Eight key characteristics form the foundation of the PDPA. Let’s dive into each one of these, so you can get a better understanding of what this new regulation means for your business.
1. National Data Protection Authority
The act's first characteristic is to establish a Personal Data Protection Committee. It will serve as the enforcement agency that ensures organizations comply with the PDPA.
2. Extraterritorial Effect
The PDPA has both a territorial and an extraterritorial effect. This means the PDPA's provisions apply if a state or organization has jurisdiction over Thai citizens while they are abroad.
In other words, any entity, business, website, or other organization that uses, collects, or discloses data about Thai citizens must comply with this regulation. Likewise, it prohibits personal data from being transferred outside of Thailand.
3. Operative Terms
The third characteristic of the PDPA is its operative terms, which define the core aspects of the law. Much of the terminology mirrors the GDPR, including the following:
- Data Controller: a natural or juristic person that has the power to make decisions about the collection, use, or disclosure of personal data
- Data Processor: an entity that collects, uses, or discloses personal data on behalf of the data controller
- Personal Data: information that relates to a person and is directly or indirectly identifiable
4. Consent
The PDPA requires that you ask for – and obtain – explicit consent from users in Thailand before collecting data, using cookies and trackers, or disclosing any personal information. This consent must be received in writing or submitted electronically.
5. Sensitive Personal Data
The PDPA has a distinct category for sensitive personal data, which includes things like health data, sexual orientation, disability information, ethnicity, political opinions, religious beliefs, and more.
The new legislation prohibits the collection of any sensitive data without explicit consent from the individual, unless collection is required by law or needed in a medical emergency.
6. Rights of Data Subjects
Under the PDPA, data subjects have the right to access and correct their personal information. Likewise, they can withdraw consent at any point in time. Doing so would require the organization that collected the data to stop processing their information for marketing or other business purposes.
7. Transfer of Personal Data
Data controllers are prohibited from transferring personal data to third parties. However, they can proceed if the data subject has given their explicit consent.
8. Civil and Criminal Liability
The last characteristic of the Personal Data Protection Act addresses civil and criminal liability. Regulated entities that fail to comply with the PDPA could face civil liabilities, ranging from fines to punitive damages, of up to 5 million Baht.
Depending on the offense, perpetrators can also face up to one year in prison.