The Personal Data Protection Act – Regulating Data Privacy

Data privacy in Thailand has taken a significant leap forward with the implementation of the Personal Data Protection Act (PDPA), which came into full effect on June 1, 2022. This legislation aligns with global standards, such as the European Union’s General Data Protection Regulation (GDPR), aiming to protect personal data and ensure privacy rights for individuals. This article explores the general duties of data controllers and data processors, the rights of data subjects, and the roles of the Data Protection Officer (DPO) and the Personal Data Protection Committee (PDPC).

General Duties of Data Controllers and Data Processors

Data Controllers

A data controller is an individual or entity that has the authority to make decisions about the collection, use, or disclosure of personal data. Under the PDPA, data controllers have several key responsibilities:

  1. Lawful Basis for Processing: Data controllers must ensure that personal data is processed lawfully and transparently, with a legitimate basis, such as consent, contract, legal obligation, vital interests, public tasks, or legitimate interests.
  2. Consent: Obtaining clear and explicit consent from data subjects is essential, except in cases where other lawful bases apply. Data subjects must be informed about the purpose of data collection and their rights before giving consent.
  3. Data Minimization: Data controllers must collect only the data necessary for the specified purpose and ensure that it is relevant and not excessive.
  4. Data Security: Implementing appropriate security measures to protect personal data against unauthorized access, disclosure, alteration, or destruction is a crucial duty. This includes both technical and organizational measures.
  5. Data Breach Notification: In the event of a personal data breach, data controllers must notify the Office of the PDPC without delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the affected data subjects must also be notified, together with remedial measures.
  6. Data Subject Rights: Data controllers must facilitate the exercise of data subjects’ rights, ensuring that requests for access, correction, deletion, or objection are handled promptly and efficiently.

Data Processors

A data processor is an individual or entity that processes personal data on behalf of the data controller. Data processors have the following responsibilities:

  1. Processing Under Controller’s Instructions: Data processors must process personal data only in accordance with the data controller’s instructions and cannot use the data for their own purposes.
  2. Data Security: Similar to data controllers, processors are required to implement adequate security measures to protect personal data, and must notify the data controller of any personal data breach that occurs.
  3. Assisting Data Controllers: Data processors must assist data controllers in fulfilling their obligations, such as responding to data subject requests and maintaining records of processing activities.

Rights of Data Subjects

The PDPA grants several rights to data subjects, empowering individuals to have control over their personal data:

  1. Right to Access: Data subjects have the right to access their personal data and obtain a copy, along with information about how it is being processed.
  2. Right to Rectification: Individuals can request the correction of inaccurate or incomplete personal data.
  3. Right to Erasure: Also known as the “right to be forgotten,” this allows data subjects to request the deletion of their personal data under certain circumstances.
  4. Right to Restriction: Data subjects can request the restriction of processing activities in specific situations, such as when the accuracy of data is contested.
  5. Right to Data Portability: Individuals have the right to receive their personal data in a structured, commonly used format and transfer it to another data controller.
  6. Right to Object: Data subjects can object to the processing of their personal data, particularly in cases involving direct marketing or processing based on legitimate interests.

Role of the Data Protection Officer (DPO)

The PDPA mandates the appointment of a Data Protection Officer (DPO) for public authorities and for organizations whose core activities require regular and systematic monitoring of personal data on a large scale or involve sensitive personal data. The DPO may be an employee or an external service provider, and the same DPO may serve a group of affiliated companies. The DPO’s responsibilities include:

  1. Advisory Role: Providing guidance on data protection obligations and ensuring compliance with the PDPA.
  2. Monitoring Compliance: Overseeing data processing activities and ensuring that policies and procedures align with legal requirements.
  3. Point of Contact: Serving as the primary point of contact for data subjects, the PDPC, and internal stakeholders regarding data protection matters.
  4. Training and Awareness: Conducting training sessions and raising awareness about data protection within the organization.

Personal Data Protection Committee (PDPC)

The Personal Data Protection Committee (PDPC) is the regulatory authority responsible for enforcing the PDPA and ensuring compliance. Key functions of the PDPC include:

  1. Issuing Guidelines: Providing guidelines and recommendations to assist organizations in complying with the PDPA.
  2. Investigating Complaints: Handling complaints from data subjects and investigating potential breaches of the PDPA.
  3. Enforcement: Imposing penalties and sanctions on organizations that fail to comply with data protection requirements. Non-compliance can attract administrative fines of up to THB 5 million per violation, in addition to criminal liability for certain offences and civil liability, including punitive damages, towards affected data subjects.
  4. Promoting Awareness: Educating the public and organizations about data privacy rights and responsibilities.

Conclusion

Thailand’s PDPA marks a significant step towards enhancing data privacy and protection in the digital age. By outlining clear duties for data controllers and processors, empowering data subjects with rights, requiring organizations to appoint a DPO where the law demands it, and establishing the PDPC as the supervisory authority, the law aims to foster trust and accountability in the handling of personal data. Organizations operating in Thailand must prioritize compliance with the PDPA to safeguard personal information and build a privacy-conscious culture.