By Pardorn Suchiva, Legal Director

RSM Focus PDPA Last Call Article by Pardorn Suchiva – Legal Director RSM Thailand Limited

This article was put together by Pardorn Suchiva, an experienced Thailand lawyer who heads up the RSM Law Firm in Thailand. Since the Personal Data Protection Act B.E. 2562 (“PDPA”) will become effective on 1 June 2022, here is a quick summary of the key actions and documentation that business operators / organizations are required to prepare.

1. Record of Processing or ROP

The ROP or data inventory must include

2. Data Subject Action Request Form

The PDPA has granted rights to data subjects to access their personal data and request such data from the data processor. The data controller shall act on any request received within 30 days.

3. Privacy Policy & Notice

Business operators are required to provide their privacy policies and notices to data subjects on their websites, which include at least the following matters:

  • Information collected;
  • How information will be used;
  • Method of processing and protection of the data;
  • Retention period; and,
  • Rights of data subject.

4. Consent

Consent from data subjects is also a key requirement in accordance with the PDPA, which may include consents for customers, employees and candidates.

5. Cookie Consent

Business operators / organizations are required to obtain cookie consent from data subjects / users before setting cookies on their devices. Cookie consent requires business operators to clearly inform users about the cookies present on their website and the purpose of those cookies, and to give users the choice to accept or reject cookies.

6. Data Breach Notification

All data controllers are required to notify data subjects and the Office of the Personal Data Protection Commission (the “PDPC”) of any breach or leakage of personal data or any illegal transfer, together with an estimate of damages and remedial measures.

7. Legal Contracts and Agreements

Business operators are required to enter into certain legal contracts and agreements with data controllers and/or data processors in order to access, process, use, disclose, and transfer personal data that they have obtained, and to secure such data. Such legal agreements include a Data Processing Agreement, a Data Transfer Agreement, etc.

8. Rights of Data Subjects

The PDPA provides the following rights to data subjects, of which business operators / data controllers must notify them:

  • Right to be informed: The data controller is required to inform the data subject, prior to or at the time of the collection of the personal data, of required details such as the purpose of the collection, retention period, and rights of the data subject.
  • Right to access: The data subject has the right to access or request a copy of their personal data collected, used, and disclosed by the data controller.
  • Right to rectification: The data subject has the right to have incomplete, inaccurate, misleading, or out-of-date personal data held by the data controller rectified.
  • Right to erasure: The data subject has the right to request that the data controller delete their personal data.
  • Right to object: The data subject has the right to object to certain collection, use, and disclosure of their personal data, such as objecting to direct marketing.
  • Right to data portability: The data subject has the right to obtain the personal data that the data controller holds about them in a structured electronic format and to send or transfer such data to another data controller.
  • Right not to be subject to automated decision-making: The data subject has the right to restrict the use of their personal data in certain circumstances.
  • Right to withdraw consent: The data subject has the right to withdraw consent given to the data controller at any time.

9. Penalty for Non-Compliance

The PDPA provides for penalties for non-compliance, which are summarized below.

  • Administrative penalty: Fine not exceeding THB 5 million.
  • Criminal penalty: Imprisonment not exceeding 1 year, or a fine not exceeding THB 1 million, or both.
  • Civil liabilities will be calculated based on the actual damage incurred, and capped at 2 times the actual damage.
