11 July 2024

After a two-year postponement, Thailand’s Personal Data Protection Act (PDPA) will come into force on June 1st, according to Deputy Government Spokesperson Rachada Dhnadirek.

She said that the law will provide assurance to members of the public that their personal data will be protected and will not be used by unauthorised people.

Under the law, people or entities responsible for controlling or processing personal data must receive consent from the data’s owner for the collection, use of or disclosure of their personal data. They must also inform the data’s owner about the reason for using their personal data and to what purposes it will be put.

Additionally, the law recognises the right of data owners to access their personal data, the right to rectification (if the data contains errors) and the right to object to, withdraw or erase the data if it is against the principles of personal data protection or related laws.

Organisations which control or process personal data are required to have standard measures in place for the safe keeping and management of these data, said Rachada.

Rachada also said that the National Digital Economy and Society Commission is in the process of developing a platform for the government sector to accommodate this law, expected to be completed within this year, and the private sector will be able to use the platform.

There will be a system for the collection and processing of the data, a system for the management of the consent of the data’s owner, another system for the management of the rights of the data’s owner and a system for the handling of any breaches of personal data privacy or use.

There are two types of personal data, namely those which include general information, such as name, date of birth, phone number etc., and sensitive data, such as racial, sexual, religious, health, political and biometric information.

There are both criminal and civil liabilities for breaches of personal data privacy. For instance, collection, use or disclosure of sensitive personal data illegally is liable to a fine of five million baht on conviction. Collection, use or disclosure of general personal data without a legal basis is liable to a three million baht fine on conviction and failing to get consent from data’s owner or refusing the data’s owner access to their personal data is liable to a one million baht fine on conviction.

If the unauthorised use or disclosure of personal data causes damage to other people or subjects other people to hate, shame or contempt, violators may face six months in prison and/or a fine of 500,000 baht on conviction.