So far, 132 countries have implemented data protection and privacy laws. With more and more social and economic activity happening online, these laws set rules for how personal data may be collected, used and protected. There are many data protection laws globally, but the best known is the GDPR (General Data Protection Regulation) of the European Union. Modelled closely on the GDPR, Thailand has launched its own PDPA (Personal Data Protection Act), published in the Royal Gazette on 27th May 2019.
Like the GDPR, the PDPA aims to protect Thai data subjects from the unlawful collection, use and disclosure of their personal information. The PDPA's main provisions were scheduled to take full effect in 2021, but enforcement has been postponed to 1st June 2022 because of the global pandemic. Since the PDPA brings substantial changes to the current data protection regime, the extension gives stakeholders additional time to prepare for its implementation.
Steps to take for PDPA compliance
The PDPA applies not only to businesses established in Thailand but also to businesses headquartered abroad, provided they offer products or services to data subjects in Thailand or monitor the behaviour of individuals in Thailand. The law applies whether or not any payment is involved in those activities.
Businesses must assess their data processing practices and take necessary steps to ensure that they comply with the PDPA. These steps include:
- Companies should start by mapping their data to understand how they collect, process, store and transmit it. They should also identify the legal basis for collecting and using the personal data of individuals in Thailand.
- All internal policies, agreements, and practices pertaining to personal data must be reviewed and updated accordingly.
- Data management processes and operating procedures must be implemented to ensure compliance.
- Companies must also review their existing privacy notices and create relevant legal documents to remain compliant.
- Provide proper training to your employees and personnel on the relevant requirements of the PDPA.
- Businesses should conduct a gap assessment analysis to determine their current level of compliance and make necessary changes.
- Companies should put processes in place that allow individuals to exercise their rights in relation to their personal data.
Employee data processing and the PDPA
Among the data subject rights under the PDPA is the "right to be informed." Employers must therefore notify employees, before or at the time of collection, of the personal data being collected, the purpose of collecting it, and how long the employer will retain it.
Employers may also collect sensitive personal data about their employees, such as health conditions, criminal records and biometrics. However, the PDPA requires the employee's explicit consent before such sensitive data is collected, unless one of the exemptions set out in the Act applies.
International data transfers under the PDPA
Under the PDPA, personal data may not be transferred outside Thailand unless the receiving country or organisation has adequate data protection standards, as prescribed by the Personal Data Protection Committee.
International data transfers may be exempted under the following conditions:
- If the data transfer is necessary for compliance with a legal obligation.
- If the data subject has given consent after being informed that the destination country's data protection standards are inadequate.
- The data transfer is necessary to perform a contract between the data controller and the data subject.
- The transfer is required to safeguard the vital interests of the data subject.
Since enforcement of the PDPA has been postponed to June 2022, companies still have time to prepare for compliance, and they should use it. Non-compliance with the PDPA can expose a company to administrative fines, civil liability and criminal penalties.