Presentation Topics

I. What are the key provisions of the PDPA and how do they apply to our company?
II. How and when can our company collect, use and disclose personal data of employees, customers, suppliers and the public?
III. What can we do to reduce risks of failure to comply with the PDPA and mitigate liabilities?
I. What are the key provisions of the PDPA and how do they apply to our company?
PDPA Overview

Effective Dates
• Effective in part from 28th May 2019
• Effective in full from 27th May 2020
• No implementation rules have yet been enacted.
• The Chairman and 9 Expert Committees of the PDPC are being selected.

Key Provisions
• Data Subject
• Personal Data Protection Committee (“PDPC”)
• Office of the Personal Data Protection Committee (“OPDPC”)
• Basis for Processing Personal Data
• Extraterritorial Applicability
• Data Protection Officer (“DPO”)
• Representative of Foreign Data Controller
• Rights of Data Subjects
• Liabilities
PDPA Authorities

PDPC
• The Permanent Secretary of the Ministry of Digital Economy and Society (“MDES”) is now acting as Chairman of the PDPC.
• The Deputy Permanent Secretary of the MDES is now acting as Secretary General of the PDPC.
• A Chairman and Secretary General of the PDPC will be selected and appointed.

OPDPC
• To be established by 27th May 2020.
• The Office of the Permanent Secretary of the MDES is now acting as the OPDPC.

Expert Committee
• To be appointed within 90 days after the appointment of the Chairman of the PDPC.
PDPA Implementation Timeline

Start: 27 May 2019
1. Appointment of the Selection Committee to select the Chairman and 9 Expert Committees of the PDPC
2. Cabinet establishes criteria for the selection of the Chairman and 9 Expert Committees of the PDPC
3. Selection and appointment of the Chairman and 9 Expert Committees of the PDPC
4. PDPC issues implementation rules
Deadline: by 27 May 2020
Key Parties

Data Controller
• a person / juristic person
• having the power and duties to make decisions as to the collection, use, or disclosure of Personal Data

Data Processor
• a person / juristic person
• who collects, uses, or discloses Personal Data on behalf of a Data Controller

Data Subject and Personal Data
• any information relating to a data subject
• enables the identification of the data subject, whether directly or indirectly
Types of Personal Data

Personal Data
• Name
• Address
• Identification/Passport No.
• Personal Phone No.
• Bank / Credit cards
• Personal Email address
• IP Address
• Cookies
• Online Identifiers

Sensitive Data
• Racial or Ethnic Origin
• Political Opinions
• Religious or Philosophical Beliefs
• Sexual Orientation/Behaviour
• Criminal Records
• Health and Disability
• Trade Union Membership
• Genetic
• Biometric
• any other data as prescribed by the PDPC
Businesses Which Are Subject to the PDPA

• All businesses in Thailand, regardless of where the collection, use, or disclosure (processing) of Personal Data takes place.

Extraterritorial Applicability
• All businesses outside Thailand, if they collect, use, or disclose Personal Data of data subjects who are in Thailand in connection with the following activities:
  (1) the offering of goods or services to data subjects who are in Thailand, irrespective of whether or not any payment is made by the data subjects;
  (2) the monitoring of the data subject’s behavior, where the behavior takes place in Thailand.
Rights of Data Subjects

• Right to Be Notified: to get information on what data is collected and how the data is going to be used (where it is stored, who will have access)
• Right to Access Data
• Right to Modify Data
• Right to Transfer and Data Portability
• Right to Delete Data
• Right to Object and Withdraw Consent
Data Protection Officer and Representative

Duties of the Data Protection Officer (DPO)
• advising the Data Controller or Data Processor and their employees with respect to any collection, use or disclosure of personal data;
• reviewing the operation of the Data Controller or Data Processor in relation to their compliance with the PDPA;
• coordinating with the OPDPC; and
• maintaining the confidentiality of the Personal Data obtained.

Who Must Appoint a DPO?
• A Data Controller or Data Processor who (1) engages in a business of collecting, using or disclosing Sensitive Personal Data, or (2) handles a large amount of personal data, as to be prescribed by the PDPC, must appoint a DPO.

Who Must Appoint a Representative?
• A Data Controller or Data Processor outside Thailand who collects, uses or discloses personal data that includes sensitive personal data must appoint a local representative in Thailand, without limitation of liability.
Maximum Administrative Fines

If personal data is breached, the Data Controller must report it to the OPDPC within 72 hours, or face a fine of up to THB 5 million under the PDPA.
II. How and when can our company collect, use and disclose personal data of employees, customers, suppliers and the public?
Basis for Processing Personal Data

• Consent (Section 19): asking permission from the data subject
• Contract (Section 24(3)): required to fulfill contractual obligations
• Legal Obligations (Section 24(6)): required to establish, defend and enforce legal rights
• Vital Interest (Section 24(2)): to save lives
• Public Task (Section 24(4)): government work
• Legitimate Interest (Section 24(5)): the legitimate interests of the Data Controller outweigh the privacy rights of the data subject
Consent – General Principles

• Any collection, use and disclosure of personal data cannot be made without the express consent of the data subject.
• Consent for the collection and use of personal data may be revoked at any time.
• Consent may be given either in writing or by electronic means.
Request for Consent – Its Basic Requirements

A request for consent must:
1. contain the purpose of the collection, use or disclosure;
2. be clearly distinguishable from other matters; and
3. be made in clear and plain language that is easy to understand and is not misleading to the data subject.
Consent – Its Exceptions

Consent is not required for:
1. preventing harm to the life or health of an individual
2. lawful activities of non-profit organizations
3. preparing historical or statistical documents for the public benefit
4. carrying out duties for the benefit of the public or performing functions as allocated by the State
5. complying with contractual obligations
6. complying with the PDPA, other laws and public policy objectives (health and research)
7. establishing, enforcing and upholding legal claims
8. protecting the legitimate interests of the employer.
Mitigation of Risks – What a Business Should Do

1. compile information on how it collects, uses and discloses personal data, which requires notice to data subjects
2. determine the potential impacts on the business if consent is withdrawn
3. create a data retention policy for the various types of personal data collected
4. create a data privacy policy in line with the notice and consent requirements
5. identify situations where consent is required and where exemptions may apply
6. prepare and review its online and offline consent requests to make them comply with the PDPA.
Basis for Processing Personal Data without Consent (Section 24)

Legitimate Interest
• Employers transfer personal data of employees internally for internal administration.
• Businesses record CCTV footage of visitors for security reasons.

Contractual Obligation
• E-commerce businesses collect and use names and addresses of customers to deliver products to them.

Legal Obligation / Public Task
• Hotels keep passport information of customers for the Immigration Office.
• Employers disclose employees’ wages to the Revenue Department and the Social Security Office.

Vital Interest
• Hospitals disclose patient records to another hospital for emergency treatment.
Limitations on Personal Data Collection, Use and Disclosure

• Purpose Limitation: any use of the collected personal data outside the notified purpose is prohibited.
• Source Limitation: personal data can be collected from the data subject only, except in certain situations.
• Proportionality Limitation: personal data can be collected only in the amount necessary to accomplish the intended and lawful purpose notified to the data subject.
III. What can we do to reduce risks of failure to comply with the PDPA and mitigate liabilities?
Major Pitfalls to Avoid

• Lack of legal documents required for PDPA compliance
• No clear understanding of where personal data is kept or who owns it
• Cannot identify the legal basis for collection, use or disclosure of personal data
• No clear understanding of the roles and obligations of Data Controller and Data Processor
• No PDPA compliance team, no DPO
Major Measures to Do

PDPA compliance phases: Assessment & Plan Determination; Measurement; Revision & Creation; Implementation; Training & Maintaining.

• Data Mapping: to locate, quantify and categorize the existing collected personal data and the current personal data flow.
• Legal Basis & Data Analysis: to determine the legal basis and applicable obligations.
• Risk Assessment & Data Treatment Plan: to assess risk criteria and risk level, and to generate a suitable plan to comply with the PDPA.
• Revision and Creation of Privacy Policy and Other Compliance Documents: the existing Privacy Policy, Privacy Notice and Consent Form should be reviewed and revised. If there are no compliance documents, they should be prepared and ready to be used.
• Data Management Process and Operation System: to determine and implement technical and internal policy, procedures and record keeping.
• Legal Advice & Training: key members of the management and the compliance team are trained and advised about the PDPA and its potential impacts on the business.
Privacy Policy – Questions for Key Provisions

• What personal data are collected and processed?
• Where is the source of the data?
• What are the purposes and legal basis for data collection and processing?
• How are the data collected and processed?
• How are the data stored, and what is the data retention period?
• What are the rights of the data subject?
• How can the Data Controller, representative and DPO be contacted?
• What are the data security measures?
Privacy Notice – Questions for Key Provisions

• What data are collected and processed, and how?
• Where is the source of the data?
• What are the purposes and legal basis for data collection and use?
• How are the data stored, and what is the data retention period?
• What are the rights of the data subject?
• How can the Data Controller, representative and DPO be contacted?
• What are the policies on cookies?
• What are the data security measures?
• What are the marketing activities?
Major Administrative Fines

• Sections 82 & 85 – Offences in relation to duties of the Data Controller and Data Processor to protect the rights of Data Subjects: THB ≤ 1 million
• Sections 83 & 86 – Offences in relation to core duties of the Data Controller and Data Processor to Data Subjects: THB ≤ 3 million
• Section 87 – Offences in relation to Sensitive Data by the Data Controller and Data Processor: THB ≤ 5 million
• Section 89 – Failure of a person to comply with an order of the PDPC or to facilitate the PDPA officials: THB ≤ 500,000