Personal Data Protection Act (PDPA): Companies are Responsible for Data Privacy
Last year, Thailand passed the Personal Data Protection Act (PDPA) to ensure data privacy in the Kingdom. The official Royal Gazette announcement was on May 27, 2019, and the law provided a year for relevant parties to ensure compliance. As there are only a few months from this article’s publication date before the law comes into full effect, we would like to remind employers and employees of their rights and responsibilities under the PDPA.
Most Companies Must Comply with the PDPA
Reading about the PDPA, you might think that your company does not have any liability. “Data processor” and “data controller” may seem like terms that do not describe your operations. But they do. A data controller is any person or entity who decides whether data is required and from whom. A data processor is any person or entity who collects, uses, or otherwise manages the data at the data controller’s instructions. If you are an employer or employee who collects and uses customer and/or employee data (both considered “data subjects”), you are very much a data controller as well as a data processor.
The PDPA does make a distinction between a data controller and data processor, but you may ultimately be liable either way. Even if you outsource certain data processing functions, such as human resources or payroll, you are still responsible under the law.
The PDPA is based on but not the same as the GDPR
Anyone dealing with EU citizens or entities will have heard of the General Data Protection Regulation (GDPR). While Thai legislators used the GDPR as a guide when drafting the PDPA, you shouldn’t assume that the two are the same. Understanding the PDPA is vital for compliance and for avoiding unnecessary regulatory action.
Fundamentally, all companies need to receive consent from their employees, candidates, customers, and potential customers in order to legally collect, use, or disclose their information. There are certain exemptions, but as more jurisdictions implement similar safeguards, it’s better to be safe than sorry. Strict compliance with data privacy rules will also benefit companies in terms of their overall standing and reputation.
GPS Legal can help with PDPA compliance
From May 27, 2020, all relevant parties must comply with the PDPA. If you haven’t already implemented PDPA-compliant policies, or are still concerned about them, GPS Legal can help you. We can review your current policies, including your arrangements with employees, customers, vendors, third-party service providers, and any other relevant contracts, to ensure compliance. Those who are not compliant may find themselves facing civil, criminal, and administrative liabilities. These include severe monetary fines and imprisonment, in addition to civil damages, all of which could add up to millions of baht and years in prison.