PDPA (Personal Data Protection Act 2019) is an act that was announced in the Royal Thai Government Gazette on 27 May 2019 and parts of the act were official on 28 May 2019. By 27 May 2020, this act was then fully official.

The reason that PDPA has become official is due to the development of technology. There are many more types of online platforms and communication channels that cause the violation of personal data to happen easier and, most of the time, it brings about problems and losses for the data’s possessors as well as affects the nation’s economy. Thus, there has to be a law regarding the protection of personal data to set the standard or measure to oversee the protection of personal data which includes the collection, usage, and disclosure of information.

Personal Data

Is the information about an individual that allows others to directly or indirectly detect that individual in which the information of the deceased and juristic person is not considered as personal data under this act.

Personal Data The general personal data is, for example, name – surname, identification number, address, mobile number, date of birth, email, educational background, occupation, photo, and financial information. Apart from that, personal data also includes Sensitive Personal Data such as medical or health records, genetic and biometric information, race, political opinion, religion and belief, gender preference, criminal record, labor union information, etc.

Data Subjects are

• Right to be informed 
• Right of access
• Right to data portability
• Right to object
• Right to erasure (also known as the right to be forgotten) 
• Right to restrict processing
• Right of rectification 

People who are involved in personal data

• Data Subject is the individual that the information refers to.
• Data Controller is the individual or juristic person that has the power to “decide” on the collection, usage, and disclosure of personal information.
• Data Processor is the individual or juristic person who processes the collection, usage, and disclosure of personal information “under the order or on behalf of the data controller”. Nevertheless, this individual or juristic person must not hold the position of the data controller.

The collection, usage, and disclosure of personal information can be done under the following conditions:

• Obtained consent from the data subject
• To make historical records or records that will be beneficial to the public, education, and statistic
• To prevent or stop danger to the life, body, and health of the individual
• For legal issues or contract
• For the benefit that is legal of data controller or other people
• For the benefit of the public and the performance of state power

Cross-border Personal Data Transfer

The destination or international organization that receives personal data will have to have a reliable standard to protect personal information. Otherwise, consent from the data subject has to be obtained or it goes according to law/contract or the benefit of the public only.

Penalty for violation of PDPA

For the personal information to be used in the right way and have more pros than cons, careful consideration will have to be taken before any disclosure of information. For example, the information for delivery purposes. If there is any information that is not related to the delivery, the data subject has the right to refuse to provide the information. Also, the data collector will have to know the limit to get personal information. There must be a system to control/verify identity to access the information and there must be an organizational policy for people who are involved to follow otherwise it will result in the following punishments:

• Civil Liability: compensation according to the actual losses and more compensation might have to be paid with the maximum cost of not more than 2 times of actual losses.
• Criminal Liability: jailed not more than 1 year or charged not more than 1 million baht or both.
• Administrative Liability: charged not more than 5 million baht.