Personal data protection is a hot topic in Thailand, as new legislation was passed in 2019 regarding companies that collect data from customers or employees. If you operate a business in Thailand or run it remotely from another country, you need to understand this new legislation and maintain your compliance. Here’s everything you need to know about Thailand’s Personal Data Protection Act.
What is the Personal Data Protection Act?
Data is exchanged every second of every day. Employers collect personal information from their employees during onboarding, thus making the employer the data controller. When data controllers abuse their role, there are serious implications for the person to whom that data belongs. This is why Thailand instated the Personal Data Protection Act (PDPA) on February 29, 2019.
Data controllers had over one year of grace to implement the new legislation and become compliant with it. As of May 27, 2020, all data controllers in Thailand will be expected to be compliant. It’s important for data collectors, like employers and business owners, to understand the Act so they don’t face penalties. Employees and customers also need to understand the Act in order to protect their rights.
Key Factors of the Personal Data Protection Act
What changes do data collectors need to make to be compliant with the Act? To start, they must get express written consent from the data provider that they are allowed to process the information in whatever way they choose. If the data is sensitive, there are extra hoops to go through and permissions the collector must get.
The Act also applies to data collectors living abroad. If you are collecting information from Thai citizens, you must adhere to the Act. You are also obligated to secure a data collector representative who is present in the country.
What Are Employers’ New Duties?
This legislation is especially important for business owners to follow if they have Thai employees. According to the Act, employers are restricted from collecting data that is unnecessary or relates to the employee’s race, sexual orientation, gender, religion, politics, etc. Employers may only collect the employee’s data from the employee themselves, not a family member or other third party.
Employers must give explicit reasoning for why they’re requesting information and how they will be using the data. In the request for data, they must state how long they will keep the data and whether it will be disclosed.
It is the employer’s duty to ensure the data they collect is secure. If there is a breach of data, they must let the Personal Data Protection Committee know about it within 72 hours. When data is no longer needed, it must be destroyed in an appropriate and secure manner.
What Rights Do Employees Have?
Employees have certain rights when it comes to the collection of their personal data. They can request to see their personal data at any given time. In most instances, the controller is obligated to give the employee access to their personal data. Employees can also deny the request for their data if the reason for requesting it isn’t just or clear. When employees feel that their data is no longer useful to the employer, they can restrict its use.
What Happens if Employers Don’t Comply?
If data collectors, or employers, don’t comply with the new laws, there are serious consequences. Even if they unintentionally fall out of compliance, they are still responsible for the consequences.
If damage was caused to the employee, the employer must pay the employee to offset the damages. They will also be obligated to pay penalty fines.
When the damage caused to an employee is destruction of their reputation, the employer can be imprisoned for up to six months and made to pay a 500,000 Baht fine. However, the penalty increases from there based on the specific violation. In some cases, the employer could be imprisoned for up to a year and fined up to 5 million Baht.
How to Ensure Your Business is Compliant
The penalties for not complying with the Act are harsh, but they’re equal to the damage the victims in these cases face. As a business owner and data controller, it is in your best interest to comply with the new laws and take them seriously.
If you are confused about any aspects of the Act or how to implement these practices in your business, contact a lawyer. It’s highly recommended that you bring all your HR and onboarding documents to your lawyer for review. They will ensure all the forms you ask employees to fill out are in compliance with the Act.
Personal data protection is an imperative aspect of running a business in Thailand. For more information on securing data, securing your website, and expanding your online reach, contact SEO Heroes Bangkok today.