The first Thailand Personal Data Protection Act B.E. 2562 (2019) (the "PDPA") was finally introduced on 27 May 2019 and became effective on 28 May 2019. The PDPA contains provisions of personal data protection, use and disclosure of personal data, complaint, etc.
Under the PDPA, "Personal Data" broadly covers information of a natural person that is able to directly or indirectly identify such person, but excluding information of a deceased. The PDPA also defines "Personal Data Controller" and "Personal Data Processor", who shall have the responsibilities and liabilities under the PDPA in handling "Personal Data".
"Personal Data Controller" includes a natural or juristic person having the authority to make decisions on collection, usage and disclosure of Personal Data, and "Personal Data Processor" means a natural or juristic person who carries out the collection, usage and disclosure of Personal Data in accordance with the instruction of or on behalf of "Personal Data Controller", provided "Personal Data Processor" and "Personal Data Controller" must be separate person.
Extraterritorial Application
Personal data controller and personal data processor locating outside Thailand are also subject to the PDPA, if the collection, usage and disclosure of Personal Data of the owner of such Personal Data in Thailand are carried out for the following activities: (i) offer of product or service to owner of the Personal Data in Thailand whether there is payment by such owner or not; and (ii) monitoring of behaviours of the owner of the Personal Data occurring in Thailand.
Consent of Personal Data Owner
The personal data controller must obtain express consent (whether in writing or through electronic system) from the personal data owner prior to or at the time of collecting, using or disclosing of the personal data. Purposes of collecting, using or disclosing of the personal data must be clearly stated and separated from other contents in the request for consent.
Basically, personal data owner can revoke his/her consent at any time. However, a revocation shall not affect the previous collection, usage or disclosure, which has been legally consented by the owner of such personal data.
Personal data controller must collect, use or disclose the personal data only in accordance with the purpose notified to the owner before or at the time of such collection, usage or disclosure.
Collection of Personal Data
Except for certain limited circumstances, personal data shall be collected directly from the owner.
The PDPA also prescribes the duties of the personal data controller to inform the personal data owner of certain things before or at the time of collection such as purpose of the collection, the type of person or government authority to which the personal data may be disclosed, the contact information of personal data controller.
The PDPA also set forth certain circumstances to which the collection of personal data may be conducted without consent of the owner such as for purpose of protecting and restraining danger to life, body and health of a natural person or as necessary to comply with the contract to which the personal data owner is a party.
Transfer of Personal Data
Subject to limited exceptions, personal data could be transferred to a recipient outside Thailand only if such recipient country or international organization, as the case may be, has sufficient measure for personal data protection as per the regulations to be stipulated by the Personal Data Protection Committee.
Rights of Data Owners
The data owner has the right to request for access and obtain copy of his/her personal data from the personal data controller or seek disclosure of the source of information where the personal data is obtained without the data owner's consent.
Penalties
The PDPA imposes both civil and criminal penalties for non-compliance where the fines could be up to Baht 5,000,000 and the imprisonment could be up to one year. The PDPA also provides the court with the authority to order the personal data controller or personal data processor to pay the punitive damages in addition to the actual damages determined by the court of up to twice of such actual damages.
Conclusion
The PDPA provides a period of one year for all persons and entities which are considered as personal data controller or personal data processor to prepare and start taking necessary actions for compliance. The regulations and notifications to be issued under the PDPA shall be introduced within one year from the effective date of the PDPA.
