Personal data under the PDPA law

On May 27, 2019, the PDPA (Act BE 2562), Thailand's equivalent of the European Union's RGPD (GDPR), was published; it came into force on June 1, 2022. Both pieces of legislation aim to give individuals a degree of protection for the personal data that circulates about them on the Internet, without hindering the trade in such data. Companies have to comply with the act and adapt their website's legal mentions (legal notices) accordingly.

It is first necessary to define what personal data is. Section 6 of the PDPA gives a broad definition: personal data is any data that directly or indirectly identifies a person, such as first and last name, address and telephone number.

The same text provides additional protection for so-called sensitive data. This includes, among other things, data concerning a person's state of health, sexual orientation, and political and religious opinions.

Legal mentions of website

Requirements for compliance with the regulation on legal mentions

Some of the key elements and legal mentions that must be in place to comply with the PDPA include:

➤ A "privacy policy" section containing your website's legal mentions, separate from the "terms and conditions" section and written in relatively simple and clear language
➤ Data owners must be informed of how their data will be processed (collected, used, disclosed to third parties)
➤ The purposes for which the data will be used must be appropriate and discernible both objectively, depending on the circumstances, and subjectively, according to the reasonable person test
➤ The request for consent must not be misleading or false
➤ Consent must be express and not implied; for example, the individual must click to validate their consent
➤ The website must allow the individual to withdraw consent at any time

As for the language used by your site, it should be available both in the language spoken in the country and in English. Although this language requirement is not strictly mandatory, it can be considered part of the requirement for clarity of language.

In addition, the site will need to include a privacy notice for its users covering the data collection being carried out, as part of its legal mentions. The person designated as the personal data controller must ensure that the following information is included in the legal mentions:

➤ The types of data that will be collected
➤ The purpose of the collection, even where it is based on legal grounds
➤ The length of time the data will be retained
➤ The names of the entities or persons to whom the data will be transferred
➤ The contact person(s) responsible for personal data within the company
➤ The rights of the data owners: the right to withdraw their consent, the right to access the data collected and to obtain a copy of it, and the right to request the transfer of their data to another personal data controller
➤ In a readable format, a further part of this notice must list the other main rights: the right to object to any form of data processing, the right to request suspension of use or even erasure, the right to have their data accurately updated, and the right to lodge a complaint for any violation of these rules

Exceptions to the requirements imposed on the legal mentions of your website

However, the law provides for three cases that fall outside its scope:

➤ Where contractual relationships are concerned, since these contain rights and obligations that sometimes relate to such data
➤ Where the public interest is at stake, which then takes precedence over the private interest in question
➤ Where a legitimate interest is at stake, a notion that remains relatively vague

The notion of legitimate interest covers the following cases:

➤ The purpose of the data collection is the creation of archives, research or the compilation of statistics, provided that the necessary safeguards for the rights and freedoms of the persons concerned are put in place and respected
➤ The purpose of the data collection is to prevent or eliminate a risk to a person's health
➤ The purpose of the data collection is to make the holder's request for consent contractual in nature
➤ The purpose of the data collection is to comply with any other applicable law to which the Data Controller is subject

Risks of not complying with the requirements of the PDPA

There are three types of penalties: civil, criminal and administrative.

➤ Criminal: a prison sentence of up to 1 year
➤ Civil: a fine of 1,000,000 to 5,000,000 baht or 4% of the company's total revenue; punitive damages may also be awarded on top of compensation

The PDPA also allows affected personal data holders to bring a class action lawsuit to seek redress for their injury. Such actions attract very broad media coverage and, as a result, the brand's image can be severely damaged. Your website's legal mentions must therefore comply with the PDPA.
