PDPA law
What is the PDPA law?
“The Personal Data Protection Act of 2019 (PDPA)” is a law created to protect the personal data of individuals and prevent unauthorized collection and usage of such data without prior consent or notification to the data owners.
To ensure security and privacy for data owners, this law grants essential rights, including the right to be informed and consent to the collection of personal data, the right to access personal data, the right to object to data collection and usage, and the right to request the deletion or destruction of personal data.
What is personal information?
Personal data refers to information that can directly or indirectly identify the data subject. Personal data can be categorized into two types.
- General personal data includes: name, surname, ID card/passport number, nationality, driver’s license number, mobile phone number, email address, address, medical/financial/educational information, vehicle registration/home ownership records, land deeds, height, date of birth, as well as any information that can identify an individual on the internet, such as usernames, passwords, and IP addresses.
- Sensitive personal data includes: ethnicity, political opinions, religious beliefs, sexual behavior/preferences, criminal history, sensitive health information (disabilities, chronic illnesses, medical certificates, genetic information), and biometric data (fingerprints, retinal scans, facial recognition).
Sensitive personal data must be stored with particular care because it contains detailed and delicate information that could harm the data subject if it were exposed. If your personal data is compromised, it is advisable to seek legal counsel or hire an attorney to assist you.
Collecting and Retaining Personal Data: What Needs to Be Done
Individuals who must comply with the PDPA law include data subjects and data controllers. Data controllers, similar to system administrators, are responsible for collecting, organizing, and using personal data with the consent of the data subjects.
If an organization wishes to collect personal data, it must provide a ‘Privacy Policy’ that states the purpose for which the data is being collected and informs data subjects of their right to withdraw consent at any time.
The minimum standards for personal data protection include confidentiality, accuracy, completeness, availability, management and organization, technical safeguards, and physical safeguards. This includes practices such as secure document storage, controlled access, and data encryption to prevent unauthorized access by malicious actors.
Collecting personal data is a matter of utmost importance. If you are drafting a privacy policy, it is advisable to consult or hire legal counsel to ensure that it complies with the law.
Liability under the Personal Data Protection Act
- Civil liability: In civil cases, claims for compensatory damages and punitive damages may be brought to deter further violations, with punitive damages not exceeding twice the amount of the actual damage.
- Criminal liability: applies when sensitive personal data is used or disclosed without the permission of the data subject.
  - Causing harm to reputation, defamation, hatred, or embarrassment through the unauthorized use or disclosure of personal data may result in criminal liability, punishable by imprisonment for up to 6 months or a fine not exceeding 500,000 Baht.
  - Seeking unlawful benefits for oneself or others through such use or disclosure may result in criminal liability, punishable by imprisonment for up to 1 year or a fine not exceeding 1,000,000 Baht.
  - Using official duty under the law to access personal data and subsequently disclosing it may result in criminal liability, punishable by imprisonment for up to 6 months or a fine not exceeding 500,000 Baht, unless the disclosure is performed in the line of duty, for the purpose of aiding investigations, or is made to government agencies or foreign authorities with written consent from the data owner, or in relation to public interest disclosures pursuant to a lawsuit.
- Administrative liability: if a data controller does any of the following, they are liable to a fine not exceeding 1,000,000 Baht.
  - Not obtaining proper consent.
  - Not providing the required details to the data subject.
  - Denying the data subject access to their data as per their rights.
  - Not keeping records.
  - Not appointing a data protection officer (DPO).
  - Not providing support for the DPO’s duties.
- If a data controller engages in the following actions, they may be subject to criminal liability, punishable by a fine not exceeding 3,000,000 Baht.
  - Collecting, using, or disclosing data without a legal basis.
  - Failing to notify the data subject of the purpose of any new data usage.
  - Collecting data beyond what is necessary.
  - Using deceptive consent language to mislead the data subject.
  - Failing to implement appropriate security measures.
  - Not reporting breaches when they occur.
  - Transferring data internationally without legal consent.
  - Not appointing a representative in the country.
- If a data controller collects, processes, or discloses sensitive personal data without legal consent, they may be subject to criminal liability, punishable by a fine not exceeding 5,000,000 Baht.
Complaints may also be filed under the PDPA in cases where litigation is not chosen.
What needs to be notified to the data subject
- Notifying what personal data will be collected.
- Notifying the purposes for which the personal data will be used, and that it will not be used for any purpose other than those disclosed.
- Notifying the data subject of their rights under the Personal Data Protection Act of 2019, such as the right to withdraw consent, the right to access, the right to rectify, the right to erasure, the right to data portability, the right to object to processing, and the right to request the suspension of processing.
- Notifying how personal data will be stored and in what format.
- Notifying the method for the data subject to access their personal data.
- Other details can also be provided to enhance the data subject’s confidence, such as the number of data controllers, the transfer of personal data to individuals with specific roles, or the languages used.
Things to know about the PDPA
- Journalists and mass media professionals reporting news for the benefit of the public by presenting personal data of others are not in violation, as the news is disseminated for public interest.
- If anyone wishes to install CCTV cameras in a location that can record other individuals entering or passing through their premises, they must post a sign to inform others that CCTV cameras are in use, in accordance with the law.
- The Personal Data Protection Act of 2019 (PDPA) is a relatively new law, and as such, there may not yet be established legal precedents or court judgments. Considering cases under this law may require time and careful consideration.