So far, 132 countries in the world have implemented Data Protection and Privacy Laws. With more and more social and economic activities happening online, these laws ensure data security and privacy. There are many data protection laws globally, but the most well-known is the GDPR (General Data Protection Regulation) of the European Union. Modelled closely on the GDPR, Thailand has also launched the PDPA (Personal Data Protection Act), originally published on 27th May 2019.
Like the GDPR, the PDPA aims to protect Thai data owners from the illegal collection, use, and sharing of their personal information. The PDPA was supposed to be enforced on 27th May 2021. However, it has been postponed to 1st June 2022 due to the global Covid-19 pandemic. Since the PDPA will bring about substantial changes to the present data protection regulatory environment, the extension will allow stakeholders additional time to prepare for its implementation.
Steps to take for PDPA compliance
The data protection obligations under the PDPA generally apply to all organisations that collect, use or disclose personal data in Thailand or of Thai residents, regardless of whether they are formed or recognised under Thai law, and whether they are residents or have a business presence in Thailand. This extraterritorial scope of the PDPA represents a significant expansion of Thailand’s data protection obligations to cover all processing activities relating to Thailand-based data subjects. Businesses must assess their data processing practices and take necessary steps to ensure that they comply with the PDPA. These steps include:
- Companies should start mapping their data to understand how they collect, process and transmit the data. They should also identify the legal basis for collecting and using the personal data of Thai residents.
- All internal policies, agreements, and practices pertaining to personal data must be reviewed and updated accordingly.
- Data management processes and operating systems must be implemented to ensure compliance.
- Companies must also review their existing privacy notices and create relevant legal documents to remain compliant.
- Companies must provide proper training to their employees and personnel on the relevant requirements of the PDPA.
- Businesses should conduct a gap assessment analysis to determine their current level of compliance and make necessary changes.
- Companies should put the necessary processes in place that allow individuals to exercise their rights in relation to their personal data.
Employee data processing and the PDPA
Among the data subject rights of the PDPA is the “Right to be informed.” Therefore, employers must inform employees about the required details before or at the time of the collection of personal data. The employees must be informed of what information is collected, the purpose of collecting it, and how long the information will be retained by the employer. This is achieved by publishing both an external and an internal Privacy Notice.
Employers may also collect sensitive information about their employees, such as health conditions, criminal background checks, and biometrics. However, employers must obtain prior consent from their employees before collecting such sensitive information.
International data transfers under the PDPA
Under the PDPA, personal data may not be transferred outside of Thailand unless the country receiving the data has adopted data protection standards that match the PDPA.
International data transfers may be exempted under the following conditions:
- If the data transfer is necessary for compliance with a legal obligation.
- If the data owner has provided consent and has been informed of the destination country’s inadequate data protection standards.
- If the data transfer is necessary to perform a contract between the data controller and the data subject.
- If the transfer is required to safeguard the vital interests of the data subject.
With only just over one month to the enactment of the PDPA, organisations must now prepare for and achieve compliance. Businesses must take all measures to ensure that they comply with the PDPA. Non-compliance with the PDPA could make companies liable for both criminal and civil fines.