On 27 May 2019, Thailand published a new Personal Data Protection Act ("PDPA") in the Royal Government Gazette. This is an important milestone for data protection in Thailand.
The new Thai PDPA was heavily inspired by the European Union's General Data Protection Regulation 2016/679 ("GDPR") and adopts several of its principles.
The central purpose of the PDPA is the protection of the personal data of individuals (the "data subjects"). This is achieved by various provisions, such as:
Going forward, many data controllers and data processors will have to appoint data protection officers and will have to implement measures to inform authorities and/or data subjects in case of data breaches.
The new PDPA is relevant not only for Thai companies, but also for companies based outside Thailand that do business in Thailand. The PDPA applies to all processing activities relating to the offering of goods and services to data subjects in Thailand. As a result, many foreign companies that offer their services to Thai residents will be in scope of the new PDPA.
"Data controller" means a person or entity that has the authority to make decisions regarding the collection, use or disclosure of personal data. Under the PDPA, the data controller has to (e.g.):
"Data processor" means a person or entity that processes personal data on behalf of a data controller. The data controller has to instruct the data processor, who must strictly follow these instructions when using or processing the personal data. Like the data controller, the data processor has to ensure appropriate security measures to protect the personal data and to maintain adequate records of its processing activities.
Failure to comply with the new Personal Data Protection Act may expose companies to civil, criminal and administrative sanctions.
Violations of the new PDPA, even negligent ones, may result in significant damage claims by data subjects, including punitive damages of up to twice the amount of the actual damages. Possible criminal penalties include imprisonment as well as criminal fines. In addition, administrative fines of up to 5 million THB (currently ca. 140,000 EUR) are possible.
The PDPA has a grace period of one year, during which supplementary rules for the implementation will likely be issued by the Personal Data Protection Commission.
The Thai PDPA can be a game changer for many companies. While in the past personal data protection was often taken quite lightly, non-compliance with the new Personal Data Protection Act can have severe consequences. Thai companies, as well as foreign companies doing business in Thailand, will face challenges in implementing the necessary measures.
Achieving and maintaining compliance with the PDPA will not only result in higher operating costs for companies, but will also force them to consider carefully how they approach data protection, as the provisions of the PDPA are less detailed than those of the GDPR and leave more to interpretation.
While it remains to be seen what guidelines and interpretations the Personal Data Protection Commission will publish and if the PDPA will be consistently implemented, companies should start with the implementation of the PDPA as soon as possible, starting with an analysis of the status quo, the mapping of regulations and the identification of gaps. Once the gaps have been identified, companies can start to implement measures to achieve the required level of security and data protection, e.g. by introducing data management processes and by redefining their IT landscape.
IT consultants like Neos can help companies implement the necessary technical and organizational measures by leveraging best-of-breed IT technologies, cloud services and Security Information and Event Management (SIEM) systems to achieve "privacy by design".
Due to the complexity and the severity of potential consequences, the implementation of the PDPA should be made a priority of top management.