Responsibilities and Liabilities under the PDPA

The Personal Data Protection Act (“PDPA”), which will be fully effective on 27 May 2020, imposes responsibilities and liabilities on those who are defined as a ‘Data Controller’ and a ‘Data Processor’. It is therefore necessary for your company to understand the roles of ‘Data Controller’ and ‘Data Processor’ in order to establish personal data policies in accordance with the PDPA.

Keywords: Mazars, Thailand, Legal, HR, PDPA, Data Controller, Data Processor

16 March 2020

We set out below the differences between a ‘Data Controller’ and a ‘Data Processor’, and their respective responsibilities:

Data Controller

Definition: A natural or legal person authorized to make decisions on the collection, use, and disclosure of personal data.

Responsibilities: Implementing appropriate technical and organizational measures to ensure that data processing, such as the collection, use, and disclosure of personal data, is performed in accordance with the PDPA.

For example:

- Obtaining the consent of a data subject before or at the time of collecting, using, and disclosing personal data.

- Processing data in accordance with the scope of consent.

- Selecting a Data Processor which can provide sufficient guarantees to ensure that data processing complies with the PDPA to protect the rights of the data subject.

- Appointing a Data Protection Officer.

Data Processor

Definition: A natural or legal person who collects, uses, or discloses personal data on the order of, or on behalf of, the Data Controller. This person is someone other than the Data Controller.

Responsibilities: Providing sufficient guarantees that appropriate technical and organizational measures will be implemented so that data processing meets the requirements of the PDPA.

For example:

- Collecting, using, and disclosing personal data under lawful instructions given by a Data Controller.

- Providing sufficient security measures which safeguard personal data.

- Storing and recording data processing in accordance with the PDPA.

- Appointing a Data Protection Officer, where a notification of the PDPA Committee requires one.

If a Data Controller or Data Processor violates the PDPA, the following liabilities shall be imposed:

Territorial Scope of the PDPA

The PDPA applies to:

1. A Data Controller or Data Processor in Thailand

The collection, use, and disclosure of personal data by Data Controllers or Data Processors who are in Thailand, regardless of whether such activities take place inside or outside Thailand.

2. A Data Controller or Data Processor not in Thailand

The collection, use, and disclosure of personal data of data subjects who are in Thailand by Data Controllers or Data Processors outside Thailand, where such activities are related to:

2.1 offering goods or services to data subjects who are in Thailand, regardless of whether the data subject is required to make a payment; or

2.2 monitoring the behaviour of data subjects in Thailand.

Civil Liabilities

If a Data Controller or Data Processor fails to comply with or violates the PDPA, it is liable for the following:

1. Actual damages as a result of such actions, regardless of whether such actions were taken intentionally or negligently, unless the Data Controller or Data Processor can prove that:

1.1 such damages arose as a result of force majeure, or of an act or omission of the data subject; or

1.2 such damages arose as a result of complying with a lawful order of an official.

2. Punitive damages, as ordered by the court.

Criminal Liabilities

Fines, prison sentences, or both shall be imposed for failing to comply with or for violating the PDPA.

A fine of up to THB 1,000,000 and imprisonment for up to 1 year will be imposed, based on the severity of the offence.

Administrative Liabilities

Administrative fines shall also be imposed for failing to comply with or for violating the PDPA.

A fine of up to THB 5,000,000 will be imposed, based on the severity of the offence.

For instance, if your company outsources some HR functions to a third-party company, such as calculating and paying withholding taxes and wages for employees, your company will be the Data Controller and the third-party company will be the Data Processor. It is important to note that outsourcing HR functions to another company does not exempt your company from its responsibilities and liabilities under the PDPA.