Significant developments have unfolded since Thailand's Personal Data Protection Act took full effect on 1 June 2022.
That year, the official appointment of the Personal Data Protection Committee and the commission supervising its office added substantial weight to the PDPA's regulatory framework. The release of subordinate legislation, along with the legal interpretations of the Expert Committee (which is authorized to consider complaints, investigate and impose punitive measures), further enhanced the PDPA's effectiveness, as Thailand intensifies efforts to ensure the safety and security of personal data.
Imposing administrative fines: Empowering PDPA compliance
Failure to comply with specific provisions of the PDPA, such as neglecting to inform data subjects of required information, processing personal data without a legal basis or obtaining consent through deception, may result in administrative fines issued by the Expert Committee.
In its criteria for issuing administrative fines and orders, the PDPC outlines factors the Expert Committee must consider. These include the severity of the offense, size of the data controller or processor's business, benefits derived by the data subject from regulatory action and impact on the data controller, processor or offender. Additionally, the consideration includes broad implications for related businesses or enterprises, the data controller or processor's level of responsibility, and remedial or mitigative action taken upon awareness of the offense.
Data controller security measures: Safeguarding personal data
One of the pivotal responsibilities entrusted to data controllers under the PDPA is the implementation of appropriate security measures to safeguard personal data from unauthorized or unlawful loss, access, use, alteration, correction or disclosure. In line with this, the PDPC issued a notice on security measures of the data controller, outlining the minimum standards expected from data controllers.
Security measures must consist of appropriate organizational and technical measures and ensure the ongoing confidentiality, integrity and availability of personal data. Among the stipulated measures are the implementation of access control for personal data, user access management and assignment of user responsibilities to prevent unauthorized or unlawful access and processing of personal data.
Furthermore, data controllers must periodically review these security measures when necessary or when technology changes, as well as in the aftermath of a data breach.
Record of processing activities: Relief for small businesses
The PDPC's Exemption to the Record of Processing Activities Requirement for Data Controllers that Are Small Businesses brings relief for certain organizations. The exemption spares certain small businesses from the obligation to maintain records concerning data processing activities, except for instances involving the rejection of a data subject's request or objection to data processing.
Eligible small businesses include small and medium-sized enterprises, community and social enterprises, cooperatives, foundations, associations, religious organizations, nonprofit organizations, household activities, or others of a similar nature. According to Thailand's law on SME promotion, SMEs in the manufacturing sector are defined as businesses with no more than 200 employees or an annual revenue not exceeding THB500 million (approximately USD14 million). The criteria for SMEs in the service, wholesale or retail sector are no more than 100 employees or annual revenue not exceeding THB300 million (approximately USD8.5 million).
In addition, the PDPC released Rules and Procedures for the Preparation and Maintenance of the Record of Processing Activities by the Data Processor. These records must be readily accessible and, when requested, promptly presented to the Office of the Personal Data Protection Committee or the data controllers.
Alerting data breaches: Swift response to ensure rights
The PDPA makes it clear that data controllers must report any data breach incident to the PDPC within 72 hours of discovery, unless the breach poses no risk to individuals' rights and freedoms. If the breach carries a high risk to rights and freedoms, controllers must also notify affected data subjects.
The PDPC's Criteria and Procedures for Handling Personal Data Breaches, effective 15 Dec. 2022, breaks down what constitutes a "personal data breach" and clarifies such incidents can involve breaches of confidentiality, integrity or availability of personal data.
Once aware of a data breach, the controller has several responsibilities, including examining the facts, assessing the risk to individuals' rights and freedoms, and taking necessary and appropriate actions to rectify or remedy the incident.
The PDPC also details the method and information required for reporting to the PDPC and notifying affected data subjects. If, for some reason, the data breach incident cannot be reported within the 72-hour timeframe, the data controller may request an exemption from penalties. However, such requests must be submitted no later than 15 days after becoming aware of the breach, accompanied by valid reasons for the delay.
Guidelines on transferring personal data abroad
When it comes to transferring personal data across borders, Section 28 of the PDPA stipulates that personal data may be sent or transferred only to a destination country or international organization with adequate data protection standards. However, certain exceptions apply, such as when compliance with the law requires it, when a data subject gives informed consent despite inadequate standards or when the transfer is necessary for fulfilling a contract.
In December 2023, the PDPC issued Criteria on the Protection of Personal Data Sent or Transferred Abroad pursuant to Section 28 of the PDPA. The regulation clarifies that "sending or transferring personal data" excludes data transit, where personal data is sent through an intermediary like cloud computing services. It doesn't itemize "adequate data protection standards," but states adequacy will be considered based on the following factors:
- Measures or legal mechanisms in the destination country or international organization consistent with the PDPA.
- Agencies or organizations enforcing data protection laws in the destination country or international organization.
Additionally, the PDPC issued rules on intragroup data transfers, namely the Criteria on the Protection of Personal Data Sent or Transferred Abroad pursuant to Section 29 of the PDPA. Data transfers within the same group of undertakings or group of enterprises are exempt from Section 28 if they follow binding corporate rules approved by the PDPC Office. The criteria for BCR approval include legal effect, provisions for personal data protection and alignment with data protection laws.
The notification also outlines formats and criteria for "appropriate safeguards" of data transfers without adequacy decisions pursuant to Section 28 or BCRs pursuant to Section 29. Appropriate safeguards include standard data protection clauses, certification or legally binding agreements between Thai and foreign agencies.
Stay informed of ongoing developments
It is essential to note that this is a concise overview of key concepts within certain PDPC notifications, and numerous other details are not explored. Since 2022, the PDPC Office has been actively sharing information about the PDPA, including news, complaints and orders from the Expert Committee related to enforcement.