Expanding your business in Asia? Here’s what is new in Data Protection Compliance in Thailand
29 March 2023
This article discusses the emergence of data protection regimes in the Asia Pacific region and the changes that have occurred in the past decade. Specifically, it focuses on Thailand’s Personal Data Protection Act BE 2562, which came into effect in June 2021, and the requirements for privacy and data protection under the current regulatory environment. The article highlights that violations of the PDPA can lead to both civil penalties and criminal liability. Additionally, the article examines the legal bases for data processing, sensitive data, and processing data for research purposes under the PDPA. Unlike the GDPR, there are no specific rules for the collection, use, or disclosure of pseudonymised data, and the definitions of Data Controller and Data Processor are slightly different under the PDPA.
The emergence of data protection regimes has been increasing significantly worldwide, including across the Asia Pacific region. The transformation of the data protection landscape has been dramatic in the past decade and will continue to change rapidly.
Along with our Asian neighbours, Thailand is one of the first five countries that have brought data protection rules into effect.
Thailand’s Personal Data Protection Act BE 2562 (“PDPA”)
Thailand’s Personal Data Protection Act BE 2562 (“PDPA”) entered into effect in June 2021. The Act brings significant changes to the data protection regulatory environment, and every business that operates in the region needs to know how to navigate the new requirements for privacy and data protection. It is important to note that violations of the PDPA can lead to both civil penalties and criminal liability.
Under the PDPA, regardless of whether the collection, use, or disclosure of Personal Data takes place in the Kingdom of Thailand or not, the Act applies to the processing of Personal Data by all Data Controllers and Data Processors located in the Kingdom of Thailand (Establishment Criteria).
Where a Data Controller or a Data Processor is established outside of Thailand, the Act applies to the collection, use, or disclosure of Personal Data of data subjects who are in Thailand, where the activities of such Data Controller or Data Processor are (Targeting Criteria):
- the offering of goods or services to data subjects who are in Thailand, irrespective of whether payment is made by the data subject; and
- the monitoring of the data subject’s behaviour, where the behaviour takes place in Thailand.
Unlike the GDPR, a broad range of terms are not defined under the PDPA, such as pseudonymised data, and the definitions of Data Controller and Data Processor are slightly different.
While GDPR defines the Data Controller as the person who defines the purpose and means of data processing activity, the PDPA defines it more specifically as a Person (or legal person) who has the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data. The “Data Processor” is a person, who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, and it must not be the Data Controller themselves.
The legal bases for data processing are more or less aligned with the GDPR.
The Data Controller shall not collect, use, or disclose Personal Data, unless the data subject has given consent prior to or at the time of such collection, use, or disclosure, except where it is permitted to do so by the provisions of PDPA or any other laws.
Unless this cannot be done due to its nature, a request for consent must be made explicitly, in writing or via electronic means.
The data subject may withdraw their consent at any time.
Where a minor is below the age of 10 years, the consent of the person with parental responsibility over the child must be obtained.
In accordance with the transparency principle, prior to or at the time of collecting the Personal Data, the Data Controller must inform the data subject of such collection as described in Article 23 of the PDPA.
Without consent, the Data Controller shall not collect Personal Data of the data subject, unless:
- it is for the achievement of a purpose relating to the preparation of historical documents or archives of public interest, or for a purpose relating to research or statistics, where suitable measures to safeguard the data subject’s rights and freedoms are put in place in accordance with the notification prescribed by the Personal Data Protection Committee (the “Committee”);
- it is for preventing or suppressing a danger to a Person’s life, body or health;
- it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
- it is necessary for the performance of a task carried out in the public interest by the Data Controller, or it is necessary for the exercising of official authority vested in the Data Controller;
- it is necessary for the legitimate interests of the Data Controller or of any other natural or legal person other than the Data Controller, except where such interests are overridden by the fundamental rights of the data subject regarding their Personal Data;
- it is necessary for compliance with a law to which the Data Controller is subject.
Article 26 of the PDPA provides an exhaustive list of special categories of data which includes data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner, as prescribed by the “Committee”.
Processing Data for Research Purposes
Processing of special categories of data is prohibited unless explicit consent is obtained from the data subject, except where it is necessary for compliance with a law to achieve certain purposes such as public interest in public health… or ensuring standards or quality of medicines, medicinal products, or medical devices, or where the purpose of processing is scientific, historical, or statistical research, or other public interests, which must be carried out only to the extent necessary to achieve such purposes. In these cases suitable measures must be implemented to safeguard the data and to protect the fundamental rights and interests of the data subject, as prescribed by the “Committee”.
Unlike the GDPR, the PDPA defines no specific rules for the collection, use, and disclosure of personal data for research purposes. It merely requires that “suitable measures” be put in place. In addition, the term “scientific research” is not defined under the PDPA.
Rules for Data Transfers to Countries outside Thailand
Likewise, when transferring data to a foreign country, the destination country or international organisation must have adequate data protection standards, and the transfer must be carried out in accordance with the rules for the protection of Personal Data as prescribed by the “Committee” (as described in Article 28).
However, the PDPA provides some exceptions in the following circumstances:
- where the transfer is for compliance with the law;
- where the consent of the data subject has been obtained, provided that the data subject has been informed of the inadequate Personal Data protection standards of the destination country or international organization;
- where it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
- where it is for compliance with a contract between the Data Controller, and other natural or legal persons for the interests of the data subject;
- where it is to prevent or suppress a danger to the life, body, or health of the data subject or other Persons, when the data subject is incapable of giving consent at such time; and
- where it is necessary for carrying out the activities in relation to substantial public interest.
In addition, where there is an issue regarding the adequacy of the standard of data protection in the destination country or international organization, such issues must be submitted to the “Committee” for its decision.
The decision made by the “Committee” may be reviewed when there is new evidence demonstrating that the destination country or international organization who receives Personal Data has developed adequate Personal Data protection standards.
Multinational companies established in Thailand may transfer data to affiliated businesses, or within the same group of undertakings outside of Thailand, as long as they put in place a Personal Data Protection Policy governing the sending or transferring of Personal Data outside of Thailand that has been reviewed and certified by the Office of the Personal Data Protection Committee (the “Office”).
In the absence of a decision by the “Committee” in accordance with Article 28, or without the Personal Data Protection Policy within subsidiary companies referred to above, the Data Controller or the Data Processor may transfer Personal Data to a foreign country under an exemption to Article 28 if the Data Controller or the Data Processor provides suitable protection measures which enable the enforcement of the data subject’s rights, including effective legal remedial measures according to the rules and methods as prescribed and announced by the Committee.
Data Subjects’ Rights
Data subjects are entitled to request access to and obtain a copy of the Personal Data related to them, or to request disclosure of how Personal Data obtained without their consent was acquired.
Data subjects also have the right to receive the Personal Data concerning them from the Data Controller in the format which is machine readable using commonly used tools and methods.
Data subjects have the right to request restriction of the use of the Personal Data, to object to the collection, use, or disclosure of the Personal Data concerning them at any time, and to request the erasure or anonymisation of the Personal Data under particular circumstances.
In any event, the Data Controller shall ensure that the Personal Data remains accurate, up-to-date, complete, and not misleading.
Where a Data Controller does not take action regarding the request of the data subject, the Controller shall record the request of the data subject together with reasons for not complying with the request.
What are the main duties of the Data Controller?
The Data Controller’s obligations are reasonably close to those defined in the GDPR:
- to provide appropriate security measures for preventing the unauthorised or unlawful loss, access to, use, alteration, correction, or disclosure of Personal Data. Such measures must be reviewed when necessary, in particular when technology has changed;
- to take action to prevent people from using or disclosing such Personal Data unlawfully or without authorisation;
- to put in place procedures for the secure erasure or destruction of the Personal Data when the retention period has ended, when the Personal Data is no longer relevant to the purpose for which it was collected, when the data subject has requested its erasure, or when the data subject has withdrawn consent. There are exemptions from erasure at the data subject’s request for the purposes of freedom of expression, the establishment, compliance, exercise or defence of legal claims, or compliance with the law;
- to notify the “Office” of any Personal Data breach without delay and, where feasible, within 72 hours after having become aware of it, unless the Personal Data breach is unlikely to result in a risk to the rights and freedoms of the data subjects. If the Personal Data breach is likely to result in a high risk to the rights and freedoms of the Persons concerned, the Data Controller shall also notify the data subject of the Personal Data breach and the remedial measures without delay. The notification and the exemption from notification shall be made in accordance with the rules and procedures set forth by the “Committee”;
- when the Data Controller is established outside of Thailand, to designate in writing a representative of the Data Controller, authorised to act on behalf of the Data Controller without any limitation of liability with respect to the collection, use or disclosure of the Personal Data according to the purposes of the Data Controller;
- to designate a data protection officer in the circumstances described in Article 41 of the PDPA; and
- to maintain records of data processing in order to enable review by the data subject and the “Office”. The records can be in either written or electronic format.
The Act also defines specific rules for Data (Article 40), and the duties and powers of the Competent Officer in Chapter IV.
Notably, a Data Controller or Data Processor whose operation in relation to Personal Data violates or fails to comply with the provisions of this Act and causes damage to the data subject shall compensate the data subject for such damage, regardless of whether the operation was performed intentionally or negligently, except where the Data Controller or the Data Processor can prove that the operation was a result of:
- a force majeure, or the data subject’s own act or omission to act; and
- an action taken in compliance with an order of a government official exercising their duties and powers under the law.
The Court has the power to order the Data Controller or the Data Processor to pay punitive damages in addition to the actual compensation awarded.
Any Data Controller who violates the provisions of Article 27 (use or disclosure of personal data without consent), or fails to comply with Article 28 (transfer rules), in relation to Personal Data under Article 26 (collection of sensitive data), in a manner likely to cause a data subject to suffer damage or impairment of their reputation, or to expose them to scorn, hatred, or humiliation, shall be punished with imprisonment for a term not exceeding six months, a fine not exceeding five hundred thousand Thai Baht ($14,000), or both.
Any Data Controller who violates the provisions of Article 27, or fails to comply with Article 28, in relation to Personal Data under Article 26 (collection of sensitive data), in order to unlawfully benefit themselves or another person, shall be punished with imprisonment for a term not exceeding one year, a fine not exceeding one million Thai Baht ($28,000), or both.
Unlike the GDPR, the PDPA also imposes criminal liability on any person who comes to know the Personal Data of another person as a result of performing duties under this Act and discloses it to any other person. They shall be punished with imprisonment for a term not exceeding six months, a fine not exceeding five hundred thousand Thai Baht, or both.
It should be noted that this provision leaves unclear whether intent and/or damage to the data subjects is required.
Last but not least, where a company commits an offence under this Act as a result of instructions given by, or the act of, any director, manager or other person responsible for the act of the legal person, that person shall be liable for the offence. Where such a person has a duty to instruct or perform an act but omits to do so until the legal person commits the offence, that person shall also be punished with the punishment prescribed for the offence.
Interested in learning more about what applies in the context of a Clinical Trial or in other Asian countries? Do not hesitate to contact us at MyData-TRUST, experts in Data Protection in Life Sciences.