Nowadays our personal information is used everywhere, whether for processing transactions or for applications such as opening a bank account, applying for membership, shopping online, etc. The issue is that we provide this data only for those services but, in reality, it is being used commercially or shared with other parties, because companies are looking to gain as much data as possible for their analytics. The more data a company has, the greater its advantage over competitors in the same industry.
[Originally posted on April 2, 2020]
[Updated on May 21, 2020, due to the update from the Cabinet of Thailand] The effective date of PDPA will be postponed from May 27, 2020, to May 31, 2021.
One such experience many of you may have encountered already is getting a random call from a company trying to sell its products or services to you. The catch is that you don’t know them and have never contacted them before. This counts as a personal rights violation. These calls and approaches make people feel uneasy and sometimes scared, but we couldn’t do anything about them, since no specific laws regulated this aspect of our digital footprint in Thailand until the PDPA (Personal Data Protection Act) was published on 27 May 2019 in Thailand’s Government Gazette.
The act is under the supervision of the Data Protection Committee, Ministry of Digital Economy and Society. Here is a summary of its key compliance requirements:
- Protect personal rights by protecting any personal data that can directly or indirectly identify a person such as a name, address, email, phone number, IP address, and other sensitive data such as political attitudes, religious attitudes, sexual behaviours, etc. that may be used to attack or discriminate against the data owner.
- Any person or juristic person that collects, uses, discloses, or transfers personal data has to comply with this law and protect the data with appropriate security measures.
- Personal data can be collected only after the data owner has given consent, every single time.
- The request to collect personal data must be obvious and specific on how data will be used. The data owner can choose freely whether to consent or not and must be able to withdraw the consent afterwards.
- The data owner must have the right to access, revise, request a copy of, suspend, delete, or destroy that personal data.
- The data collector must declare the objective of data collection and the possibility to disclose or transfer that data while collecting it. The data must be used for the declared objectives only.
- The person who breaches this law will be liable for both civil and criminal cases. For a civil case, the amount of compensation can go up to twice the amount of the actual damages. For a criminal case, the fine can go up to 5 million baht or imprisonment of up to 1 year. If the offender is a juristic person, the directors could be liable.
Therefore, all organizations should revisit their processes and identify whether they comply with this act before collecting personal information. If not, we highly recommend learning the details of this act, then verifying and adjusting internal processes to comply with PDPA before it’s too late.
For website owners, there’s one thing that can be done right away: add a consent form that indicates what data will be collected when using the website and why. For those with tools such as Google Analytics, Facebook Pixel, and other analytic tools in place, a cookie banner should be set up to ensure compliance with PDPA. You can also consult one of our experts for additional guidance and implementation methods.
At the end of the day, the publication of this act is a good start to developing meaningful measures for the Thai economy and society in this digital age. It is regarded as a concrete standard to control the use of personal data, and it is in line with other developed countries that have enforced similar regulations, such as the European Union’s GDPR (General Data Protection Regulation) and Singapore’s PDPA, which was enacted prior to Thailand’s.