The Urgent Need for PDPA Compliance
Introductory Remarks
Now that the Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”) has been enacted by the Government in May 2019, it is necessary for business entities and persons concerned to be aware of the Act as a whole and to be fully compliant with the law within the timeframe prescribed by the Act.
However, a Royal Decree published in the Government Gazette on 21 May 2020 has postponed the coming into force of the PDPA to 31 May 2021.
The Act is divided into seven Chapters and consists of 96 Sections. The Act was published in the Government Gazette on 27 May 2019, and its coming into force is prescribed in two phases. In the first phase, the Act came into force on the day following the date of its publication in the Government Gazette, i.e. 28 May 2019, except for certain operative provisions. Those substantive provisions, namely Chapters II, III, V, VI and VII and Sections 95 and 96, which mostly relate to the key players, were to come into effect in the second phase after the lapse of one year from the date of publication, i.e. 27 May 2020, and have now been postponed until 31 May 2021.
The main purpose of the Act is to protect the personal data of data subjects from all forms of violations. To achieve that goal the Act seeks to put in place appropriate mechanisms that will deter violations of the right to personal privacy protection and ensure legal guarantee of personal data protection.
To meet the deadline for compliance, it is of utmost importance for the entities concerned to know which of the provisions directly concern them so that they may be able to choose and focus on the relevant provisions correctly.
The preamble of the Act contains Sections one to seven.
The following is a summary of the provisions, section by section:
Preamble
Section 1: Designation of the Act.
Section 2: Timeframe for coming into force of the Act.
Section 3: Overriding power of this Act with certain exceptions.
Section 4: Exceptions or non-applicability of the Act to certain acts, operations and public officials.
Section 5: Extraterritorial applicability of the Act.
Section 6: Definitions of Personal Data, Data Controller, Data Processor, Person, Committee, Competent Official, Office, Secretary-General, and Minister.
Section 7: Designation of minister to be in charge.
Chapter I
Sections 8-18: Provisions relating to the Data Protection Committee (PDPC).
Chapter II
Sections 19-21: Provisions relating to personal data protection.
Sections 22-26: Provisions relating to personal data collection.
Sections 27-29: Provisions relating to use or disclosure of personal data.
Chapter III
Sections 30-42: Provisions relating to rights of the data subject.
Chapter IV
Sections 43-70: Provisions relating to the Office of the Personal Data Protection Committee (OPDPC).
Chapter V
Sections 71-76: Provisions relating to complaints.
Chapter VI
Sections 77-78: Provisions relating to civil liability.
Chapter VII
Sections 79-81: Provisions relating to criminal liability.
Sections 82-90: Provisions relating to administrative liability.
Transitional Provisions
Sections 91-96: Provisions relating to the Committee, the Secretary-General, the Office, the Commission supervising the Office, the initial budget for the Office, procurement of civil officials, continued collection and use of personal data by data controllers, and issuance of regulations and notifications during the transitional period.
Summarized Salient Points
Protection mechanism: Among the players under this Act, the Committee is the principal player determining measures or guidelines for protection operations, while the Office, headed by the Secretary-General, functions as the operating arm of the Committee and is supervised by a Commission. Under the Committee there is an Expert Committee to deal with complaints filed by data subjects, with powers to investigate any act of a Data Controller or Data Processor, settle disputes in connection with personal data, issue orders relating to the performance or rectification of an act by a Data Controller or Data Processor, or order the seizure, attachment and sale by auction of a Data Controller’s or Data Processor’s property. In other words, the entire body of the operating arm is to be regarded as the Government Regulator.
Broad definition: “Personal Data” is broadly defined as “any information relating to a Person which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased persons in particular.”
Collection and use or disclosure of data: Matters relating to the collection and use or disclosure of personal data are subject to clearly stipulated restrictions, the prior explicit consent of Data Subjects, the requirement for sufficient security measures, and a guarantee of protection in recognition of the rights of data subjects. There are, however, certain clearly stated exemptions and exceptions allowing personal data to be collected and used without the consent of the Data Subject, as well as certain exceptions to the restriction on collecting personal data from any source other than the Data Subject directly.
As regards transfer of personal data abroad, i.e. cross-border transfer, it is subject to an assessment of foreign destination’s adequate data protection standard and compliance with the PDPC’s rules.
Rights of the Data Subject: Under the Act the Data Subject can exercise such rights as: access to personal data; data portability; objection to collection; erasure or destruction of personal data or anonymization of personal data; filing of a complaint; etc.
Legal basis and applicability: The collection and use or disclosure of personal data must rely on a legal basis, such as consent from the Data Subject or the exemptions stipulated in Section 4, such as for State security or public security, for journalistic, artistic or literary purposes or public interests, for legislative or legal purposes, etc. The provisions of this Act apply to the activities of Data Controllers or Data Processors both inside and outside Thailand.
Key players: Key players can be divided into two groups, i.e. public players and private players. On the public side, the key players are the Personal Data Protection Committee, the Office of the Personal Data Protection Committee, the Secretary-General of the Office, the Expert Committee, and the Commission supervising the Office of the Personal Data Protection Committee. On the private side, the key players are the Data Subject, Data Controller, Data Processor, Data Protection Officer, and Representative. Each key player has its own respective powers and duties under the Act.
Penalties: The following sanctions shall apply to any violation of this Act:
(1) Civil liability: Compensation for damages includes all necessary expenses; punitive damages not exceeding two times the actual compensation amount may also be added.
(2) Criminal liability: Punishment for any violation shall be imprisonment of up to one year and/or a fine of up to one million Baht. For any offence committed by a juristic person under this Act, any director, manager or person responsible for such offence shall be punished with the punishment prescribed for such offence.
(3) Administrative liability: Administrative fines run from five hundred thousand Baht to five million Baht depending on the type of offence and the class of offender under this Act.
What steps to take next?
Pursuant to the publication of the PDPA in May 2019, the transitional period of one year is running out for business entities and operators to take the necessary measures to become fully compliant with the Act. The deadline for completion of the required steps is May 2020. The suggested course of action might, amongst others, consist of the following:
1. Review and analysis of internal policies and practices and of personal data management and protection system
2. Assessment of risks of potential violation of the PDPA and adjustment of existing levels of compliance and security measures
3. Analysis of classes of data and determination of legal basis and applicable obligations required under the PDPA and preparation of required legal documents
4. Conduct of awareness campaign within the organization and training of personnel and employees for readiness to handle the PDPA issues with greater efficiency
5. Implementation of an upgraded data management system in full compliance with the PDPA
6. Taking of any other appropriate steps, including the appointment of an internal data protection officer and a representative where necessary
7. Introduction of a system concerning personal data breach notifications and responses, and cross-border transfer of personal data
It is advisable that, before the penalties for non-compliance kick in, i.e. before the remaining specific operative provisions come into effect, every business entity and operator take all necessary steps to become fully compliant with the PDPA.
Note: Under the transitional provisions, i.e. Section 95 of the PDPA, for personal data collected before the effective date of this Act the Data Controller is entitled to continue to collect and use the personal data for the original purpose, but must publicize a method of consent withdrawal to facilitate the Data Subject.