In order to prevent violations of the right to privacy arising from personal information, which cause affliction, annoyance and damage to data subjects as well as to the economy as a whole, Thailand has enacted the Personal Data Protection Act.
The term "Personal Data" under this Act refers to any information relating to a person which enables the identification of that person, whether directly or indirectly, but does not include information about deceased persons in particular. The term "Person" refers only to a natural person and does not include a juristic person.
Scope of Application
This Act applies to a collection, use, or disclosure of personal data by a "Data Controller" or "Data Processor" which is in the Kingdom of Thailand, regardless of whether such collection, use, or disclosure takes place in the Kingdom of Thailand or not. In addition, this Act also applies to a case where a Data Controller and a Data Processor are outside the Kingdom, but offer products or services to the data subjects who are in the Kingdom of Thailand, irrespective of whether the payment is made by the data subjects; or a case where there is the monitoring of the data subject’s behavior which takes place in the Kingdom of Thailand.
However, this Act does not apply to the following cases:
Collection, use, or disclosure of Personal Data by a Person who collects such Personal Data for personal benefit or household activity of such Person only;
Operations of public authorities having the duties to maintain state security, including financial security of the state or public safety, including the duties with respect to the prevention and suppression of money laundering, forensic science or cybersecurity;
A Person or a juristic person who uses or discloses Personal Data that is collected only for the activities of mass media, fine arts, or literature, which are only in accordance with professional ethics or for public interest;
The House of Representatives, the Senate, and the Parliament, including the committee appointed by the House of Representatives, the Senate, or the Parliament, which collect, use or disclose Personal Data in their consideration under the duties and power of the House of Representatives, the Senate, the Parliament or their committee, as the case may be;
Trial and adjudication of courts and work operations of officers in legal proceedings, legal execution, and deposit of property, including work operations in accordance with the criminal justice procedure;
Operations of data undertaken by a credit bureau company and its members, according to the law governing the operations of a credit bureau business.
Personal Data Collection
The Data Controller may collect Personal Data only as necessary for the lawful purposes of the Data Controller, and must collect it directly from the data subject. In addition, the Data Controller must notify the data subject prior to or at the time of such collection of, among other things, the purpose of the collection, the period for which the Personal Data will be retained, the categories of Persons or entities to whom the collected Personal Data may be disclosed, and information about the Data Controller. A request for consent must be made in a written statement or via electronic means, unless this cannot be done by its nature. Such a request for consent must be presented in a clear manner, and must not be deceptive or misleading to the data subject with respect to such purpose. The data subject must be able to withdraw his or her consent at any time, unless otherwise prescribed by law.
In the event that Personal Data is collected from any source other than the data subject directly, the Data Controller must, without delay and no later than 30 days from the date of such collection, notify the data subject of the collection of Personal Data from that other source, and obtain the consent of the data subject.
The collection of Personal Data containing sensitive content, such as race, ethnicity, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or any other data which affects the data subject in the same manner, also requires the explicit consent of the data subject, except in cases prescribed by law.
Use or Disclosure of Personal Data
The Data Controller may use or disclose Personal Data on the condition that the consent of the data subject has been obtained. A Person or juristic person who obtains the Personal Data may not use or disclose such Personal Data for any purpose other than the purpose previously notified to the Data Controller.
In the event that the Data Controller wishes to send or transfer the Personal Data to a foreign country, the destination country or international organization that receives such Personal Data must have adequate data protection standard. In the event that the Personal Data is sent or transferred to a foreign country which is in the same affiliated business, or is in the same group of undertakings, in order to jointly operate the business or group of undertakings, such sending or transferring can be carried out on the condition that there is a Personal Data protection policy which has been reviewed and certified by the Office.
Rights of the Data Subject
The data subject is entitled to request access to and obtain a copy of the Personal Data related to him or her, and to request disclosure of how Personal Data was acquired without his or her consent. In addition, the data subject is entitled to request the transfer of, to object to, and to request the deletion of the Personal Data.
Duties of the Data Controller
The Data Controller is a Person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data. The law therefore stipulates duties of the Data Controller, namely to provide security measures. In the event that the Personal Data is to be provided to Persons or juristic persons other than the Data Controller, the Data Controller must prevent such persons from using or disclosing the Personal Data without authorization or unlawfully. The Data Controller must put in place an examination system for the erasure or destruction of the Personal Data as prescribed by law. The Data Controller must also notify the Personal Data Protection Commission (PDPC) of any Personal Data breach. In the event that the Data Controller is outside the Kingdom of Thailand, the Data Controller shall designate in writing a representative who must be in the Kingdom of Thailand.
Duties of the Personal Data Processor
The Data Processor is a Person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to orders given by or on behalf of a Data Controller, unless such order is against the law; such Person or juristic person is not the Data Controller.
The Data Processor has a duty to provide security measures and to notify the Data Controller of the Personal Data breach that occurred. This includes preparing and maintaining records of Personal Data processing activities.
In the event of any violation of the Personal Data Protection Act, it is noteworthy that, in addition to the civil liability and criminal liability prescribed by the law, the Act also aims to protect the common interest. Administrative liability is therefore also prescribed. Liability can be divided as follows:
1. Civil Liability
Persons who are subject to civil liability under this law are both the "Data Controller" and the "Data Processor", whereby the scope of a Personal Data breach focuses on a violation of, or non-compliance with, the provisions which causes damage to the data subject. In this regard, the Data Controller or the Data Processor must compensate the data subject for such damage. In addition, this law also stipulates punitive damages by empowering the court to order the Data Controller or the Data Processor to pay punitive damages in addition to the actual compensation, but not exceeding twice the amount of such actual compensation.
2. Criminal Liability
Any "Data Controller" who violates or fails to comply with the provisions is punishable with a fine and imprisonment.
Any person who comes to know the Personal Data of another person as a result of performing his or her duties and discloses it to any other person may be subject to criminal liability under this law as well.
In the case where the offender is a juristic person and the offense is committed as a result of instructions given by, or an act of, any director, manager or person responsible for such act of the juristic person, or where such person has a duty to instruct or perform any act but omits to do so with the result that the juristic person commits the offense, such person is also subject to the penalty prescribed for that offense.
3. Administrative Liability
This law also provides for administrative liability, which takes the form of administrative fines. Those who may be subject to administrative liability include the "Data Controller", the "Data Processor" and the "Representative of the Data Controller or of the Data Processor". This also includes any person who fails to comply with an order given by the expert committee, fails to provide a statement of facts, or fails to facilitate government officials as prescribed by law.