Thailand's first law on personal data protection came into effect on June 1 after much delay. The Personal Data Protection Act (PDPA) of 2019 was postponed twice due to COVID-19 pandemic, but it came into effect despite some efforts from private sector to delay the implementation for another two years.
The PDPA applies to data controllers, businesses and state agencies regarding the collection, processing, use and disclosure of personal information. Even if the companies are outside Thailand, but process personal data of data owners in Thailand and offer services or monitor the behaviour of those data owners, the PDPA will be applicable. These data controllers are required to seek permission from data owners for the use, collection or disclosure of their personal information.
PDPA comes with hefty penalties
It is the penalty that is making the headlines in the new PDPA law. If anyone violates Thailand's data law, they will be liable for civil and/or criminal penalties, which can go as high as 5 million baht and up to one year imprisonment.
As per the act, which has seven chapters and 96 sections, fraudulent use or disclosure of personal data can result in maximum imprisonment of six months or fine of up to 500,000 baht. However, in case of illegal abuse of personal data will fetch up to one year in jail or a fine of up to 1 million baht. Additionally, there's also administrative fines ranging from 500,000 baht to 1 million baht and the damaged party can file a civil suit for compensation.
The PDPA defines personal data as names, date of birth, phone number, home address, e-mail address, ID card number, passport number, educational and financial information, weight, height, medical and criminal records, fingerprints, and facial and iris patterns, Thai PBS World reported.
Data collectors cannot collect personal information on racial, ethnic origin, political opinion, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data and biometrics.
There are exemptions in cases of fulfilling contractual obligations, serving in the public interest, and preventing danger to an individual. Data owners have the right to be informed, the right to access their personal data, the right to rectification, objection, and withdrawal at any given time.