PDPA

Personal Data Protection Act Comes into Full Effect on 1 June 2022

The Personal Data Protection Act (“PDPA”) came into full effect on 1 June 2022 and its ramifications are extensive. Similar to the EU, Thailand is now imposing higher standards of care and duties on businesses and organisations to ensure the privacy and security of personal data.  Embedded in the PDPA are the rights of individuals in relation to the collection, use and dissemination of their personal information along with the obligations and procedures that organisations must uphold.  Failure to comply may result in civil and criminal liabilities for the organisation and its management. 

Here are some key features to know about the PDPA and what organisations need to do now to be compliant:  

PDPA Main Features: 

• Adopted for data privacy which aligns with global data protection laws in the EU and elsewhere 

• Data overseen by Personal Data Protection Committee 

• Applicable to all people-identified information – both direct and indirect

• Violations are punishable by administrative fine (up to THB 5 million), criminal penalties (up to THB 1 million or 1 year penalty), and punitive damages (up to twice the cost of damages)      

What businesses need to do now: 

• Find and catalogue all the personal information you have 
• Establish a retention/deletion schedule to get rid of personal information you no longer need 
• Put privacy notices on your website and other information collection points 
• Make sure you have procedures in place for recognising and actioning individuals’ rights requests (e.g. access requests) 
• Decide whether or not to appoint a Data Protection Officer or establish an alternative privacy function 
• Review your data security and governance arrangements 
• Identify the legal basis for collecting/using personal information – consent or an alternative 
• Explain new rules to staff and train them to reinforce their personal responsibility