The Personal Data Protection Act (“PDPA”), which will be fully effective on 27 May 2020, imposes responsibilities and liabilities on those who are defined as a ‘Data Controller’ and a ‘Data Processor’. It is therefore necessary for your company to understand the roles of ‘Data Controller’ and ‘Data Processor’ in order to establish personal data policies in accordance with the PDPA.
Keywords: Mazars, Thailand, Legal, HR, PDPA, Data Controller, Data Processor
16 March 2020
We set out below information on the differences between a ‘Data Controller’ and a ‘Data Processor’, and their responsibilities:
If the Data Controller and Data Processor violate the PDPA, the following liabilities shall be imposed:
For instance, if your company outsources some HR functions to a third-party company, such as calculating and paying withholding taxes and wages for employees, your company will be the Data Controller, and the third-party company will be the Data Processor. It is important to note that outsourcing some HR functions to another company will not exempt the company from responsibilities and liabilities under the PDPA.