Thailand PDPA: What You Need to Know
The Thailand Personal Data Protection Act’s (PDPA) entry into effect was postponed for a second time on May 5, 2021. The Ministry of Digital Economy and Society made the announcement citing the effects of the Coronavirus pandemic on the country’s economy as a driving force behind the postponement.
With the effective date postponed, organizations had a further 12 months to evaluate their privacy programs and ensure they were adequately prepared for the upcoming compliance requirements, which include mandatory data protection officer (DPO) appointment, a range of data subject rights, and data breach notification requirements.
On April 30, 2021, OneTrust DataGuidance was joined by a panel of expert speakers to discuss the key requirements of the Thailand PDPA and what the postponement meant for businesses.
Key Areas of PDPA Compliance
The Thailand PDPA sets out many requirements that organizations must uphold to protect individuals’ personal data. In many cases, the PDPA mirrors the provisions of the General Data Protection Regulation (GDPR), which will aid many businesses that are already familiar with that law. For example, the PDPA places strict requirements around cross-border transfers, imposes a greater standard of protection for sensitive data, and offers data subjects several rights that reflect those found under the GDPR.
Scope of the PDPA
The PDPA applies to any data controller or data processor based in Thailand that collects, discloses, or processes personal data of a natural, living person with exceptions such as when the activity is performed as part of a household activity. Organizations outside of Thailand also fall under the PDPA’s scope when offering goods or services to individuals in Thailand or monitoring the behavior of individuals in Thailand.
The Thailand PDPA does not define sensitive data within its text. However, certain types of personal data that closely align with the types of sensitive data found in other global privacy laws require the data controller to obtain the data subject’s consent before processing. These include:
- Racial or ethnic origin
- Political opinions
- Cult, religious or philosophical beliefs
- Sexual behavior
- Criminal records
- Trade union information
- Genetic data
- Biometric data
Data Subject Rights
The PDPA provides data subjects with several rights that closely mirror those found under the GDPR. These rights include:
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure
- The right to object
- The right to opt-out
- The right to data portability
Cross-Border Data Transfers
Data controllers transferring personal data within Thailand must obtain consent from each data subject before or at the time of transfer.
A transfer of personal data outside of Thailand can only be made to a data importer who meets a level of protection of personal data required by the PDPC regulations.
Thailand PDPA: What You Need to Know Webinar
OneTrust DataGuidance was joined by a panel of experts to discuss the requirements of the PDPA and how organizations can achieve compliance with the law ahead of the effective date.
Key takeaways from the webinar include:
- The new effective date of June 1, 2022
- Obligations for compliance and exemptions for select organizations
- Sub-regulations that impact the key requirements under the PDPA
- Achieving PDPA compliance
Further resources for privacy compliance for Thailand PDPA:
- OneTrust DataGuidance News: BREAKING: Thailand: Cabinet approves draft decree postponing enforcement of PDPA for another year
- OneTrust DataGuidance News: Thailand: PDPA second postponement under consideration
- OneTrust DataGuidance Guidance Note: EU - Thailand: GDPR v. PDPA