What is Thai PDPA Compliance?
Thai PDPA compliance means data controllers and data processors that are covered by the scope of the PDPA take the necessary steps to meet the data protection obligations defined by the law.
The Thai PDPA outlines several requirements for data controllers, including that personal data is accurate, up-to-date, complete, and not misleading. It defines further requirements for processing certain types of personal information and upholding data subject rights. The Thai PDPA also has extra-territorial reach, meaning that organizations based outside of Thailand who offer goods or services or monitor the behavior of individuals in Thailand will fall under the scope of the law.
Overview of the Thai PDPA
The Thai Personal Data Protection Act 2019 (‘PDPA’) is the first consolidated data protection law in Thailand. The Thai PDPA was originally set to enter into effect on May 31, 2020. However, this was initially postponed until May 31, 2021, due to the COVID-19 (‘Coronavirus’) pandemic and later postponed for a second time until May 31, 2022.
The PDPA contains several similar provisions to those found under the GDPR. These include similar legal bases for processing personal data as well as requirements for data controllers and data processors. There are however several key differences between the PDPA and the GDPR which include lower monetary penalties and the inclusion of criminal penalties of up to one-year imprisonment. The Thai PDPA also provides for the establishment of the Personal Data Protection Committee (‘PDPC’) to, among other things, draft and issue sub-regulations on data protection.
Thai PDPA: Key Terminology
A data controller is a person or legal entity that has the power to make decisions regarding the collection, use, or disclosure of personal data.
A Data Processor is a person or legal person who operates in relation to the orders given by or on behalf of a data controller regarding the collection, use, or disclosure of personal data.
Personal data is defined as any information relating to a natural person, which enables the identification of the individual, whether directly or indirectly. Information of deceased individuals is not included under the definition of personal data.
There is no explicit mention of sensitive data under the Thai PDPA. However, it does provide that the collection of data relating to any of the following types of data requires the consent of the data subject:
- Racial or ethnic origin
- Political opinions
- Cult, religious or philosophical beliefs
- Sexual behavior
- Criminal records
- Health data
- Trade union information
- Genetic data
- Biometric data
It is also important to note that the Thai PDPA does not explicitly define health data, biometric data, or pseudonymization.
Does the Thai PDPA Apply to Your Organization?
The Thai PDPA applies to a person or legal person that collects, uses, or discloses the personal data of a natural, living person with exceptions such as when the activity is performed as part of a household activity.
The Thai PDPA applies to processing activities conducted by a data controller or data processor that is based in Thailand.
Regarding the extra-territorial scope of the PDPA, the law applies to organizations outside of Thailand when their processing activities relate to offering goods or services to individuals in Thailand or when monitoring the behavior of individuals where the behavior has taken place in Thailand.
Data that falls under the material scope of the PDPA include general personal data such as name, date of birth, email address, etc. Furthermore, specific requirements and exemptions apply to the processing of certain types of personal data, such as racial, sexual, and health data. See above for further examples.
PDPA Data Subject Rights
The Thai PDPA outlines several rights to data subjects that closely resemble those found under the GDPR. Furthermore, the Thai PDPA requires organizations to inform data subjects of these rights prior to or at the time of the collection of personal data.
The Thai PDPA data subject rights include:
Right to be informed
The data controller must inform the data subject of details of the processing activity such as the purpose of the collection, data retention periods, as well as data subject rights.
Right to access
The data subject has the right to access or request a copy of their personal data collected, used, and disclosed by the data controller.
Right to rectification
The data subject has the right to correct incomplete, inaccurate, misleading, or out-of-date personal data held by the data controller.
Right to erasure
The data subject has the right to request that the data controller delete or de-identify their personal data. There are exceptions to this right whereby data controllers are required to retain the data to comply with a legal obligation or to establish, exercise, or defend legal claims.
Right to object/opt-out
The data subject has the right to object to the collection, use, and disclosure of their personal data in certain circumstances such as for direct marketing purposes.
Right to data portability
The data subject has the right to obtain the personal data that the data controller holds about them in a structured electronic format and to send or transfer such data to another data controller.
Right not to be subject to automated decision making
The Thai PDPA does not explicitly provide for the right not to be subject to automated decision-making. However, the subject has the right to restrict the use of their personal data in certain circumstances.
8 Steps to Thai PDPA Compliance
Appoint and empower a Data Protection Officer (‘DPO’)
Section 41 of the PDPA requires organizations to appoint a DPO in certain circumstances whose responsibilities include informing and advising the organization of their obligations, monitoring the performance of the data controller and data processors, and acting as a point of contact. An organization can empower its DPO with automated data mapping tools to give a clear view of data flows and to assist with the fulfillment of data subject rights.
How OneTrust helps: OneTrust Data Mapping Automation can help your organization create and maintain data inventories by integrating with existing systems and data discovery tools. Data Mapping Automation also allows organizations to visualize the flow of data across your organization and generate compliance reports.
Implement Data Subject Rights Request (DSAR) processes
The PDPA provides data subjects with specific rights relating to the collection and use of their personal data. Implementing an automated DSAR process can help streamline the intake and fulfill DSARs and can help manage, track, and report on the requests your organization receives.
How OneTrust helps: OneTrust Privacy Rights Management (DSAR) automates every step of the DSAR process from intake to fulfillment including data discovery and data redaction of sensitive information that shouldn’t be shared with the requestor.
Monitor and measure personal data risks
Developing internal processes to monitor potential risk to personal data is critical for organizations looking to comply with the PDPA and for avoiding the monetary penalties ranging up to THB 5 million (approx. €129,000). By monitoring potential risks across the data ecosystem organizations can identify gaps in compliance efforts, reduce the risk of data breaches, and assist in the fulfillment of data subject rights.
How OneTrust helps: OneTrust GRC helps organizations manage and respond to risk by helping to identify, mitigate, and monitor internal and external risks. OneTrust GRC assists in developing policies and performing audits to ensure your program evolves with your business needs and obligations.
Optimize data collection and survey risk across your business
Section 39 of the PDPA requires businesses to maintain records of data collected and specify the purpose for its use. Implementing PDPA-specific Privacy Impact Assessments (PIAs) helps organizations to comply with the data minimization and purpose limitation principles specified in the PDPA and helps to understand risk across processing activities.
Document and respond to breach incidents
Under the PDPA, controllers and processors are required to document any data breach activity and notify the Personal Data Protection Committee (PDPC) within 72 hours of realization, as well as impacted data subjects without undue delay when the breach is likely to result in a high risk to the rights and freedoms of the affected individuals.
How OneTrust helps: OneTrust Incident Management analyzes incidents via a built-in PDPA notification assessment template. Organizations can respond and implement a remediation plan with customizable workflows to streamline response and notification.
Control third-party access to personal data
Section 37 of the PDPA outlines that data controllers are responsible for securing the access and use of personal data. Understanding the extent of the information that has been made available can help identify instances of risk, maintain PDPA compliance, and fulfill data subject requests.
How OneTrust helps: OneTrust Vendor Risk Management helps document vendors and data flows between organizations. OneTrust can assist organizations to measure PDPA compliance and implement controls across third-party suppliers, service providers, and vendors.
Endorse and distribute a data protection management program
Organizations are required to define and document their data protection policies. These policies should be made accessible to employees throughout your organization to guide operations while maintaining PDPA compliance. Documentation should affirm how your company operates to uphold the nine data subject rights outlined in the PDPA for both internal and external stakeholders.
How OneTrust helps: OneTrust Policy & Notice Management helps organizations in defining and documenting a business data management policy. The OneTrust Policy & Notice management tool supports full version control and archiving, allowing users to display the most current plan for reference to both potential data subjects, as well as your entire organization.
Stay up to date with the latest developments and regulatory changes to the Thai PDPA
The PDPC is authorized to issue guidance in relation to the provisions of the PDPA. Therefore, staying up to date with the latest developments and regulatory changes issued by the PDPC is crucial to remain compliant with the PDPA.
How OneTrust helps: OneTrust DataGuidance offers the most comprehensive and up-to-date regulatory research platform. Leveraging an in-house team of 40+ privacy analysts as well as a contributor network of 800+ privacy professionals, OneTrust DataGuidance helps organizations to stay informed with the latest regulatory developments.
Further Thai PDPA Compliance reading:
- OneTrust Solutions: Thailand’s Personal Data Protection Act (PDPA)
- OneTrust Blog: Are You Ready For The Thai PDPA Compliance Deadline?
- OneTrust Blog: Thai PDPA Data Subject Rights: What You Should Know
- OneTrust Video: Thai PDPA Compliance: How OneTrust Helps
- OneTrust DataGuidance Portal: Thai PDPA
- OneTrust DataGuidance Blog: The Ultimate Guide to APAC’s PDPA Regulations