Thailand’s first comprehensive regulatory framework for protecting personal information – the Personal Data Protection Act (PDPA) – came into effect on May 27, 2020. The PDPA sets out how businesses must process their customers’ personal data – i.e. how they collect, use, disclose, and transfer it.
Data controllers play a critical role here as they must ensure that day-to-day operations meet all the obligations set out for handling personal data, including the collection, use and transfer of data subjects’ personal data.
Data processors must comply strictly with the controller’s legal instructions and not take any action outside the bounds of those instructions. This article discusses the obligations of data controllers and processors concerning Thailand PDPA laws.
Processor and Controller Obligations for Thailand PDPA
Collection, use and disclosure – basic elements
The data controller must obtain the consent of data subjects, either in writing or in electronic form, before or at the time of collecting, using, processing or disclosing their personal data.
The collected data may only be used for the intended purpose that has already been communicated to the data subjects. Furthermore, the data must be collected from the data subjects directly. Transferring personal data to a country outside Thailand is only allowed if the recipients already have the required data protection standards in place.
Data processing notification
The data controller is required to inform the data subject of the purpose of data collection, the intended data retention period and the rights they are entitled to – either before or at the time of personal data collection. The only exception to this is if the data subject is already aware of such details.
Data processing records
Both the data processor and the data controller are required to prepare and maintain records of all personal data processing activities, in written or electronic form, for reference by data subjects and by the Office of the PDPC (Personal Data Protection Commission). The detailed rules for records of processing activities will be laid out in a future PDPA sub-regulation.
Even though the PDPA imposes no data localisation requirement, businesses sharing personal data with affiliate organisations outside Thailand must follow the PDPA’s transfer mechanism, which is similar to the GDPR’s binding corporate rules. In practice, cross-border transfers of personal data are permitted as long as the data processor or data controller follows an internal policy with specific safeguards for transfers to the foreign affiliate, and provided that this internal policy has been reviewed and approved by the PDPC Office.
Even though the PDPC Office’s criteria for cross-border transfers of personal data have not been established yet, businesses are urged to put the necessary inter-party personal data privacy measures in place sooner rather than later.
During the personal data collection process, the data controller must inform data subjects of the set time frame or period for which the data shall be retained. This can either be done before or at the time of personal data collection.
However, if it is not feasible to specify a fixed retention duration, the expected retention period must be defined according to the applicable data retention standard.
Closing thoughts on Data Controller and Data Processor Obligations
For reference, Chapter 3 of the Thailand PDPA sets out the specific obligations of a data controller, such as ensuring that all personal data is up-to-date, accurate, complete and not misleading, and that the necessary security measures have been taken to prevent unauthorized access to personal data.
Where the data processor is not also the data controller, the processor’s obligations apply in relation to the designated data controller: it must collect, use or disclose personal data only as instructed by the data controller and provide adequate security while processing the data, among other things.
Ensure that you are always compliant and fully aware of your data controller’s and data processor’s obligations – Formiti’s data privacy consultancy has you covered.
VinarcoPDPA PDPA Assessment (https://www.vinarcopdpa.com/pdpa-assessment)
We offer a globally recognized gap analysis and remediation report, which can be completed within days. Depending on your organisation’s scale, our remediation consultant will conduct an onsite gap analysis assessment covering ten core areas and seventy-three controls.