I. INTRODUCTION
Thailand’s principal piece of legislation governing personal data protection is the Personal Data Protection Act B.E. 2555 (2012) (“PDPA”). The PDPA empowers the Personal Data Protection Committee (PDPC), the key regulator, to enact sub-regulations, including announcements and ministerial regulations, that provide guidelines, requirements and additional details, with the aim of bringing Thailand’s standard of personal data protection in line with its European model, the GDPR. With a few adjustments, the PDPA was designed to accommodate the Thai environment and to support the country’s transition into the digital era. The two main types of personal data protected under Thai law are:
- General Personal Data (as defined in Section 6 of the PDPA), such as names, contact details and similar information, which requires standard protection measures.
- Sensitive Personal Data (as implied in Section 26 of the PDPA), such as health data and religious beliefs, which demands stricter safeguards and explicit legal justification for collection and use.
II. REGULATORY UPDATES
The new announcement in 2022, the Announcement Regarding the Criteria for Consideration of Issuing Orders and Administrative Fines ordered by the Expert Committee B.E. 2565 (2022), was enacted by the PDPC to extend the scope of assessing penalties imposed on data controllers, data processors and other individuals who violate the PDPA. The key criteria for assessing the extent of the penalty include:
- Intent, negligence, or carelessness in preventing data protection failures
- Severity of the offense and scale of operations of the data processor and data controller
- Financial impact on the offenders, and the benefits the data subjects whose rights have been violated receive as a result of the penalty
- Past offenses and efforts to mitigate the adverse impact on the data subjects after the breach has occurred.
III. RESPONSIBILITIES OF DATA CONTROLLER AND DATA PROCESSOR
A data controller is defined as a natural or juristic person with the authority to make decisions regarding the collection, use or disclosure of personal data. A data processor is defined as a natural or juristic person that processes personal data based on the instructions given by the Data Controller. The relationship between the two is established by a contractual agreement, whether a direct employment contract or an outsourced service agreement.
The main duties owed by the Data Controller are as follows:
- Manage personal data responsibly
- Collect data on a lawful basis; criminal records in particular may be collected only in limited permissible circumstances, and additional obligations are imposed on a Data Controller that collects criminal records of data subjects.
- Ensure that third parties receiving the personal data process it responsibly and lawfully, and take action to prevent unauthorized access or use
- Report data breaches to the authorities within 72 hours of becoming aware of the breach
- Additionally, notify affected individuals if the breach poses a high risk
- Appointment of a Data Protection Officer (DPO) in accordance with the rules and guidelines of the PDPA
- Maintain Records of Processing Activities (ROPA) ready for inspection by the PDPC (subject to certain exemptions)
- For international data transfers, the Data Controller must ensure that the destination countries meet data protection standards equivalent to the Thai PDPA. Alternatively, Binding Corporate Rules (BCRs) can be used for intra-group transfers of personal data. The basic requirements must also be met, e.g. a lawful basis for collecting personal data, risk assessments and documentation.
The main duties owed by the Data Processor are as follows:
- Implement robust technical and organizational security measures
- Regularly update security measures to accommodate technological changes and developments
- Report data breaches to the authorities within 72 hours of becoming aware of the breach
- Appointment of a Data Protection Officer (DPO) in accordance with the rules and guidelines of the PDPA
IV. PENALTIES FOR NON-COMPLIANCE
The three kinds of liability to which a data controller, data processor or other individual violating the PDPA may be subject are civil, criminal and administrative.
- Civil liability – payment of compensation for damages and expenses
- Criminal liability – imprisonment from 6 months to 1 year and fines of up to 1,000,000 Thai Baht, with liability extending to the representatives if the offender is a juristic person
- Administrative liability under the PDPA – fines ranging up to 5,000,000 Thai Baht
Landmark case: JIB Thailand
JIB, a prominent Thai IT distributor with annual revenues over 6 billion Thai baht, was fined a total of 7 million Thai Baht for violating three key principles of the PDPA, including:
- Inadequate security measures (stipulated by Section 37(1) of the PDPA)
- Failure to notify the PDPC promptly (stipulated by Section 37(4))
- Delay in appointing a Data Protection Officer (DPO) (stipulated by Section 41(2))
The penalties include not only punitive damages, which were charged at the maximum rate specified by the PDPA, but also administrative orders to overhaul its data protection framework within 30 days, to implement enhanced safeguards, and to keep the PDPC updated weekly. JIB has declared, via a Facebook post, its commitment and efforts to achieve this.
Whilst the penalties are relatively gentle when measured against JIB’s revenue and profit margin, the case teaches business operators both the importance of PDPA compliance and the financial and reputational damage that a violation causes. Consumers are also now aware of their rights and will be sure to enforce them when necessary.
V. CHALLENGES AND COMMON MISTAKES
Simply asking businesses to comply with the PDPA is easier said than done. In fact, business operators have faced many challenges when attempting to align their practices with the standards required by the PDPA. Data mapping is one of the biggest challenges, as businesses, especially large enterprises dealing with large amounts of data, find it difficult to track the flow of data through their organizations, from input to storage. Resource constraints also prove to be an obstacle to compliance, as limited budgets, manpower and training are problems commonly faced by companies. Updating IT systems and integrating measures to ensure compliance is also very costly and time-consuming.
Common mistakes operators make in relation to compliance with the PDPA include poor consent management, a lack of documentation for data processing, weak access controls and insufficient encryption, and failure to manage the actions of third-party processors.
VI. SUSTAINING COMPLIANCE
Whilst difficult, companies are legally required to have the measures, systems and training in place for the processing of personal data to be part of their operations and business practice. Whether the processing is for marketing or other purposes, companies can take the following steps for long-term compliance:
- Integrate compliance measures into daily operations
- Set up automated systems for repetitive tasks such as consent management and data destruction upon request
- Provide regular employee training
- Implement a centralized data management tool
- Perform periodic audits and prepare a ready-to-use plan for dealing with future breach incidents.
VII. CONCLUSION
The PDPA is a crucial piece of legislation designed to protect personal and sensitive data in the country, aligning with the global standards set by the GDPR. With updates in recent years, the PDPA now offers clearer guidelines for businesses on how to manage data, including requirements for data controllers and processors to implement robust data protection measures. The regulatory framework not only outlines responsibilities but also imposes penalties for non-compliance, reinforcing the importance of adhering to data protection principles.
However, businesses still face significant challenges in achieving full compliance with the PDPA. Common obstacles include resource constraints, the complexity of data mapping, and difficulties in updating IT systems. To ensure sustained compliance, companies must integrate data protection measures into their operations, invest in employee training, and regularly audit their systems. By taking these proactive steps, businesses can minimize the risks associated with data breaches and demonstrate their commitment to safeguarding personal information.
Therefore, it is crucial for businesses to engage legal consultants and technical experts to assess their current systems for compliance with the PDPA. This evaluation will help identify any gaps and ensure that necessary changes are implemented to meet regulatory requirements. Seeking professional assistance at this stage is essential to mitigate risks and ensure ongoing compliance.