties associated with PDPA non-compliance are imminent for you, your directors, and your organizations, there are 3 key questions your organization must ask before launching its compliance efforts.
- Do our personal data handling activities fall within the scope of the PDPA?
If your business is based in Thailand and you process personal data, the PDPA will apply to your data processing activities regardless of whether such activities take place inside or outside Thailand.
The PDPA not only applies to businesses collecting personal data directly from individuals, say for example a retail company’s collection of customer data acting as a so called ‘data controller’ but also applies to companies that process personal data on behalf of a data controller, say for example by an online data storage business acting as a so-called ‘data processor’.
Finally, regardless of whether your company has a presence in Thailand, it may still fall under the jurisdiction of the PDPA if it is in any way involved in the processing of personal data of individuals physically located within the Kingdom.
- Do we offer goods and/or services to individuals physically located in the Kingdom of Thailand?
- If your business is based outside Thailand but you process personal data of individuals physically located in Thailand with a view to offering goods or services to these individuals, e.g. through a website, your activities are subject to the relevant provisions of the PDPA.
- Do we monitor the behavior of individuals physically located in the Kingdom of Thailand?
- If your business is located outside Thailand but you conduct behavioral surveillance activities of individuals located in Thailand by using cookies and other tracking methods via your company’s website or app, you will also fall within the purview of the PDPA.
- If your business is located in Thailand and you are operating cameras within your office space to monitor the behavior of individuals then you also fall within the scope of the PDPA.
Kick-Starting Compliance – Some Key Principles to Keep in Mind
Because the PDPA was mainly based on and has adopted various concepts taken from the EU’s GDPR and other major data protection laws around the world, many companies that have an already existing set of data protection policies and procedures in place may not need to undertake too many changes in order to bring themselves into compliance with the Thai PDPA.
In summary, businesses must:
- have a valid legal basis for processing personal data such as having obtained prior consent of the individuals whose personal data is being processed;
- in the form of a privacy notice provide a sufficient description of the information being collected and why to the individuals from whom the data is being collected ;
- implement appropriate security measures to prevent the loss of, unauthorized access to, or alteration or disclosure of data in accordance with the minimum standards set out by the Personal Data Protection Committee;
- adequately uphold the rights of individuals to control over their own data by implementing appropriate technical and organizational measures to ensure the ability to satisfy any request from any individual regarding such data without undue delay; and
- keep written or electronic records of data processing activities in order to demonstrate compliance with PDPA requirements.
DFDL and PDPA Compliance Catered to YOUR Organization
While the tips above will help organizations to better understand and realize their compliance obligations, some organizations may require a greater level of assistance from attorneys and services providers.
How can DFDL help you in adopting an appropriate level of compliance? DFDL is able to provide organizations in Thailand with compliance assistance and products catered to your specific needs. Please feel free to contact any of the authors of this publication to see how we can assist in kick-starting or further developing your compliance efforts.
Authors & Contacts
Regional Senior Legal Adviser
Deputy Head of Regional Banking and Finance
Thailand Tax Director
Head of Regional Compliance & Investigations