Draft Personal Data Protection Act

The draft Personal Data Protection Act (“PDPA”) was finally approved by the National Legislative Assembly on 28 February 2019, and will be submitted for royal endorsement and then published in the Royal Gazette.

Keywords: Mazars, Thailand, Legal, Personal Data Protection Act, PDPA, National Legislative Assembly, Royal Gazette

19 April 2019

The PDPA is expected to be a key part of securing personal data and controlling how personal data is used by governmental and private sectors. The main elements of the PDPA are summarized below:

Definition

  • ‘Personal data’ means information which identifies a person, directly or indirectly, but not including information of a person who has died.
  • ‘Personal data controller’ means a natural or legal person authorized to make decisions on the collection, use, and disclosure of personal data.
  • ‘Personal data processor’ means a natural or legal person who collects, uses, or discloses personal data by order of or on behalf of the personal data controller. This person is someone other than the personal data controller.

Personal data processing

  • The explicit consent of the data owner is required before collecting, using, or disclosing personal data.
  • The purposes for which the personal data is being collected, used, and disclosed must be provided to the data owner.
  • The explicit consent of the data owner is required before collecting sensitive personal data such as race, ethnic background, political opinions, religious beliefs, genetics, information on their sex life, biometrics, health, trade union membership, and criminal convictions and offences.
  • The personal data controller responsible for using the personal information must ensure that the information is secure and protected from unlawful alteration or access.

Rights of the personal data owner

  • Withdraw consent which was given previously (main idea).
  • Access the personal data given and request a copy from the personal data controller.
  • Be informed when personal data is disclosed without their consent.
  • Portability of data.
  • Have personal data erased, and stop, restrict, or object to  how personal data is processed in certain circumstances.
  • Have incorrect data updated.

Regulation and enforcement

  • The Office of the Personal Data Protection Commissioner is empowered under the PDPA to act as a compliance authority. The Office of the Personal Data Protection Commissioner is a governmental authority under the Act on Tortious Liability of Officials.
  • The Personal Data Protection Commissioner has the authority to regulate the collection, use, and disclosure of personal data, and to interpret and make decision on issues arising under the PDPA.
  • A board of specialists appointed by the Personal Data Protection Commissioner will be responsible for dealing with claims related to failing to comply with or violating the PDPA.
  • Civil liabilities for damages can be imposed on a personal data controller or processor for failing to comply with or for violating the PDPA: (1) The personal data controller or processor is liable for actual damages due to such actions, regardless of whether such actions were taken intentionally or negligently; and (2) The personal data controller or processor is liable for punitive damages based on a court order.
  • Criminal penalties such as fines, prison sentences, or both can be imposed for failing to comply with or for violating the PDPA.
  • Administrative penalties may also be imposed based on the severity of the offence.

For more information, please visit the Senate website and the Ministry of Digital Economy and Society website.

Want to know more?