2019 PWC Legal Insight


PwC Legal Insight # 01/2019

LEGAL UPDATE
TAX & LEGAL Services
*Issued Date: 08 March 2019

Heading : Thailand’s Personal Data Protection Act (PDPA)

The following report may be of interest to : All clients

Summary : Thailand’s Personal Data Protection Act (PDPA) was approved by the National
Legislative Assembly on 28 February 2019 and, after being signed and endorsed
by the monarch, it will be published in the Royal Thai Government Gazette and
passed into law. After this, several pieces of subordinate legislation will be enacted
to provide a procedural framework so that the PDPA can be practically enforced.

Many provisions relating to the collection, use, and disclosure of personal data will
come into force and into effect one year after the publication of the Act in the Royal
Thai Government Gazette. The table below provides the key elements of the
significant provisions of the PDPA.

Subject : Key provision

Important defined terms :

Personal data - data that can directly or indirectly identify a person, but not
the personal data of a deceased person. Sensitive personal data is also
controlled under the PDPA. Personal data doesn’t include business information
(e.g. the business title, address, and contact details).

Data controller - a natural or juristic person who has the authority to decide
on the collection, use or disclosure of personal data.

Data processor - a natural or juristic person who collects, uses or discloses
personal data in accordance with the order or on behalf of the data controller.

Collection of personal data :

The collection of personal data requires the consent of the data owner and must
be for a lawful purpose and directly relevant to, and necessary for, the
activities of the data controller. Before or when personal data is collected,
the data owner must be notified of the following:

1. The purpose for the collection
2. The need to give the personal data in order to comply with laws or
contracts, or enter into contracts. Also, the possible consequences of not
providing the personal data
3. The data to be collected and the period of time to retain the collected data
4. The person to whom the personal data might be disclosed
5. The contact information of the data controller
6. The rights of the data owner.

© 2019 PricewaterhouseCoopers Legal & Tax Consultants Ltd. All rights reserved.
PwC refers to the Thailand member firm, and may sometimes refer to the PwC
network. Each member firm is a separate legal entity. Please see
www.pwc.com/structure for further details.

This content is for general information purposes only, and should not be used
as a substitute for consultation with professional advisors.

At PwC, our purpose is to build trust in society and solve important problems.
We’re a network of firms in 158 countries with more than 236,000 people who are
committed to delivering quality in assurance, advisory and tax services. Find
out more and tell us what matters to you by visiting us at www.pwc.com.

Consent :

Consent from a data owner is a key element of the PDPA. It’s essential for
personal data processing.

Legitimate consent is a form of consent that doesn’t impose unnecessary
conditions on the data owner in any circumstance, and must be:

1. clearly expressed in writing or through an electronic system before or at
the time of the collection, use or disclosure
2. in a form/detail that is easy to access and understand, and
3. freely given by the data owner.

Extraterritorial effect :

The PDPA will apply to the collection, use or disclosure of personal data,
whether in Thailand or elsewhere, by the personal data controller or the data
processor who is residing in Thailand. It also applies to those residing
outside Thailand if they offer products or services to the data owner residing
in Thailand, whether or not payment is made, or if they monitor the activity of
the data owner in Thailand.

Data owner’s rights :

Data owners have legitimate rights under the PDPA. They can do any of the
following:

1. withdraw their consent, at any time. However, this doesn’t affect the
collection, use or disclosure of the personal data that has already been
consented to.
2. request access to or make a copy of their own personal data that is under
the responsibility of the personal data controller.
3. oppose the collection, use or disclosure of their own personal data at any
time.
4. request that the data controller delete or destroy the personal data, make
their personal data anonymous or make it impossible for other people to
identify the data owner when keeping the data is no longer necessary for the
agreed purpose, or when the data owner withdraws their consent.
5. request that the data controller suspend the use of their personal data.
6. request the data controller to perform any actions to make sure that the
personal data is accurate, up-to-date, complete and not misleading.

7. make a complaint if the data controller, the
personal data processor, its employee or contractor
violates or doesn’t comply with the PDPA.

Whenever the data owner exercises any of the rights stated above, the data
controller must act upon and complete the data owner’s request within a period
specified by law. Any delay or failure may give rise to adverse consequences.

Duties of the data controller and data processor :

Duties of the data controller and data processor with respect to personal data
processing

Data controller

1. Inform the data owner of (i) the objectives of the collection, use or
disclosure of personal data and that the data will be collected, used or
disclosed according to the objectives so informed, and (ii) the impact of the
withdrawal of consent.
2. Provide appropriate security measures to prevent
loss, access, use, change, correction or disclosure of
personal data without authorisation or in an
unlawful way.
3. Prevent the use or disclosure of personal data that is
given to parties other than the data controller
without authority or in an unlawful way.
4. Provide an inspection system to detect personal data
that has been kept for longer than necessary or is not
relevant to the objective.
5. Inform the Office of the Personal Data Protection
Board within 72 hours of being aware of or alerted to
an abuse of personal data.
6. Respond to the data owners’ requests when they
exercise their rights.

Data processor

1. Strictly follow the instructions of the data controller when collecting,
using, or disclosing personal data.
2. Provide appropriate security measures to prevent
loss, access, use, change, correction or disclosure of
personal data without authorisation or in an
unlawful way.
3. Inform the data controller of any violation of the
personal data that occurs.
4. Prepare and maintain a list of the data processing
activities.

Data protection officer (DPO) :

The data controller and data processor must appoint a DPO under the
circumstances specified in the PDPA. The DPO must be independent and primarily
responsible for making sure that the processing of personal data of the
organisation’s staff, customers, providers or any other individuals will comply
with the data protection rules.

Violation of the law :

Liability / Major sanctions (more details are included in the PDPA)

1. Civil liability - Compensation at the court’s discretion
2. Criminal liability - Imprisonment: not exceeding one year, and/or Fine: not
exceeding Baht 1 million.
3. Administrative liability - Fine: not exceeding Baht 5 million (the court has
the power to order the seizure and/or freezing of the use of property so that
it can be auctioned to pay the fine)

Important note:
Where a juristic person commits offences, the directors,
managers, or others with the authority to represent the
juristic person, who cooperate or are aware of the
commission of the offences or fail to take reasonable
action to prevent the offence, will be liable under the same
provisions as the juristic person.

For further information, please contact:

- Vunnipa Ruamrangsri at vunnipa.ruamrangsri@pwc.com or +66 (0) 2844 1284
- Nopparat Lalitkomon at nopparat.lalitkomon@pwc.com or +66 (0) 2844 2014
- Korapat Sukhummek at korapat.sukhummek@pwc.com or +66 (0) 2844 3091
