Thailand's Personal Data Protection Act (PDPA)

If your business is based in Thailand or you collect personal data belonging to Thai residents, you must comply with Thailand's Personal Data Protection Act (PDPA). Enacted in 2019 and in full force since June 2022, the PDPA gives Thai persons significant control over how businesses process, use, and collect their personal information.

Below, we explain how Thailand's Personal Data Protection Act works, what's required of businesses subject to the Thailand's PDPA, and how to ensure your business remains compliant.

What is Thailand's Personal Data Protection Act (PDPA)?

Thailand's Personal Data Protection Act (PDPA) is a consumer privacy law, or data protection law. It enhances the control that individuals have over their personal data by compelling businesses to follow certain guidelines when they collect, store, share, or use consumers' information.

• Thailand's Personal Data Protection Act aims to strike a balance between the need for businesses to collect certain categories of data for commercial purposes, and the protection of individual privacy rights.
• Even if you're not based in Thailand, the PDPA's provisions could apply to your business.
• There are significant penalties for PDPA non-compliance. Businesses must be aware of these penalties and how to avoid compliance issues.

Thailand's Personal Data Protection Act (PDPA): Key Definitions and Terms

Before we can consider Thailand's Personal Data Protection Act compliance, it's crucial to understand how the PDPA defines certain key terms. The most significant terms and definitions are found in Section 6 and we can summarize them as follows:

• Person: A living individual
• Personal data: Any data relating directly or indirectly to a living person, which may be used to identify them
• Data controller: Person or "juristic person" (business) responsible for making decisions around the collection, use, and processing of personal data
• Data processor: The person or business acting on the instructions of the data controller, to process data in a certain way

If you're familiar with the EU's General Data Protection Regulation (GDPR), you will note that the definitions are very similar. In many ways, Thailand's Personal Data Protection Act does, indeed, offer Thai residents similar protections to that of the EU's GDPR.

Who Must Comply With Thailand's Personal Data Protection Act (PDPA)?

If you operate a business in Thailand and that business collects and processes personal data, you are obligated to comply with Thailand's Personal Data Protection Act (PDPA).

If you operate a business outside of Thailand but you offer services and/or goods to, or monitor the online behavior of Thai residents, you also comply with the act.

Who is Exempt From Thailand's Personal Data Protection Act (PDPA)?

Exceptions to Thailand's Personal Data Protection Act (PDPA) can be found in Section 4 and include the following:

• Collecting personal information purely for household or domestic use
• Public authorities pursuing state security obligations
• Individuals disclosing personal data in the public interest for artistic or journalistic purposes
• Government officials considering personal data as part of their wider duties
• Courts and legal officials working within the scope of their authority
• Credit bureau agencies undertaking official authorized duties

How Does Thailand's Personal Data Protection Act (PDPA) Affect Businesses?

Thailand's Personal Data Protection Act (PDPA) affects businesses in four key ways:

• The law compels businesses to be transparent about their data collection and processing activities. This means providing comprehensive and accurate data policies, including a Privacy Policy and Cookies Policy.
• There's an onus on businesses to take steps to obtain meaningful and informed consent from consumers before collecting data. This could mean overhauling how they collect (and record) consent.
• Businesses need a legitimate reason for collecting personal data, which typically means they must consider ways to limit and reduce the amount of data they collect.
• A business must examine its cybersecurity and data storage processes to ensure that they're robust enough to protect personal data.

How Does Thailand's Personal Data Protection Act (PDPA) Impact Consumers?

Just as the Thailand's Personal Data Protection Act impacts businesses, it represents a significant shift for Thai residents and consumers otherwise affected by its provisions.

Here are some of the ways the Thailand's PDPA impacts consumers:

• Individuals have greater control over what data businesses collect, and how that data may be used.
• A business can't process personal data without a person's consent unless it's for a specific purpose.
• It's much easier to opt out of direct marketing and targeted advertising.
• The Personal Data Protection Act allows individuals to withdraw consent at any time.

What Does Thailand's Personal Data Protection Act (PDPA) Require?

The Thailand's Personal Data Protection Act requires that businesses take the following actions.

• Establish their legitimate or lawful basis for processing personal data.
• Obtain express and informed consent to personal data processing unless they have other legitimate grounds for processing the data.
• Appoint a Data Protection Officer (DPO).
• Create a Privacy Policy (and Cookie Policy, if applicable) outlining the consumer's privacy rights, how the business complies with these rights, and how the consumer can exercise their rights.

How Do You Comply With Thailand's Personal Data Protection Act (PDPA)?

There are various steps to Thailand's Personal Data Protection Act compliance.

Establish a Lawful Basis for Personal Data Processing

You don't need consent if you have another lawful reason for processing personal data. Some valid reasons set out in Section 24 include:

• Historical documentation and archiving
• Saving a person's life
• Performing a contract, into which the person freely entered e.g. a contract of sale
• Carrying out a public duty
• Legitimate business interests
• Complying with other laws and regulations

Know your reasons for processing personal data. You will need to communicate them clearly in your Privacy Policy.

Obtain Express, Informed Consent

If you need consent, it must be expressly given and informed. This means using "opt-in" consent collection, such as clickable banners or checkboxes, rather than implied consent techniques, and providing information to a user about what they're consenting to.

Pop-up banners with "I Agree" checkboxes or buttons are a great way to get people to take a positive, active (express) step to show they consent to data collection.

Here's an example from Superdry Thailand:

Ensure that individuals understand what they are consenting to. This means explaining, in a succinct way, that they consent to the processing of personal data in a particular way. You should link your legal policies such as a Privacy and Cookies Policy to your consent request mechanism.

Get Consent Before Processing Special Categories of Personal Data

If you plan to process any categories of data that are considered special, such as sensitive personal information, you need to request and obtain clear, explicit consent first.

Create Contracts Between Data Controllers and Data Processors

Under Thailand's PDPA, data controllers and data processors must create a contract between themselves that holds both parties responsible to follow Thailand's PDPA and its requirements.

Appoint a Data Protection Officer (DPO)

Under the Thailand's PDPA, a business is only required to appoint a Data Protection Officer (DPO) if the business meets one of the following:

• It is a public authority,
• It regularly monitors personal data by collecting, using or disclosing what counts as a large amount of personal data, or
• Its main business activity involves the collection, use, or disclosure of sensitive personal data

Provide a Legally Compliant Privacy Policy

To comply with Thailand's Personal Data Protection Act (PDPA), your Privacy Policy must explain the following:

• Whether you collect "personal data" and what that means
• Your lawful basis, or legal reason, for collecting the data
• The reason, or purpose, for collecting the information
• What rights and choices individuals have over the information they share
• How to exercise those privacy rights (typically by contacting you)

Here's how Zwift's Privacy Policy defines personal information, or personal data, and sets out very specific categories of data collected:

The policy also clearly specifies the lawful basis for collecting the data, and why the data is necessary:

Zwift has made it easy for users to exercise privacy rights, which are clearly stated throughout the policy:

As an aside, you should always display your Privacy Policy somewhere prominent, such as at a point of data collection e.g. prior to completing a sale or opening an account, and within your website footer alongside other core legal documents.

Provide a Legally Compliant Cookies Policy

Your Thailand's PDPA-compliant Cookies Policy must set out, at a minimum:

• The categories of cookies used: Disclose if you use essential cookies, which are required for website functionality, or non-essential cookies, which are not required but may allow you to collect additional data.
• Purpose: Explain and clearly define why you use cookies. A good rule to follow is that, if you cannot articulate why you need to use certain cookies, it's best to turn them off.
• Consent and withdrawal of consent: Your policy should explain how to opt in and opt out of cookies at their discretion. You must make it simple for them to do so.

Apple includes its Cookie Policy within its wider Privacy Policy. This is common practice as the content is similar; there's no need to have two separate policies if you prefer to incorporate them into one document.

First, the Cookie Policy clearly defines why the company uses cookies (fraud, behavior monitoring, and commercial business purposes):

It then sets out in clear bullet points what cookies are used and why:

And finally, there are simple instructions for enabling and disabling cookies:

Who Enforces Thailand's Personal Data Protection Act (PDPA)?

The Personal Data Protection Committee (PDPC) enforces Thailand's Personal Data Protection Act. The Committee is responsible for:

• Issuing violation notices
• Helping businesses understand compliance requirements
• Drafting legal guidelines
• Determining future legal and regulatory updates

The Committee's responsibilities, including who may sit on the Committee and the scope of its authority, are set out in full in Chapter I from Section 8 onwards. Section 16 outlines the Committee's specific responsibilities in more detail:

What are the Fines and Penalties for Violating Thailand's Personal Data Protection Act (PDPA)?

Depending on the type of violation, a business violating the Personal Data Protection Act could face administrative, civil, or even criminal penalties.

Thailand's Personal Data Protection Act imposes fines of up to 5 million Baht for collecting, disclosing, or using personal data without consent or legitimate grounds, or if they send data to a foreign country which does not have adequate safeguards for protecting the information.

Under the Personal Data Protection Act, individuals can file civil lawsuits if they're harmed by a company's negligent or careless PDPA violations. Civil damages vary substantially, but the amount a company is liable for could be significant depending on the harm caused and how many individuals are affected.

If the business deliberately rather than accidentally discloses personal data wrongfully, with the intent to cause damage, humiliation, or harm, or for financial gain, they could face criminal penalties. These penalties include substantial fines and, in serious cases, jail time.

It's possible to face multiple penalties, depending on the violation(s).

Summary

Thailand's Personal Data Protection Act (PDPA) went into effect in June of 2022.

If you operate a business in Thailand and that business collects and processes personal data, you are obligated to comply with Thailand's Personal Data Protection Act (PDPA).

If you operate a business outside of Thailand but you offer services and/or goods to, or monitor the online behavior of Thai residents, you also comply with the act.

Under the Thailand's PDPA:

• You can't process, collect, use, or disclose personal data without consent unless you have another legitimate reason for doing so.
• What data you collect, and how and why you collect personal data, should be clearly communicated to your consumers.
• Failure to comply with the Personal Data Protection Act can lead to administrative, civil, or criminal penalties.

To comply with the Thailand's Personal Data Protection Act, take the following steps:

• Establish your grounds for collecting personal information
• Implement a mechanism for obtaining express, opt-in consent, such as a clickable banner or checkbox
• Draft (or update) your Privacy Policy and Cookie Policy to comply with the PDPA's terms
• Appoint a Data Protection Officer if necessary