In May 2019, Thailand joined the growing list of countries adopting a comprehensive privacy law, the Personal Data Protection Act, B.E. 2562 (2019) (PDPA). Although many of the principles and obligations under the PDPA were adapted from the EU's General Data Protection Regulation (GDPR), businesses operating in Thailand or handling the personal data of data subjects in Thailand should familiarize themselves with this new law and operationalize its requirements before the compliance date of May 28, 2020.
The PDPA adopts the concepts of "data controller" and "data processor" consistent with the GDPR and other privacy regimes. It also has broad extraterritorial scope. The PDPA applies to the collection, use, or disclosure of personal data by a data controller or a data processor that is in Thailand, regardless of whether such data collection, use, or disclosure takes place in Thailand or elsewhere. Its obligations extend to businesses outside of Thailand engaged in either of the following activities:
The PDPA prescribes data subject consent requirements, addresses the collection, use, and disclosure of personal data to third parties within and outside of Thailand, and provides penalties for violations, including civil penalties, administrative fines, and criminal liability. As in other privacy regimes, the PDPA permits a data subject to request access to his or her personal data and to submit requests to delete, destroy, or anonymize his or her personal data.
How CENTRL's Privacy360 helps:
By using CENTRL's Privacy360, your organization can easily manage a multitude of templates, checklists and questionnaires while providing the control to monitor, evaluate and create audit reports allowing you to focus on the results instead of the process.