Data Protection in Thailand: A Summary of the PDPA
The Personal Data Protection Act 2019 (‘PDPA’) is the first consolidated legislation providing general data protection within Thailand and was originally expected to come into full effect on May 27, 2020. This date, however, was postponed until May 27, 2021 due to the COVID-19 pandemic. The PDPA is based on the GDPR and contains many similar provisions. Read this blog post to gain an understanding of the PDPA and its requirements for websites to remain compliant.
Who Does the PDPA Apply To?
The PDPA applies to the collection, use, or disclosure of personal data by organisations that are in Thailand regardless of whether the collection, use or disclosure of personal data takes place in Thailand or not.
In relation to extraterritorial scope, the PDPA also applies to data controllers and data processors located outside Thailand that collect, use or disclose the personal data of data subjects who are in Thailand, where those activities relate either to offering goods or services to data subjects in Thailand (regardless of whether payment is required) or to monitoring the behaviour of data subjects in Thailand.
If a business that is subject to the PDPA fails to comply, the expert committee may issue a fine of up to THB 5 million (approx. €149,000) for violations of Sections 26-28. Depending on the violation of Sections 26-28 that has occurred, the penalty may also include imprisonment for a term not exceeding one year.
What is Personal Information According to PDPA?
The PDPA defines ‘personal data’ as any information relating to a person which enables that person to be identified, whether directly or indirectly, excluding information about deceased persons. The PDPA also specifies that a ‘person’ means a ‘natural person.’
The PDPA does not define special categories of personal data. However, Section 26 requires that explicit consent be obtained for the collection of ‘personal data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner, as prescribed by the PDPC.’
Do I Need a Cookie Banner to Comply with PDPA?
How To Ensure Your Website is Compliant
Understand Trackers on Your Website
Understanding what trackers you use on your website is the first step toward compliance. Scan your website to gain an understanding of your website’s privacy health. Detect and categorize cookies and other tracking technologies on your website.
Capture and Store Consent
Obtaining consent for collection and processing of personal data must meet the following requirements:
- The consent must be given freely
- The user must be informed about the purpose of collection and processing of data
- The request must be clear, in plain language, non-deceptive, and non-misleading
Since implied consent is not valid, your cookie banner must require an affirmative action from the user before any non-essential trackers are set. Additionally, users should be able to withdraw the consent they have given easily.
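The consent requirements above can be modelled in a small browser-side consent manager. The following is an added example, not code from the original post or from any product it describes: it treats the absence of a stored decision as "no consent" (nothing is implied), records which purposes the user actively ticked and when, requires a separate explicit flag before a Section 26 sensitive-data purpose can be granted, supports withdrawal, and gates tracker loading on the recorded decision. The purpose names, tracker names, and the Map-backed storage are assumptions for illustration; in a real site the storage would typically be localStorage or a server-side record.

```javascript
// Added example (not from the original post): a minimal PDPA-style consent
// manager. Purpose names and the storage backend are assumptions.

const PURPOSES = {
  analytics: { description: "Measure how visitors use the site", sensitive: false },
  marketing: { description: "Show personalised advertising", sensitive: false },
  // Health data is a Section 26 category and needs explicit consent.
  health: { description: "Process health information you submit", sensitive: true },
};

class ConsentManager {
  // `storage` is anything with get/set (a Map here; localStorage in a browser).
  // `now` is injectable so the timestamps are testable.
  constructor(storage = new Map(), now = () => new Date()) {
    this.storage = storage;
    this.now = now;
  }

  // Returns the stored consent record, or null when the user has not decided.
  // A missing record is never treated as consent (no implied consent).
  getRecord() {
    return this.storage.get("pdpa_consent") || null;
  }

  // Records an affirmative choice. `granted` lists the purposes the user
  // actively ticked; every other purpose is recorded as refused. The record
  // keeps the purpose description the user was shown, so the basis of the
  // consent is auditable. Sensitive purposes are only accepted when the
  // caller confirms a separate explicit consent step was completed.
  grant(granted, { explicitSensitive = false } = {}) {
    const decisions = {};
    for (const [name, purpose] of Object.entries(PURPOSES)) {
      const ticked = granted.includes(name);
      if (ticked && purpose.sensitive && !explicitSensitive) {
        throw new Error(`purpose "${name}" requires explicit consent`);
      }
      decisions[name] = { granted: ticked, description: purpose.description };
    }
    const record = { decisions, givenAt: this.now().toISOString(), withdrawnAt: null };
    this.storage.set("pdpa_consent", record);
    return record;
  }

  // Withdraws consent for one purpose, or for all purposes when none is given.
  // The record is kept (with a withdrawal timestamp) rather than deleted, so
  // the withdrawal itself can be evidenced later.
  withdraw(purpose = null) {
    const record = this.getRecord();
    if (!record) return null;
    for (const name of Object.keys(record.decisions)) {
      if (purpose === null || purpose === name) {
        record.decisions[name].granted = false;
      }
    }
    record.withdrawnAt = this.now().toISOString();
    this.storage.set("pdpa_consent", record);
    return record;
  }

  // True only when a record exists and the purpose was actively granted.
  allows(purpose) {
    const record = this.getRecord();
    return Boolean(record && record.decisions[purpose] && record.decisions[purpose].granted);
  }
}

// Gate: returns the names of trackers whose purpose the user has consented to.
// Anything not listed here should not be loaded or set.
function loadTrackers(manager, trackers) {
  return trackers.filter((t) => manager.allows(t.purpose)).map((t) => t.name);
}

// Constructed sample tracker inventory (names are illustrative).
const SAMPLE_TRACKERS = [
  { name: "site-analytics.js", purpose: "analytics" },
  { name: "ad-pixel.js", purpose: "marketing" },
];

// Stand-alone walkthrough.
const demo = new ConsentManager();
console.log("before choice:", loadTrackers(demo, SAMPLE_TRACKERS)); // []
demo.grant(["analytics"]);
console.log("after opt-in:", loadTrackers(demo, SAMPLE_TRACKERS)); // ["site-analytics.js"]
demo.withdraw();
console.log("after withdrawal:", loadTrackers(demo, SAMPLE_TRACKERS)); // []
```

The important design choice is that `allows()` only ever returns true for a purpose the user explicitly ticked: a fresh visitor, a dismissed banner, or a pre-ticked box all yield no record and therefore no trackers.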
Provide the Ability to Practice Data Subject Rights
Website owners must make it easy for visitors to contact them to exercise their PDPA data subject rights (the right to access, to obtain a copy, to correction, to object, to portability, and to erasure). Provide a request intake form so that these requests are captured in line with the regulation-specific requirements.