What the PDPA means for businesses and people

  • ธุรกิจ
  • May 21, 2020
What the PDPA means for businesses and people
Thailand's Personal Data Protection Act is set to come into force in 2020. We’ll take a look at what it will mean for both businesses and individuals.

What the PDPA Means for Businesses and People in Thailand

thailand pdpa regulation

Thailand's Personal Data Protection Act (PDPA) was originally scheduled to be enacted at the end of May 2020. But because of the burdens of compliance facing many businesses, The Thai cabinet recently ruled that companies will be given another year to update their processes and hire additional staff in order to comply. The PDPA will impact the internet and companies offering services and products online.

A significant part of the act is a set of rights that apply to businesses as well as individuals. These rights include:

  • Right to access
  • Right to data portability
  • Right to erasure
  • Right to be informed
  • Right to object
  • Right to rectify
  • Right to restrict processing

The PDPA also consists of a number of enforcement mechanisms that businesses and individuals can use to ensure their rights are respected and to seek redress when they are violated. Online organisations are required to have a data controller in their employment who will be responsible for adherence to these rights under the PDPA.

Foreign organisations doing business with online users based in Thailand must also comply with the directives of the act when it concerns processing personal data, offering goods and services, or monitoring online behaviour.

pdpa online data protection thailand

Intended as an Organisation-regulated Safeguard

The PDPA, as written, is intended as an organisation-regulated safeguard. The PDPA stipulates that an organisation conducting personal data processing as part of the transactional nature of its business must name a data controller to be legally liable in the event the organization breaks any of the rules contained in the act.

This data controller must contact the Office of Personal Data Protection Commission within 72 hours of the discovery of any violation of personal data. Failure to do so may lead to criminal prosecution of the data controller.

For large organisations conducting many transactions a day, this may be a tough pill to swallow. Entire departments may need to be set up to monitor the data processing and ensure compliance with the act.

The organisation data controller responsible for compliance should set up a close relationship with the Office of Personal Data Protection to ensure they are following all the rules. The law is written to put a lot of the burden of oversight on the organisation itself.

It’s going to be a matter of time before we find out whether this self-regulating approach to enforcement will be successful, or whether the government will be forced to play a larger role in enforcement. Reasons why the government would have to play a larger role would be because of organisations that fail to report breaches and violations of the law, only to have their violations reported by the individual victims.

User Retribution

For users who have had their data stolen or misused, the act represents a recourse, and a means to identify and punish responsible parties. The act serves as a concrete set of laws that target organisations who sell a user's data without obtaining consent.

Although the user would have to go through existing legal channels within Thailand’s justice system, the PDPA puts the onus on the organisation to prove its innocence. This will empower more and more users to stand up for their rights when entering into online transactions.

For online organisations, they need to review their data protection plans and ensure they are fully compliant under the new laws contained in the PDPA. The act is broadly written to include all personally identifiable data. This means that an organisation that wants to stay in business must review and possibly re-write their terms of use policies to ensure they are explicit in how a user's data will be processed and the end-use for the data.


  • Business

You May Like

ติดต่อทีมงานทรู ดิจิทัล พาร์ค

หรือเข้าชม สถานที่