HomeIntellectual propertyData protection

Learn more about Data Protection in Thailand

It is necessary for companies operating in Thailand or managing Thai resident data to get acquainted with data protection. The person in charge of a file, computer or paper, must respect obligations (legality of the file, data security, information of people, etc.). You have the right to control the use that is made of your data. In particular, you can ask to access your data, have it corrected, or object to appearing in a file. With the enforcement of the new data protection act, the companies shall immediately examine their internal control of personal data and initiate regulatory action. The enforcement of the crucial provisions of the PDPA Documents that focuses on collecting, using, and sharing personal information began on May 28, 2020.

Table of contents


What is data protection?

In everyday life, you transmit personal data to various organizations as administrations, employers, associations, commercial companies (e.g., bank, telephone, internet social network, internet search engine, etc.). With some exceptions, the person responsible for a file containing personal, computer, or paper data must provide you with the following information:

➤ Purpose of the file (for example to manage the consumer's online purchase)
➤ Legal basis of the record (e.g., your consent, the performance of a contract, compliance with a legal obligation)
➤ Who has access to the data (for example, competent internal services, service provider)
➤ Data retention period

The controller must prevent your data from being distorted, damaged, or accessed by unauthorized persons. It must set a reasonable retention period, depending on the purpose of the file.

What is the PDPA?

Like the GDPR, the PDPA’s purpose is to prevent Thai data owners from inappropriately storing, utilizing, or exchanging personal details. The PDPA works mainly on shielding data owners against the unauthorized compilation, usage, or dissemination of personal data. Like the GDPR, websites are expected to have a simple and clear language in their privacy policies, seek users’ active consent at the point of collection, share the data with third parties, and outline the purpose of collecting this information.

As such, data proprietors’ privileges under the PDPA include:

➤ The need to know
➤ The right of entry
➤ The Software Portability Standard
➤ The freedom to talk out
➤ The opportunity to be lost
➤ The ability to limit production
➤ The right to make amends

Who needs to comply with the PDPA?

The PDPA scope covers companies not headquartered in Thailand that market or track their behavior to Thai residents for goods or services. Most importantly, this law applies irrespective of whether any payment is required for those activities.

Any of PDPA’s critical differences to GDPR include:

➤ A collection of ethical frameworks for personal knowledge processing
➤ Personal Privileges
➤ Establishment of a data protection oversight body
➤ Under the PDPA, consent, legal obligation, public interest, and legitimate interest are the legal bases for processing personal data

What are the Thai regulations?

The Data Protection Act BE 2562 (2019) (PDPA) was published in the Official Gazette of Thailand on May 27, 2019. The PDPA is overseen by the Ministry of Digital Economy and Society, and the leading authority for PDPA oversight is the Data Protection Committee (Bureau).

The PDPA is expected to transform the data security environment in Thailand, as it is the country’s first unified legislation. The purpose of PDPA is to protect data owners in Thailand from the unwanted or unlawful compilation, use, or disclosure of their personal data and its processing.

PDPA refers to non-Thai entities that provide goods and services to individuals in Thailand (regardless of whether payment is required) or follow individual actions in Thailand. The legislation is expected to have a significant impact on internet service providers not based in Thailand, which plans to start serving the Thai sector.

PDPA refers to the processing, use, and disclosure by a data controller or data processor based in Thailand, even if the personal data is obtained, used, and published outside of Thailand.

Besides, the PDPA applies to data controllers and data processors outside Thailand, but only in the following cases:

➤ When goods or services are offered in Thailand to relevant persons, whether or not payment has been made
➤ In Thailand, the activity of the people concerned is monitored

The collection, use, and disclosure of personal data must comply with one of the six legal bases listed below. For all of these situations, the authorization would be required for the recipient of the data to access, use, and report personal information.

The identified terminology used in the PDPA is, for the most part, consistent with other European legislation, further suggesting that Thailand could follow an EU-inspired agreement.

Personal data: generally described as anything that can recognize an entity explicitly or indirectly, except for details of a deceased person and private sector records such as contact details, names, or addresses
Data controller: a person or entity authorized to decide on the collection, use, or disclosure of personal data
Data processor: a person or organization that collects, uses, or discloses personal data in accordance with the orders of the controller

What are the PDPA requirements?

Similar to GDPR, Thailand’s PDPA explicitly states that clear and express consent must be requested before or before collecting personal information. The statute then specifies that authorization requests will not be misleading or ambiguous.

Another important feature of the PDPA consent criteria is that data owners have the right to revoke their consent at any specified period. The deletion, however, does not affect the compilation, retrieval or distribution of the legally consented personal data.

However, the law also waives the need for consent in specific circumstances to collect personal information. It includes:

➤ Respect of mutual commitments
➤ Community concern
➤ Relevant value
➤ Regarding children, data protection regulations in Thailand require parental consent for those under the age of 10. This clause differs from the GDPR, which covers all children under 16 who need parental consent

What is the Data Protection Act enforcement?

The Thai companies shall take the appropriate measures to ensure that all PDPA regulations are complied with by May 27, 2020. Some of the steps include:

➤ Data mapping shows how the company collects, processes, transmits and stores data, including the legal basis for collecting and using personal information
➤ Reviewing existing protection policy, arrangements, and procedures
➤ Implementation of applications and operating systems in the data processing
➤ Updating current privacy alerts and providing correct legal records
➤ Ensure the managers and personnel are professionally qualified according to the PDPA's applicable criteria
➤ Carrying out a distance review to evaluate existing enforcement rates
➤ Processes in place which exercise the rights of individuals with respect to their data

What are the consequences of infringement?

A violation of the PDPA can result in civil liability, criminal liability, and administrative fines. For example, a controller who collects uses or discloses personal data without the consent of the data subject (where consent is required) will be liable to administrative fines not exceeding THB 3 million.

In addition to the penalties, the PDPA frequently requires courts to impose punitive liability of up to twice the value of direct losses and a one-year prison sentence. Finally, the PDPA let’s data owners lodge lawsuits for the class action.

When shall the Data Protection Act be effective?

After several legislative attempts, Thailand’s Personal Data Protection Act (PDPA) was approved in February 2019. The PDPA was published in the Royal Thai Government Gazette. However, following the COVID situation, the government postponed the application of Thailand’s Privacy Act, B.E. 2562 (AD 2019) (the “PDPA”) until May 31, 2021.

The application by these controllers of the main regulatory requirements related to personal data protection (including those relating to approval requests from data subjects; collection/use and disclosure of personal data; rights of data subjects; complaints; and liability and penalties), which was initially scheduled to come into effect this year, has been postponed for another period of one year.

Update: The Thai government issued an Interim Statement of Guidelines for the Protection of the Security of Personal Information (the “Statement”) on July 17, 2020. The notice is meant to serve as an interim solution to ensure that personal data is covered until the PDPA deferred protections come into effect in 2021. Application with the PDPA is mandatory. Under the notice, all controllers must automatically apply specific protective controls and precautions, including, among others, financial, technological, and physical protections for the security of personal data and the preparation and awareness of the staff.

How to protect your company data?

Corporate espionage is a reality that no responsible business owner can ignore. The consequences can go as far as leading business to bankruptcy or legal action. The secure storage of digital data is, therefore, an essential element in the survival of companies.

1. Identify the risks for your company

For companies, data theft has led to their takeover or even disappearance. This is the case, for example, if the company has a pirated research and development file. The competitor who will have recovered the data will be able to launch a product at a much lower price.

Another risk: Internet connections by wi-fi terminal, which are becoming widespread and increasing the risk of their PCs being hacked.

Protecting your computer files from unauthorized access is essential for your business. Indeed, managers or employees are not immune to the theft of sensitive documents such as customer databases, patents, private photos, financial information, lawyers‘ instruction files, confidential reports or projects, calls for offers, industrial plans, quotes… Thefts that can occur both while traveling and within the company itself by unscrupulous staff.

2. The ultra-secure storage solution

The only solution to protect your most sensitive files and not compromise years of work is to use encrypted storage means (external or internal). The key or hard drive provides military-grade protection: unauthorized attempts to retrieve your files, the key self-destructs, rendering it’s content inaccessible and unusable. Note that using the USB key or hard drive leaves no trace on the PC hard drive, all information is stored on the key or disk.

3. Exceptional protection - No rear door

No digital data recovery in the world, or any specialized software, can access the encrypted contents of the USB stick or hard drive without the super-protected password. Recovering files without the correct password is merely impossible, as the key reformats after ten failed entry attempts destroy data forever. Therefore, we recommend that you make a previous backup to another key or hard drive.

Share information