Thailand’s Personal Data Protection Act BE 2562 (PDPA)

The PDPA is the first consolidated law governing data protection in Thailand. It was enacted in May 2019, but full enforcement was postponed by royal decree, first to June 2021 and then, following the Cabinet's approval of a further decree, to 1 June 2022.

Its key principles are modelled on the GDPR. The Act gives data subjects the right to transparency about how their personal data is collected, used and disclosed. It applies to any organization that collects, uses or discloses personal data from within Thailand, whether or not it is formed or recognized under Thai law, and also to controllers and processors outside Thailand that offer goods or services to data subjects in Thailand or monitor their behaviour there. Coverage turns on the data subject being in Thailand rather than on nationality, and the data remains covered wherever it is accessed from, inside or outside the country.

Primary Legislation

  • The Constitution of the Kingdom of Thailand protects the human dignity, rights, freedoms and equality of all Thais.
  • The Constitution recognizes the right to privacy, as well as the right to protection against undue exploitation of personal data relating to the individual.
  • In case of a violation of the right to privacy, the affected individual may be entitled to claim damages in tort under the Thai Civil and Commercial Code.
Secondary Legislation

  • The secondary legislation requires the data controller to maintain appropriate security measures.
  • It also sets out the criteria and methods for organizing, making and keeping records, including records of processing activities.
  • Small and medium enterprises are exempt from the requirement to organize, make and keep records of processing activities, subject to the conditions set out in the relevant notification.
  • It also sets out the criteria for issuing administrative fines and orders of the expert committee.

Key Definitions

Personal Data

Any information relating to a person which enables the identification of that person, whether directly or indirectly, but not including information about deceased persons.

Sensitive Data

Any personal data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or any other data which may affect the data subject in the same manner, as prescribed by the PDPC.

Biometric Data

Personal data arising from the use of techniques or technology relating to the physical or behavioural characteristics of a person, which can be used to identify that person as distinct from other persons, such as facial recognition data, iris recognition data or fingerprint recognition data.

Similarities Between PDPA and GDPR

  • Both laws have a similar legal framework for how and when personal data may be collected.
  • Under both, any information that can identify a person, either on its own or in combination with other information, is personal data.
  • Both require a Data Protection Officer where processing is carried out on a large scale.
  • Both protect the personal data of individuals within their jurisdiction, whether or not the data controller or processor is established within the law's territorial bounds.
  • Both require explicit, informed consent where consent is the lawful basis for processing, and both recognize other lawful bases (such as performance of a contract or compliance with a legal obligation).
  • Both grant data subjects a comparable set of rights, and both protect only living persons, excluding information about the deceased.
  • Under both, a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it; affected data subjects must also be notified where the breach is likely to result in a high risk to their rights and freedoms.

Differences Between PDPA and GDPR

Personal Scope

  • PDPA: Does not apply to public authorities that maintain state security, including the financial security of the state or public safety, including duties relating to the prevention and suppression of money laundering, forensic science or cybersecurity. Also excludes 'the House of Representatives, the Senate, and the Parliament, including the committee appointed by the House of Representatives, the Senate, or the Parliament, which collect, use or disclose personal data in their consideration under the duties.'
  • GDPR: Applies to data controllers and data processors, which may include public bodies, and does not exclude legislative bodies.

Material Scope

  • PDPA: Does not differentiate between, or refer to, automated and non-automated means of processing.
  • GDPR: Applies to the processing of personal data by automated means, and by non-automated means where the data forms part of a filing system.

The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud's compliance capabilities or scope.

©2021 All Rights Reserved. AnnexCloud