Incidents of unauthorized disclosure of personal information to third parties have raised concern over personal data security across the globe. In 2015, the General Data Protection Regulation (“GDPR”) was published, being the first personal data protection law passed to protect all European Union citizens. To comply with international standards, Thailand adopted the provisions of the GDPR and introduced the Personal Data Protection Act B.E. 2562 (“PDPA”) on 27 May 2019, which was partially enacted on 28 May 2019, with a transitional period of one year. The Thai cabinet further postponed the full enforcement of the PDPA until 1 June 2021 due to the pandemic. However, on May 8 2021, a royal decree was issued to extend the full enforcement to June 1 2022 instead.

Need for PDPA

Many websites use “Cookies” to track customers’/users’ activities for the purposes of marketing development, research, and sales. What is collected by using cookies is “personal data” which can be used commercially. Therefore, personal data is considered a valuable asset.

One example of how the data can be used: if a seller knows exactly what you need, then s/he knows how and what to sell to you, which may help generate sales and increase revenue. Another example is the case of Cambridge Analytica and Facebook in 2016, which were alleged to have links with the Trump campaign for the 2016 U.S. election. This case involved the information of millions of Facebook users around the world and was regarded as the biggest leak in Facebook history.

As all public and private sectors keep personal data, including sensitive personal information such as race, religion, and biometrics, from 1 June 2021 all sectors must implement data security measures to prevent any unauthorized collection, use, and disclosure of such information.

Drafting privacy policy

The PDPA requires a Data Controller and a Data Processor to be responsible for personal data. All businesses must appoint both a Data Controller and a Processor. Any contravention is punishable under criminal, civil and/or administrative law. The following points must be considered when drafting a privacy policy:

Personal Data definition: The PDPA defines personal data as information that can identify a natural person, but does not include that of the deceased. It includes direct information such as name, date of birth, ID card number, social security number, etc., and indirect information, meaning any information that could be used to identify the data subject, for instance a social media account, web browsing history, cookies, etc.

Privacy Notice: A Data Controller must clearly and sufficiently inform every owner of personal information (“Data Subject”), before or during the collection, about the following:

  • Purposes: of the collection, use, or sharing of such data, and that under certain situations the data could be collected without consent from Data Subjects;
  • Reason: for the data collection and the consequences if it is not done;
  • Duration: the length of time for storage of the data;
  • Third Party Disclosure: to whom data may be disclosed (e.g. affiliates, subsidiaries, shareholders, or business partners of the Data Controller); and
  • Contact information of the Data Controller and Data Processor.

Consent: Data Controllers need to ensure that all data subjects have given consent and acknowledged how their information will be collected, used and disclosed by Data Controllers and Data Processors.

Privacy Rights: Data subjects must be sufficiently reminded of their rights over their personal information, including their right to withdraw consent at any time and to object to a data collection method.

Minors Code: The Data Controller and Data Processor need to recognize the rights of minors. In Thailand, a person under 20 years old requires his/her parents’ consent before giving any personal data; therefore, such a clause should be included in the privacy policy.

Cross-border data transfer: All foreign businesses that offer goods and/or services to data subjects in Thailand, or that observe the behavior of data subjects taking place in Thailand, may fall within the scope of the PDPA. Therefore, the data controller should inform data subjects in Thailand about any data transfer that may occur in the future.

Since the PDPA has been partially enacted, the Ministry of Digital Economy and Society (MDES) issued a notification setting out temporary minimum security standards for personal data, which has been in effect since July 2020 and will expire on May 31 2021. Therefore, it is recommended that all businesses be on the lookout for any new notification on security measures from MDES and for other supplemental regulations that may be issued.

The recent one-year extension gives businesses in Thailand more time to prepare for and understand the requirements and impact of the PDPA before collecting any personal data from individuals. It is important for all businesses to continue to provide sufficient security measures for personal data protection to avoid legal action and the risk of penalties.