
What is Thailand’s PDPA?
After nearly 10 years in the making, Thailand’s Personal Data Protection Act (PDPA) has been in effect since 27 May 2019. Organizations will be given a year to comply with the new regulation. The PDPA aims to govern data protection and uses the GDPR as a blueprint, adapting some of the largest European articles to the Thai context.
The policy has extra-territorial reach: data processors and controllers whose processing activities relate to Thai data subjects will also be required to comply with the PDPA, even if they are not located in the country. Organizations that deal with critical information infrastructure will be subject to the Cybersecurity Act, which aims to address cyber threats and national security.
Companies from a large number of industries, such as retail, finance, and travel, that collect and process personal data both in and outside Thailand will be required to comply with the PDPA, and penalties for non-compliance are severe.
What are the penalties?
The PDPA imposes penalties for non-compliance. It is punishable with administrative fines (up to THB 5 million), criminal penalties (imprisonment up to one year and/or fines up to THB 1 million), and punitive damages up to twice the amount of the actual damages. Furthermore, civil damages under the PDPA can be multiplied as Thailand now allows data owners to bring a class action lawsuit. The director of a company could also be subject to penalties under the PDPA.
Requirements
Consent management:
Data controllers must obtain consent for personal information processing. These requests must be phrased clearly and must not be deceptive or misleading. Consent should be approved in writing or through electronic means unless it is impossible by its nature. Consent can be forgone in certain situations, such as legitimate reasons, public interest, or the performance of contractual obligations.
How SecuPi Helps:
To enforce the right to object, for any purpose, SecuPi can use any condition to avoid processing of application processes, including a parameter where a data subject requested not to be processed – thus preventing any access or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed. Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).
Right of Access / Right to Data Portability:
Thai data subjects will have the right to request access to, and to transmit, the personal information relevant to them, except in cases where the request is not under the provisions of applicable laws or court orders.
How SecuPi Helps:
To enforce the right to object, for any purpose, SecuPi can use any condition to avoid processing of application processes, including a parameter where a data subject requested not to be processed – thus preventing any access or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed. Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).
Right to Object:
Individuals are allowed to object to the use, disclosure, or collection of their personal information and must enter a request to the relevant authority to be considered.
How SecuPi Helps:
To enforce the right to object, for any purpose, SecuPi can use any condition to avoid processing of application processes, including a parameter where a data subject requested not to be processed – thus preventing any access or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed. Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).
Right to be Forgotten:
In the event that the data controller is not compliant with the PDPA, Thai data subjects have the right to request that their personal information be deleted, destroyed or anonymized. Additionally, Thai data subjects will also have the right to data portability.
How SecuPi Helps:
At the application level, SecuPi redacts information on customers who requested to be forgotten (referred to as “logical deletion”). At the database level, SecuPi applies Format Preserving Randomization (FPR) Anonymization, ensuring that the personal data is both anonymized and randomized on different databases, to prevent correlation of the same anonymized value between different data sets.
Right To Restriction of Processing:
Individuals have the right to restrict the processing of their personal information in certain cases. Individuals can limit the way organizations use their data and this could be used as an alternative to requesting the erasure of their information. Individuals have the right to restrict the processing of/erase their personal information when it becomes irrelevant, is beyond the purpose necessary, or the data retention period ends.
How SecuPi Helps:
Using Dynamic Masking and redaction, SecuPi can disable access to the data of data subjects where consent wasn’t given or where the customer requested to restrict processing of personal data.
Record of Processing Activities:
Organizations are obligated to implement processes designed to maintain and record processing of personal data either in physical or electronic format.
How SecuPi Helps:
SecuPi’s audit logs are clear and factual and can show which processor accessed which data, as well as providing a full transcript of the processing activities done through the application. Since the SecuPi agent is deployed on the application server, it has access to all relevant information, including which user was used to process the information, timestamp, URI, etc. SecuPi enables mapping of data flows and provides the ability to granularly audit and control them, to maintain access on a “need to know” basis and use data in line with its purpose.
Data Breach and Security Measures:
The data controller has an obligation to inform the Personal Data Protection Committee (PDPC) of any breach or violation regarding the data subject’s personal data within 72 hours. In addition, certain industries such as Telco operators or electronic service providers must follow precise notification requirements.
How SecuPi Helps:
In the unfortunate case of a breach, SecuPi’s audit logs and behavior analytics can pinpoint exactly which data was exposed and breached, and significantly shorten the reporting time, while providing accurate and accountable information. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed. Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).