Thailand's PDPA law was enacted in May 2019 and will take effect on 27 May 2020. Here are some key highlights from the EDTA workshop.
Essential Features of Thailand’s PDPA Law
1) It applies comprehensively to both public and private entities. This is unlike some countries' laws, which apply only to private companies. The approach is sanction-based, mainly fines (but there are jail terms as well).
2) The PDPA law is adapted from Europe's GDPR. This means that if you are GDPR compliant, there is a high chance that you will be PDPA compliant as well.
3) The law has extraterritorial reach. It also applies to companies or organizations that are located outside Thailand when the data subjects (the people whose data you are collecting) are in Thailand.
4) The law takes a “risk-based approach”. Bigger organizations have more responsibility than smaller organizations.
What Personal Data Is Covered?
There are 2 levels of personal data covered:
- Personal Data – data that could identify a person either directly or indirectly, such as name, address, phone, location, etc.
- Sensitive Personal Data – data that is more sensitive to collect and process, such as nationality, race, religion, etc.
The law places more importance on sensitive personal data than on personal data.
Key Parties Involved in PDPA