What is the Personal Data Protection Act?
The Personal Data Protection Act (PDPA) is a law enacted to protect the rights of individuals residing in Thailand, regardless of their nationality, as owners of personal data. It imposes duties and responsibilities on individuals and organizations in collecting, using, and disclosing personal data of data owners, as specified by law.
However, collecting, using, and disclosing personal data for personal or family purposes does not require compliance with this law, provided that it does not cause damage to the data owner. Although there may be no liability under this law, there may be liability under other laws.
What is "Personal Data"?
"Personal data" means any data, including sensitive data, that can identify the data owner, whether directly or indirectly. Examples include name, surname, address, photo, phone number, ID card, race, health information, criminal history, and sexual behavior.
“Related Party” Under the Personal Data Protection Act
1. Data Subject: A natural person who owns personal data and has rights under this law, including all citizens, such as company employees and individual customers. This does not include juristic persons or deceased persons.
2. Data Controller: A person or juristic person who is involved in the collection, use, and disclosure of personal data and has duties as specified by this law, such as organizations, agencies, and institutions.
3. Data Processor: A person or juristic person who is involved in handling personal data in accordance with the instructions received from the data controller, such as agencies or organizations that are contracted by the data controller to handle personal data.
4. Data Protection Officer (DPO): A person assigned to oversee data protection for the data controller by providing advice and auditing data protection for the agency or organization.
Consent
The law requires the Data Controller who intends to collect, use, and disclose personal data to be responsible for obtaining consent from the Data Subject before doing so. This should consider the purpose and necessity of collecting, using, and disclosing personal data, as well as the freedom of the Data Subject to consent.
The requested consent must specify the information as required by law, such as the purpose of collection, the types of personal data collected, the period of collection, information about the data controller, contact information for the data controller, and the rights of the Data Subject.
In the case of minors (under 20 years old), a guardian (such as a father or mother) must also consent. However, in some cases, minors can consent themselves, such as when entering into a contract which benefits them unconditionally.
In certain other cases, personal data may be collected, used, and disclosed without consent from the Data Subject. This must be done out of necessity, such as to prevent or mitigate harm to the life, body, or health of another person, to perform contractual obligations, for the public interest, or to comply with the law.
Rights of the Data Subject
1. Right to be informed
2. Right to withdraw consent
3. Right to access personal data
4. Right to correct inaccurate personal data
5. Right to erase personal data
6. Right to disallow processing of personal data
7. Right to data portability
8. Right to object to processing of personal data
Penalties for Violating the Personal Data Protection Act
There are three types of penalties for violating the Personal Data Protection Act:
1. Civil liability: Pay damages of 2 times the actual damage
2. Criminal liability: A fine of up to 1 million baht and imprisonment of not more than 1 year
3. Administrative liability: A fine of up to 5 million baht
Filing a Complaint
In case of a violation of the Personal Data Protection Act, the data owner can file a complaint with the Personal Data Protection Committee, which will consider the complaint and take further action according to the Committee's policy.
LAS / Legal Advance Solution
Nanthanat Saengthong