Tilleke and Gibbins International Ltd.
The following law(s) specifically govern personal data / information:
The primary legislation governing personal data protection in Thailand is the Personal Data Protection Act, B.E.2562 (A.D.2019) (“PDPA”). The PDPA was originally issued in 2019 with a grace period of 1 year, with the exception of the establishment of the PDPA regulator – the Personal Data Protection Commission (“PDPC”). However, in light of the COVID-19 pandemic, full enforcement of the PDPA has been postponed twice. Most recently, a royal decree issued on 8 May 2021 stated that the PDPA will only become fully effective on 1 June 2022. In other words, most of the obligations of the data controller, including the obligation to inform data subjects of the required information, will only become enforceable against data controllers from 1 June 2022 onwards.
The key data protection principles in this jurisdiction are:
The PDPA mainly prescribes requirements in relation to the collection, use, and disclosure (“processing”) of personal data, including the cross-border transfer of personal data and the security standards that the data controller and the data processor must implement. The key principles are, for example, as follows:
- Personal data under the PDPA refers to any information pertaining to a person which enables that person to be identified, whether directly or indirectly, but excludes information about deceased persons.
- The collection of personal data must be limited to the extent necessary in relation to the lawful purpose of the data controller.
- The processing of the personal data shall comply with the lawful bases as prescribed in the PDPA, such as consent, contractual obligation, and legitimate interest.
- The processing of certain categories of the personal data, i.e., the sensitive personal data, which includes health data and criminal records, shall be subject to more stringent requirements.
- When transferring the personal data to a foreign country, the destination country shall have adequate personal data protection standards.
- The data controller and the data processor must provide appropriate security measures in relation to the process of the personal data.
The supervisory authority / regulator in charge of data protection is:
The Personal Data Protection Commission (“PDPC”)
Is there a requirement to register with a supervisory authority / regulator?
No, there is no registration requirement under the PDPA.
Is there a requirement to notify the supervisory authority / regulator?
The PDPA does not require the data controller to notify the PDPC of the processing of personal data before processing or transferring it. However, the data controller must notify the PDPC of a data breach incident which may affect the rights and liberties of the data subject.
Is it possible to register with / notify the supervisory authority / regulator online?
As described above, the PDPA does not prescribe any specific requirements in relation to the registration and the notification before commencing processing of the personal data.
In addition, at this stage, the PDPA does not prescribe any specific requirement or provide a specific channel for notifying a data breach. The PDPC is entitled to issue subordinate law setting out the rules and methods of notification at a later stage.
The key data subject rights under the data protection laws of this jurisdiction are:
Under the PDPA, the data subject will have the following rights in relation to their personal data:
- Right to withdraw consent;
- Right to access;
- Right to rectification;
- Right to suspend the use of the personal data;
- Right to object to the use of the personal data;
- Right to erasure;
- Right to portability; and
- Right to lodge complaints.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes, the data controller/data processor must appoint a data protection officer (DPO) if:
- The data controller/data processor is a public authority as prescribed and announced by the PDPC;
- The activities of the data controller/data processor in respect of the processing of personal data require regular monitoring of the personal data or the relevant system because they involve a large quantity of personal data, as prescribed and announced by the PDPC; or
- The core activities of the data controller/data processor involve the processing of sensitive personal data under the PDPA.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
No, the PDPA does not prescribe any specific requirements in relation to data protection impact assessments.
Does this jurisdiction have any specific data breach notification requirements?
Yes, the PDPA requires the data controller to notify the Office of PDPC and/or the data subject of the data breach.
The data controller is required to notify the Office of PDPC of any personal data breach without delay and, where feasible, within 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the persons. If the personal data breach is likely to result in a high risk to the rights and freedoms of the persons, the data controller shall also notify the personal data breach and the remedial measures to the data subject without delay.
The notification and the exemption to the notification shall be made in accordance with the rules and procedures set forth by the Commission.
The following restrictions apply to the international transfer of personal data / information:
The PDPA requires that, when transferring the personal data to an organization in a foreign country, the relevant destination country, or the international organization, that receives such personal data shall have adequate personal data protection standards, and the transfer of the personal data shall be performed in accordance with the requirements prescribed by the PDPC, except in certain circumstances, for example, as follows:
- where the law so prescribes;
- where the consent of the data subject is obtained after the data subject has been informed of the insufficient personal data protection standards of the relevant destination country; or
- where it is necessary to comply with the contract in respect of which the Data Subject is a contracting party.
For overseas transfers within affiliates, the PDPA provides more relaxed restrictions: the general cross-border transfer requirements/restrictions may be exempted if the data controller has an internal data protection policy governing the sending or transfer of personal data overseas to the data controller’s affiliates (within the same affiliated business, in order to jointly operate the undertaking or business) (i.e. Binding Corporate Rules), which has been reviewed and certified by the PDPC.
In the event that there are no Binding Corporate Rules, the exemptions from the cross-border transfer requirements may still apply if the data controller/data processor provides appropriate security measures that ensure the enforceability of the data subject’s rights under the PDPA, including the remedial actions available under the law, in accordance with the supplementary rules and methods to be further prescribed by the PDPC.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes, the PDPA adopts the extra-territorial principle from the GDPR.
According to the PDPA, the data controller and the data processor, which are located outside Thailand, will be subject to the PDPA if there is processing of the personal data of data subjects in Thailand, and the processing activities are as follows:
- The offering of goods or services to the data subjects who are in Thailand, irrespective of whether the payment is made by the data subject; or
- The monitoring of the data subject’s behavior, where the behavior takes place in Thailand.
The following rules specifically deal with marketing:
In Thailand, there is no unified legislation which governs marketing activities. When conducting marketing, the business operator must comply with whichever regulations apply to the activity in question.
The legislation generally relevant to marketing includes, for example: (i) the PDPA; (ii) the Computer Crime Act; and (iii) sector-specific law (e.g., insurance, banking, securities).
Do different rules apply to business-to-business and business-to-consumer marketing?
As described above, the law applicable to marketing depends on the characteristics of the marketing activities in question.
The following rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
The Computer Crime Act prescribes prohibitions in relation to unsolicited computer data, which includes emails and SMS.
Sending computer data or an electronic mail to another person while hiding or faking its source, in a manner that interferes with that person’s normal use of the computer system, is subject to a fine not exceeding THB 100,000. Furthermore, the Computer Crime Act also prohibits sending computer data without an opt-out/unsubscribe function.
The following rules specifically deal with cookies:
The consequences of non-compliance with data protection laws (including marketing laws) are:
Under the PDPA, the data controller and the data processor, which fail to comply with the requirements prescribed therein, may be subject to:
- Civil liability, under which the court has the power to award punitive damages.
- Administrative fines, with maximum amounts ranging from THB 500,000 to THB 5,000,000.
- Criminal penalties, which include imprisonment for a period not exceeding 1 year and a fine not exceeding THB 1,000,000.
Under the Computer Crime Act, a person who violates the prohibitions prescribed therein is subject to criminal penalties, both imprisonment and fines, depending on the offence committed.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
It is recommended that, when a business operator wishes to process the personal data of individuals in Thailand, it should first review the extra-territorial requirements/criteria under the PDPA and assess whether it will be subject to the PDPA. This is because, if the business operator falls under the PDPA, it will need to comply with a number of obligations prescribed in the PDPA, including appointing a DPO, requesting consent, and implementing security measures in accordance with the standards set by the PDPC.
Besides the PDPA, when conducting direct marketing via email, SMS or other electronic means, the business operator must comply with the rules on unsolicited emails/SMS prescribed in the Computer Crime Act, which also contains an extra-territorial provision.
Multinational organisations should be aware of the following upcoming data protection developments:
As the PDPA will become fully effective on 1 June 2021 and certain requirements under the PDPA still require further clarification and guidelines from the PDPC, it is expected that various subordinate regulations will be issued by the PDPC in 2021.