Thailand Personal Data Protection Act (PDPA)

What is Thailand’s PDPA?

On February 28th, 2019, the National Legislative Assembly approved the Thailand Personal Data Protection Act (PDPA) after almost twenty years in the making. The act will pass into law once it receives royal endorsement. The PDPA aims to govern data protection and uses the GDPR as a blueprint, adapting some of the major European articles to the Thai context. Organizations will need to bring their practices into compliance by May 27, 2020 or they will face penalties.

What are the penalties?

The PDPA imposes penalties for non-compliance: administrative fines (up to THB 5 million), criminal penalties (imprisonment of up to one year and/or fines of up to THB 1 million), and punitive damages of up to twice the amount of the actual damages. Furthermore, civil damages under the PDPA can be multiplied, as Thailand now allows data subjects to bring class action lawsuits. The director of a company could also be subject to penalties under the PDPA.


Requirements

Right of Access:

Thai data subjects will have the right to request access to the personal information held about them, except where the request is barred by applicable law or a court order.

How SecuPi Helps:

To enforce the right to object, for any purpose, SecuPi can use any condition to block processing by an application, including a flag recording that a data subject has asked not to be processed, thus preventing any access to or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or configuration, on any system where SecuPi is installed. Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).


Right to Erasure / Right to be Forgotten:

Where the data controller is not compliant with the PDPA, Thai data subjects have the right to request that their personal information be deleted, destroyed or anonymized. Thai data subjects will also have the right to data portability.

How SecuPi Helps:

On the application level, SecuPi redacts the information of customers who have requested to be forgotten (referred to as “logical deletion”). On the database level, SecuPi applies Format Preserving Randomization (FPR) anonymization, ensuring that the personal data is anonymized and that the anonymized values differ from one database to another, preventing correlation of the same anonymized value between different data sets.
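To make the two levels concrete, here is an added illustration written for this page; it is not SecuPi’s code and does not reproduce SecuPi’s FPR algorithm. Logical deletion is modelled as read-time redaction of every field for a subject on the “forgotten” list. The database-level step is modelled as a keyed, format-preserving substitution: the same value always anonymizes the same way under one database key (so joins inside that database still work), while a different key on another database yields a different value, so the two data sets cannot be correlated. The customer rows, subject ids and keys are constructed for the example.

```python
import hashlib
import hmac
import string
from typing import Dict, Iterator

# Constructed sample data: subjects who asked to be forgotten and two rows.
FORGOTTEN_SUBJECTS = {"C1001"}
SAMPLE_ROWS = [
    {"customer_id": "C1001", "name": "Somchai J.", "passport": "TH-1234-AB", "email": "somchai@example.com"},
    {"customer_id": "C1002", "name": "Ploy K.", "passport": "TH-9876-ZZ", "email": "ploy@example.com"},
]

# Hypothetical per-database keys (one per data store). In a real deployment
# these come from a key manager, never from source code.
KEY_DB_CRM = b"crm-key-constructed-for-demo"
KEY_DB_BILLING = b"billing-key-constructed-for-demo"


def logical_delete(row: Dict[str, str], forgotten=FORGOTTEN_SUBJECTS) -> Dict[str, str]:
    """Application-level 'logical deletion': every field of a forgotten subject
    is redacted at read time; only the identifier survives so the row stays
    addressable for the erasure audit trail."""
    if row["customer_id"] not in forgotten:
        return dict(row)
    return {k: (v if k == "customer_id" else "[REDACTED]") for k, v in row.items()}


def _keystream(db_key: bytes, value: str) -> Iterator[int]:
    """Deterministic byte stream from HMAC-SHA256(key, counter:value), so one
    value always anonymizes identically under a given database key."""
    counter = 0
    while True:
        block = hmac.new(db_key, f"{counter}:{value}".encode(), hashlib.sha256).digest()
        yield from block
        counter += 1


def fpr_anonymize(value: str, db_key: bytes) -> str:
    """Format-preserving randomization: digits stay digits, letters keep their
    case, separators are untouched and the length never changes.
    Rejection sampling avoids modulo bias when picking replacement characters."""
    stream = _keystream(db_key, value)
    out = []
    for ch in value:
        if ch in string.digits:
            alphabet = string.digits
        elif ch in string.ascii_uppercase:
            alphabet = string.ascii_uppercase
        elif ch in string.ascii_lowercase:
            alphabet = string.ascii_lowercase
        else:
            out.append(ch)
            continue
        limit = 256 - (256 % len(alphabet))
        b = next(stream)
        while b >= limit:
            b = next(stream)
        out.append(alphabet[b % len(alphabet)])
    return "".join(out)


def format_preserved(original: str, anonymized: str) -> bool:
    """True if the anonymized value keeps the shape (length, character classes,
    separators) of the original."""
    if len(original) != len(anonymized):
        return False
    for o, a in zip(original, anonymized):
        if o.isdigit() != a.isdigit():
            return False
        if o.isalpha() != a.isalpha() or (o.isalpha() and o.isupper() != a.isupper()):
            return False
        if not (o.isalnum() or a.isalnum()) and o != a:
            return False
    return True


def anonymize_row(row: Dict[str, str], db_key: bytes, fields=("name", "passport", "email")) -> Dict[str, str]:
    """Database-level anonymization of the personal fields of one row."""
    out = dict(row)
    for f in fields:
        out[f] = fpr_anonymize(row[f], db_key)
    return out


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print("app view    :", logical_delete(row))
        print("crm anon    :", anonymize_row(row, KEY_DB_CRM))
        print("billing anon:", anonymize_row(row, KEY_DB_BILLING))
```

The property worth checking in practice is the last one: run the same value through two stores and confirm the outputs differ, otherwise an attacker who obtains both stores can link records by the anonymized value alone.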


Right to Restriction of Processing:

Individuals have the right to restrict the processing of their personal information in certain cases, meaning that an individual can limit the way organizations use their data. It is an alternative to requesting the erasure of their information. Individuals may restrict processing when they have a particular reason for doing so.

How SecuPi Helps:

Using Dynamic Masking and redaction, SecuPi can block access to a data subject’s personal data where consent was not given or where the customer requested that processing be restricted.
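The following is an added example of what such a consent-gated masking decision looks like; it is illustrative code for this page, not SecuPi’s product logic. A consent register (constructed here) records, per subject, whether consent was given and whether the subject invoked the right to restriction. At read time a decision is made per role: roles the page names as needing continued access to resolve a subject’s request (DPO, subject-rights team, legal) see data in the clear; otherwise a missing consent or an active restriction redacts the sensitive fields; and ordinary roles fall back to a per-role default, with unknown roles denied by default. The role names and field list are assumptions.

```python
from dataclasses import dataclass
from typing import Dict

# Assumed role names. Privileged roles may still access data to resolve the
# subject's own complaint or request; everything else is gated by consent.
PRIVILEGED_ROLES = {"dpo", "legal", "subject_rights"}
ROLE_DEFAULT_VIEW = {"customer_service": "partial", "billing": "clear"}
SENSITIVE_FIELDS = ("email", "phone", "national_id")


@dataclass(frozen=True)
class SubjectState:
    consent_given: bool   # consent to process for the requested purpose
    restricted: bool      # subject invoked the right to restriction


# Constructed consent register keyed by customer id.
CONSENT_REGISTER: Dict[str, SubjectState] = {
    "C1001": SubjectState(consent_given=True, restricted=False),
    "C1002": SubjectState(consent_given=False, restricted=False),
    "C1003": SubjectState(consent_given=True, restricted=True),
}


def partial_mask(value: str, visible: int = 4) -> str:
    """Keep only the last `visible` characters, e.g. enough to confirm identity."""
    if len(value) <= visible:
        return "*" * len(value)
    return "*" * (len(value) - visible) + value[-visible:]


def decide(state: SubjectState, role: str) -> str:
    """Return 'clear', 'partial' or 'redact' for this subject/role pair."""
    if role in PRIVILEGED_ROLES:
        return "clear"
    if state.restricted or not state.consent_given:
        return "redact"
    return ROLE_DEFAULT_VIEW.get(role, "redact")   # unknown role: deny by default


def apply_dynamic_masking(row: Dict[str, str], role: str,
                          register: Dict[str, SubjectState] = CONSENT_REGISTER) -> Dict[str, str]:
    """Rewrite the sensitive fields of one row according to the decision.
    A subject missing from the register is treated as having given no consent."""
    state = register.get(row["customer_id"], SubjectState(consent_given=False, restricted=False))
    decision = decide(state, role)
    out = dict(row)
    for field in SENSITIVE_FIELDS:
        if field not in out:
            continue
        if decision == "redact":
            out[field] = "[RESTRICTED]"
        elif decision == "partial":
            out[field] = partial_mask(out[field])
    return out


if __name__ == "__main__":
    row = {"customer_id": "C1003", "name": "Nok P.", "email": "nok@example.com", "phone": "0898765432"}
    for role in ("customer_service", "billing", "legal", "intern"):
        print(role, "->", apply_dynamic_masking(row, role))
```

Deny-by-default for unknown roles is the detail to keep: a masking layer that falls open when a new application role appears silently undoes the restriction the subject asked for.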


Consent Requirements for Processing:

Data controllers must obtain consent for personal information processing. Consent requests must be phrased clearly and must not be deceptive or misleading. Consent should be given in writing or through electronic means unless that is impossible by its nature. Consent can be forgone in certain situations, such as legitimate reasons, public interest or the performance of contractual obligations.

How SecuPi Helps:

To enforce the right to object, for any purpose, SecuPi can use any condition to block processing by an application, including a flag recording that a data subject has asked not to be processed, thus preventing any access to or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or configuration, on any system where SecuPi is installed. Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).


Breach Notification:

The data controller also has an obligation to inform the “Office of Personal Data Protection Commission” of any breach or violation involving personal data within 72 hours.

How SecuPi Helps:

In the unfortunate case of a breach, SecuPi’s audit logs and behavior analytics can pinpoint exactly which data was exposed, significantly shortening the reporting time while providing accurate and accountable information.
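As an added example of the scoping step a breach responder performs against an audit trail (illustrative code for this page, not SecuPi’s log format or analytics), the block below parses a constructed JSON-lines audit log, collects every subject and field touched by a compromised principal inside the incident window, and tracks the 72-hour notification deadline. It assumes the clock starts at the moment the breach is discovered; the principal name, timestamps and record layout are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed audit records: one JSON object per line, UTC timestamps.
AUDIT_LOG = """
{"ts":"2020-06-01T09:00:00Z","principal":"svc-report","subject":"C1001","fields":["email","phone"],"op":"read"}
{"ts":"2020-06-01T10:15:00Z","principal":"svc-report","subject":"C1002","fields":["national_id"],"op":"read"}
{"ts":"2020-06-01T10:20:00Z","principal":"alice","subject":"C1003","fields":["email"],"op":"read"}
{"ts":"2020-06-01T11:00:00Z","principal":"svc-report","subject":"C1001","fields":["national_id"],"op":"export"}
{"ts":"2020-06-02T08:00:00Z","principal":"svc-report","subject":"C1004","fields":["email"],"op":"read"}
""".strip()

NOTIFICATION_WINDOW = timedelta(hours=72)


def parse_audit_log(text: str) -> List[dict]:
    """Parse JSON lines into records with timezone-aware datetimes.
    The 'Z' suffix is rewritten because fromisoformat() only accepts it on
    Python 3.11+."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def scope_breach(records: List[dict], principal: str,
                 start: datetime, end: datetime) -> Dict[str, List[str]]:
    """Map each affected data subject to the sorted list of fields that the
    compromised principal accessed between start and end (inclusive)."""
    exposed: Dict[str, set] = {}
    for rec in records:
        if rec["principal"] != principal:
            continue
        if not (start <= rec["ts"] <= end):
            continue
        exposed.setdefault(rec["subject"], set()).update(rec["fields"])
    return {subject: sorted(fields) for subject, fields in sorted(exposed.items())}


def notification_deadline(discovered_at: datetime) -> datetime:
    """Latest time the regulator must be informed, counted from discovery."""
    return discovered_at + NOTIFICATION_WINDOW


def hours_remaining(discovered_at: datetime, now: datetime) -> float:
    """Hours left until the deadline, never negative."""
    remaining = (notification_deadline(discovered_at) - now).total_seconds() / 3600
    return max(0.0, remaining)


if __name__ == "__main__":
    records = parse_audit_log(AUDIT_LOG)
    window_start = datetime(2020, 6, 1, 9, 30, tzinfo=timezone.utc)
    window_end = datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc)
    print("exposed:", scope_breach(records, "svc-report", window_start, window_end))
    discovered = datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc)
    print("deadline:", notification_deadline(discovered).isoformat())
```

The output of `scope_breach` is the list a notification actually needs (which subjects, which categories of data), which is what a per-access audit trail provides and a simple "the database was reachable" alert does not.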
