How is the PDPA applied in Thailand?
Since the law was enacted, data controllers and data processors, those who possess the personal data of others (data subjects), have been required to comply with the law to protect that personal data. The legal obligations include:
• Implementing appropriate security measures, preparing a personal data protection policy, and having an auditable data management system that corresponds to the risks involved in storing and using personal data.
• Establishing control systems to prevent unauthorized access or disclosure of personal data without the consent of the data subject or a lawful authority.
• Setting up a system to review the personal data in their possession, and to delete or destroy it when the retention period for the purposes of collection expires.
• Reporting personal data breaches to the Personal Data Protection Committee within 72 hours of a breach.
• Appointing a data protection officer (DPO) within the organization or a representative in Thailand.
• Maintaining a record of processing activities (RoPA) so that the data subject and the Personal Data Protection Committee can inspect it. Data controllers and data processors who fail to establish these protective measures and systems will be considered in violation of the law and may face administrative penalties, including fines, compensation to data subjects, punitive damages, and possible criminal prosecution.
On 31 July 2024, the Personal Data Protection Committee issued a decision on a complaint by a personal data subject who suffered harm due to a data leak from a seller of IT goods in Thailand, where personal data was leaked to call centres. The committee imposed a fine totalling THB 7 million on the business, broken down as follows:
• THB 1 million for failing to appoint a data protection officer.
• THB 3 million for failing to implement proper data security measures, resulting in the data leak.
• THB 3 million for neglecting the complaint and failing to report the data breach to the committee within 72 hours.
This penalty requires the business to pay the fine to the Personal Data Protection Committee, but the business also remains liable for civil and criminal damages suffered by the data subject. The data subject may claim civil damages based on actual harm incurred, as well as punitive damages of up to twice the actual damages. Additionally, they have the right to ask the court to impose criminal penalties on the business, which may include a prison sentence of up to one year and a fine not exceeding THB 1 million. Furthermore, executives or managers responsible for the legal entity’s operations may also face penalties under Section 81 of the PDPA.
To mitigate the risk of violating the PDPA in Thailand, businesses should comply with the law by preparing a personal data protection policy, implementing control systems for the collection, use, and disclosure of personal data, appointing a data protection officer, having a system to notify authorities of personal data breaches, and maintaining a record of processing activities (RoPA) for inspection by both data subjects and state authorities.