
The Ultimate Guide to APAC’s PDPA Regulations
Personal Data Protection Act: is there any better way to title an act relating to personal data protection? It is little wonder why this term has been adopted across multiple jurisdictions, but when referred to simply as the PDPA, knowing exactly which law is in question can become confusing. Not to mention that the PDPA initialism extends beyond the APAC region and Personal Data Protection Acts.
Explore this blog to understand the varying requirements under some of the different iterations of the PDPA and discover the in-depth research materials OneTrust DataGuidance has to offer on each.
Request a free trial: OneTrust DataGuidance
Table of Contents
- Thailand Personal Data Protection Act
- Singapore Personal Data Protection Act
- Malaysia Personal Data Protection Act
- Taiwan Personal Data Protection Act
- Macau Personal Data Protection Act
- Other Uses of PDPA Outside of APAC
Thailand Personal Data Protection Act (PDPA)
The Thai PDPA was originally set to enter into effect on May 31, 2020. However, the effective date was postponed until May 31, 2021 due to the COVID-19 ('Coronavirus') pandemic and later postponed for a second time until May 31, 2022.
Scope
The Thailand PDPA applies to a legal person that collects, uses, or discloses the personal data of a natural person and has both territorial and extra-territorial application. The Thai PDPA applies to personal data which is categorized into general personal data and sensitive personal data.
Legal Bases
Part 2 of the Thai PDPA outlines the legal bases for processing general and sensitive personal data.
When processing general personal data, organizations can rely on: consent, research or historical documentation, vital interests of the data subject, fulfillment of a contract with the data subject, in the public’s interest, legitimate interest, and to fulfill a legal obligation.
When processing sensitive personal information, organizations can rely on: the vital interests of the data subject, when sensitive personal data has been made public with the data subject's explicit consent, the establishment, compliance, exercise, or defense of legal claims, when non-profit bodies carry out legitimate activities and do not disclose the sensitive personal data outside of their organization, and when necessary to comply with a legal obligation.
Data Subject Rights
Data subjects that fall under the Thai PDPA’s scope can exercise several rights including:
- Right to be informed
- Right to access
- Right to rectification
- Right to erasure
- Right to object
- Right to data portability
- Right to withdraw consent
- Right to lodge a complaint
Enforcement
Non-compliance with the Thai PDPA can lead to civil liabilities with fines ranging up to THB 5 million (approx. €135,400) and criminal penalties which can include imprisonment for up to one year, a fine of up to THB 1 million (approx. €27,080), or both.
Learn more: Thailand – Data Protection Overview Guidance Note
Singapore Personal Data Protection Act (PDPA)
Scope
The Singapore PDPA applies to private organizations that collect, use, and/or disclose personal data of individuals as well as organizations with no physical presence in Singapore if they are collecting, using, or disclosing data within Singapore. Exemptions to the PDPA’s scope apply in certain scenarios including individuals acting in a personal or domestic capacity or public agencies, among others.
Legal Bases
For organizations that fall under the scope of the Singapore PDPA, there are several legal bases that can be relied upon to collect, use, and/or disclose personal data. These include consent, for the fulfillment of a contract with the data subject, to fulfill a legal obligation, in the vital interest of the data subject, in the interest of the public, and where the data controller has a legitimate interest.
Regarding consent, organizations are not required to obtain consent where the exceptions in the First Schedule and the Second Schedule to the PDPA apply. This includes where the collection, use, or disclosure of personal data about an individual:
- Is necessary for any purpose which is clearly in the interests of the individual, and:
  - consent for the collection, use, or disclosure cannot be obtained in a timely way; or
  - the individual would not reasonably be expected to withhold consent;
- Is publicly available;
- Is in the national interest;
- Is in the legitimate interests of the organization or another person and the legitimate interests of the organization or other person outweigh any adverse effect on the individual.
Individuals can be deemed to have given consent when they voluntarily provide their personal data for a purpose, and it is reasonable that they would voluntarily provide such data. The PDPA provides for three different forms of deemed consent: deemed consent by conduct; deemed consent by contractual necessity; and deemed consent by notification.
Data Subject Rights
Individuals have several rights that they can exercise in relation to how their personal information is handled by organizations. These rights include:
- Right to access
- Right to rectification
- Right to object/opt-out
There is currently no specific right for individuals to be informed, however organizations are subject to several data protection obligations under the PDPA which require them to provide notification to the individual data subject under certain circumstances.
Similarly, the PDPA does not provide individuals with a right to erasure. However, organizations are required to cease to retain personal data if retention of such personal data is no longer necessary for legal or business purposes under the Retention Limitation Obligation.
Enforcement
In Singapore, the Personal Data Protection Commission (PDPC) is responsible for enforcing the PDPA. The PDPC has wide enforcement powers and can instruct organizations to:
- Stop collecting, using, or disclosing personal data
- Destroy personal data
- Provide access to or correct personal data
- Pay a financial penalty of up to SGD 1 million (approx. €625,735)
The Personal Data Protection (Amendment) Act 2020 (the Amendment Act) introduced enhanced financial penalty provisions that will take effect at a later date still to be confirmed, which will be no earlier than February 1, 2022.
Learn more: Singapore – Data Protection Overview Guidance Note
Malaysia Personal Data Protection Act (PDPA)
Scope
The Malaysia PDPA applies to any person who processes or has control over the processing of personal data. In terms of territorial scope, the Malaysia PDPA only applies to data processed outside of Malaysia if there is an intention to further process that data in Malaysia. The scope of the Malaysia PDPA covers the collection, recording, holding, or storage of personal data, or carrying out of any operation or set of operations on personal data.
The Government of Malaysia and state governments are exempt from the application of the PDPA as is processing personal data for the purposes of personal, family, or household affairs.
Legal Bases
Under the Malaysia PDPA, there is a general principle that prohibits the processing of personal data without the consent of the data subject.
However, the requirement for consent does not apply if the personal data is being processed for: the performance of a contract, compliance with a legal obligation, protecting the vital interest of the data subject, or the administration of justice – among other things.
Data Subject Rights
The Malaysia PDPA establishes the following rights for data subjects:
- Right of access
- Right to correction
- Right to withdraw consent
- Right to prevent processing likely to cause damage or distress
- Right to prevent processing for direct marketing purposes
Under the PDPA, there are no rights established for erasure, data portability, or to object to automated decision-making.
Enforcement
The Department of Personal Data Protection (PDP) is the agency charged with enforcing and regulating the PDPA in Malaysia.
Penalties for non-compliance with the PDPA include monetary fines and may result in criminal charges. For non-compliance with any of the seven data protection principles under the PDPA, fines can be issued up to MYR 300,000 (approx. €60,400) and/or up to two years imprisonment. The unlawful collection, disclosure, and sale of personal data can result in a fine of up to MYR 500,000 (approx. €100,680) and/or up to three years imprisonment.
Learn more: Malaysia Data Protection Overview Guidance Note
Taiwan Personal Data Protection Act (PDPA)
Scope
The Taiwanese PDPA applies to both government and non-government agencies (this includes the private sector, all individuals, and all non-state-owned entities). However, both are subject to different obligations under the PDPA. The Taiwanese PDPA applies to all collection and processing activities that take place in Taiwan and is not limited to Taiwanese nationals. There is not an explicit extra-territorial scope.
Processing activities done through automatic or manual means are covered by the Taiwanese PDPA. However, there are two exceptions including processing in the course of personal or family activity or the use of audio-visual information in a public place or for a public activity, which is not associated with any other personal data.
Legal Bases
For non-government agencies collecting non-sensitive personal data, processing can only take place if there is a 'specific purpose' and the processing meets any one of the following statutory grounds:
- It is specifically permitted by law
- A contract has been entered into or is being negotiated
- The data subject has made the personal data public
- It is necessary for academic research by an academic research institution for the public interest
- The consent of the data subject has been obtained
- It is necessary for the sake of public interest
- The data has been collected from a source accessible to the collector unless the interest of the data subject takes priority over that of the collector; or
- It would not harm the data subject's rights or benefits.
Data Subject Rights
The Taiwanese PDPA establishes several rights for data subjects to exercise including:
- Right to access to check and review personal data
- Right to correct or supplement personal data
- Right to erasure
- Right to request an organization stops processing personal data
- Right to object to marketing activities
Although the right to erasure is explicitly stated in Article 3 of the PDPA, there is debate as to whether this right actually exists following a case brought before the Taipei District Court, which ruled that a data subject can only request the removal of his/her personal data when the data is incorrect, the specific purpose for the data processing no longer exists, or the data was unlawfully collected or processed.
Enforcement
There is no independent regulatory authority in Taiwan and the enforcement of the Taiwanese PDPA falls on the central, local, municipal, county, and government authorities that regulate and supervise the business operations of non-government agencies for each industry.
The PDPA outlines that the illegal collection, processing, or use of personal data; the failure to obey a central government authority's order imposing restrictions on the international transfer of personal data; or the illegal amendment or deletion of personal data files or employment of any other illegal means can result in criminal charges and monetary penalties.
Learn more: Taiwan – Data Protection Overview Guidance Note
Macau Personal Data Protection Act (PDPA)
Scope
Macau’s Personal Data Protection Act applies to controllers or processors that are domiciled or based in Macau, or that use a network access provider established in Macau. Entities that, directly or indirectly, collect, process, or transfer personal data in Macau will also be subject to the requirements of the law.
Regarding the material scope, Macau’s PDPA bears similarities with the GDPR and applies to the processing of personal data, wholly or partly, by automatic means, and to other processing of personal data which forms or is intended to form part of a manual filing system.
The law does not apply to the processing of personal data carried out by a natural person in the course of a purely personal or household activity.
Legal Bases
Macau’s PDPA sets out six legal bases for processing personal information which organizations can rely upon, including:
- Consent - defined as 'any freely given specific and informed indication of his/her wishes by which the data subject signifies his agreement to personal data relating to him being processed.'
- When necessary for the performance of a contract with the data subject
- When necessary for compliance with a legal obligation to which the data controller is subject
- In order to protect the vital interests of the data subject
- Where necessary for the performance of a task carried out in the public interest
- When pursuing the legitimate interests of the controller or the third party to whom the data is disclosed
Data Subject Rights
The PDPA in Macau establishes several rights for data subjects to exercise, including:
- Right to be informed
- Right to access
- Right to rectification
- Right to erasure
- Right to object at any time to the processing of part or all of their data
- Right not to be subject to automated decision-making
- Right to indemnification
The right to indemnification allows data subjects reparation for the damage sustained due to the unlawful processing of personal data. The PDPA in Macau does not provide for a right to data portability.
Enforcement
The Office for Personal Data Protection (GPDP) is responsible for monitoring, enforcing, and coordinating the PDPA in Macau.
The GPDP is empowered to issue administrative fines ranging from MOP 2,000 (approx. €210) to MOP 200,000 (approx. €21,100), depending on the nature of the offense.
Additionally, non-compliance with the law may result in prison sentences of up to two years or a fine of up to 240 days. According to the Penal Code of Macau, for fine penalties fixed in days, each day of the fine corresponds to an amount between MOP 50 and MOP 10,000 (approx. €5 and €1,050). As such, a fine of up to 240 days would equal a fine between MOP 12,000 and MOP 2.4 million (approx. €1,260 and €252,100).
Learn more: Macau Data Protection Overview Guidance Note
Other Uses of PDPA: Armenia Personal Data Protection Agency (PDPA)
The PDPA acronym does extend beyond the several instances of a Personal Data Protection Act outlined above. In Armenia, the Personal Data Protection Agency is the main supervisory authority whose goals include:
- Maintaining of the register of personal data processors
- Ensuring the protection of the data subjects’ rights
- Ensuring the legality of the processing of personal data within its competence.
Learn more: Armenia Data Protection Overview Guidance Note
OneTrust DataGuidance offers hundreds of guidance notes, expertly authored by the team of in-house analysts as well as local privacy experts, to help you distinguish the varying requirements under the world’s privacy laws. Request a demo to learn more about how OneTrust DataGuidance can help your organization accelerate its privacy research.
Further resources for understanding privacy law in the Asia-Pacific region:
- OneTrust Blog: The Ultimate Guide to Thai PDPA Compliance
- OneTrust DataGuidance: Jurisdictions - Asia Pacific
- OneTrust DataGuidance Portal: Thai PDPA
- OneTrust DataGuidance Comparison: Privacy Index