Data Protection in Thailand
Companies and organizations that collect, use, disclose and/or transfer Personal Data need to prepare for implementation and comply with the PDPA to avoid the penalties that can be imposed on the company for non-compliance. Non-compliance is punishable with administrative fines (up to THB 5 million), criminal penalties (imprisonment of up to one year and/or fines of up to THB 1 million), and punitive damages of up to twice the amount of the actual damages. Furthermore, civil damages under the PDPA can be multiplied, as the PDPA allows data subjects to bring a class action lawsuit. The director of a company could also be subject to penalties under the PDPA.
What is PDPA?
The Thailand PDPA is the new Personal Data Protection Act B.E.2652 of the Kingdom of Thailand. It was passed in 2019 and affects businesses starting from 27 May 2020 (postponed to 2021).
PDPA is the most comprehensive Thai data privacy law to date. It expands on the rights of users whose data you collect, which means expanding on your obligations as well.
The PDPA governs any Personal Data of an individual person that could identify that person directly or indirectly.
What is Personal Data?
- Personal details, such as title, full name, gender, age, occupation, qualifications, job title, position, business type, nationality, country of residence, date of birth, marital status, number of family members and children, ages of children, information on government-issued cards (e.g., national identification number, social security number, passport number, tax identification number, driver's license details or similar identifiers), immigration details such as arrival and departure date, signature, voice, voice record, photograph, facial features for recognition, CCTV records, work place, education, insurance details, license plate details, house registration, household income, salary and personal income;
- Contact details, such as postal address, delivery details, billing address, telephone number, fax number, email address, LINE ID, Facebook account, Facebook ID, Google ID, Twitter ID, and other IDs from social networking sites, including your contact person's details such as telephone number and contact data on other correspondence;
- Financial details, such as debit/credit card or bank information, credit/debit card number, credit card type, cycle cut, bank account details, payment details and records;
- Technical details, such as Internet Protocol (IP) address, cookies, media access control (MAC) address, web beacon, log, device ID, device model and type, network, connection details, access details, single sign-on (SSO), login log, access time and location, time spent on our page, login data, search history, browsing details, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on devices you use to access our platform;
- Behaviour details, such as information about your purchasing behavior and data supplied through the use of our products and services;
- Sensitive Data, such as race, religion, political opinions, fingerprints, facial recognition, physical or mental health or condition, genetic data, medical history, disability, and criminal records.
We advise your company to immediately assess its internal Personal Data governance and start taking action for compliance. This will likely require engagement from all departments within your company.
The Thailand PDPA applies to:
- Thai businesses that collect or process Personal Data in Thailand from users from anywhere in the world
- Any business from anywhere in the world that collects or processes Personal Data of Thai citizens for the purposes of:
  - the offering of goods or services to data subjects in the territory of Thailand, irrespective of whether payment is made by them or not
  - the monitoring of the data subject’s behaviour, where the behaviour takes place in Thailand.
What to do next?
There are several steps to be taken, such as:
- conduct data mapping
- determine the legal basis and applicable obligations
- create a privacy policy, privacy notice and relevant legal documents
- implement a data management process and operating system
- conduct internal training to maintain compliance with the PDPA
Remark:
The right approach for your company should be customized to fit the size and the business operation of each company.
Legal bases and consent
- What category of Personal Data?
  - General Personal Data
  - Sensitive Personal Data
- Consider whether any use of Personal Data requires consent:

| Other legal bases | Key purposes which require consent |
|---|---|
| 1. Contractual basis | 1. Marketing / Data analytics |
| 2. Legitimate interests | 2. Sensitive Data / Minor |
| 3. Legal obligations | 3. Disclosure (not for providing services) |
| 4. Others | 4. International transfer |
- If consent is required, obtain consent before collection/use.
- Check the method used for the consent request.
- Flag data obtained via consent.
Privacy Policy
- Consider what type of data subject is involved (e.g. customers, employees, business partners)
- Select the applicable privacy policy
- Send/forward to the relevant channels
- Seek acknowledgement, if possible
- Any change/new use of Personal Data >> consult Legal Advisor
Legal Documents to be prepared:

Company
- Binding Corporate Rules (if applicable)
- Template Data Retention Policy and Data Retention Schedule
- Data Security Breach Reporting and Privacy Incident Response Procedure
- Preparation of Data Subject Rights Policy/Procedure
- Template Company Privacy Notice
- Template Customer Consent Form
- Template Parental Consent Form for child customers

HR
- Template Employee Privacy Notice
- Template Employee Consent Form
- Template Parental Consent Form for minor employees
- Review and revise standard employment agreement for compliance with the PDPA
- Review and revise standard work rules for compliance with the PDPA

Business Partner
- Template data protection clause for controller to processor / Template Data Processing Agreement
- Notice letter (in case the data processing agreement cannot be executed within 2021)
- Template data protection clause for controller to controller / Template Data Transfer Agreement
- Notice letter (in case the data transfer agreement cannot be executed within 2021)
Existing Business Partners – Flow of documents execution

Step 1: Consider whether the Business Partner is a controller or a processor
- Use the criteria and checklist below to help determine controller and processor.

Step 2: Vendor due diligence checklist (data processor only)
- If identified as a data processor: cross-check the vendor’s qualifications in terms of data protection.

Step 3: Send Amendment to existing agreement (both, depending on the role)
- If identified as a data controller: send the template data protection clause for controller to controller / Template Data Transfer Agreement.
- If identified as a data processor: send the template data protection clause for controller to processor / Template Data Processing Agreement.

Step 4: Send Privacy Policy to Supplier (both controller and processor)
- This notifies the directors, contact persons, employees, etc. of business partners of how their Personal Data will be collected, used, disclosed and transferred, as well as their rights.

Step 5: Send Notice Letter (both, depending on the role)
- If identified as a data controller: send the notice letter for data controllers.
- If identified as a data processor: send the notice letter for data processors, in case the Amendment to the existing agreement cannot be executed within 2021.
New Business Partners – Flow of documents execution

Step 1: Consider whether the Business Partner is a controller or a processor
- Use the criteria and checklist below to help determine controller and processor.

Step 2: Send Vendor due diligence checklist (data processor only)
- If identified as a data processor: cross-check the vendor’s qualifications in terms of data protection by sending the vendor due diligence checklist.

Step 3: Send Amendment to existing agreement (both, depending on the role)
- If identified as a data controller: send the template data protection clause for controller to controller / Template Data Transfer Agreement.
- If identified as a data processor: send the template data protection clause for controller to processor / Template Data Processing Agreement.

Step 4: Send Privacy Policy to Supplier (both, depending on the role)
- This notifies the directors, contact persons, employees, etc. of business partners of how their Personal Data will be collected, used, disclosed and transferred, as well as their rights.
Sample channels and methods

Form: Privacy Notice to Supplier

Sample Channels
- Online: (none listed)
- Offline:
  - Agreement
  - P.O.
  - Registration form
  - Access request form
  - Update information request form

Sample Method of Notification
- Send back by email (containing a link to the Privacy Notice on the website)
- Display as part of the default email signature
- Attach to agreements/forms
- Add clauses to agreements/forms mentioning the link to the Privacy Notice on the website