In February 2019, Thailand’s National Legislative Assembly approved the draft Personal Data Protection Act (PDPA) in its third and final reading. In May 2019, the Act was published in Government Gazette under Personal Data Protection B.E. 2562. The law was renewed due to current issues related to the advancement in technology, thus it was a necessity to enact a law to make the collection, compilation, use and disclosure of personal data easy, convenient and prompt.
While the act has already been promulgated, its main provisions will take effect after a one-year grace period on 27th May 2020. Therefore, it is essential for all stakeholders that collect personal data, including employers, to oblige and fulfil the duties and obligation of the legislation.
PDPA establishes the Office of Personal Data Protection Commission (PDPC’s Office) to promote and support the development of Personal Data Protection. It is a government agency and will have the status of a juristic person. Personal Data that is protected is information related to a natural person which is directly or indirectly identifiable to such a natural person, excluding information of a deceased person.
Further, the Act states “the collection of personal data shall be limited to the extent necessary in relation to the lawful purpose of data controller”, meaning employers are not permitted to collect unnecessary data from employees. It is stipulated that data must solely be collected from employees and collecting data regarding employee’s race, ethnic background, political opinion, religious affiliation, sexual orientation, and biometric data, among others, is prohibited unless they consent to give out this information in accordance with Section 26.
Likewise, employers should note that they are required to make an explicit request for consent prior to collecting sensitive data from employees unless certain circumstances, such as suppressing bodily harm, are met. It is also necessary for employers to provide appropriate security measures to prevent unauthorised losses, alterations, or disclosure of employees’ personal data and must report any security breach to the Office of the Personal Data Protection Committee within 72 hours of becoming aware of it.
Employees have the right to request for access to personal data that is relevant to them, and employers are obligated to fulfil the request. The data must be submitted in a format that is legible to the employee and in a form that is commonly used, meaning it can be handed over using digital tools.
Employees also have the right to object to the collection, use, or disclosure of their own personal data if there are compelling grounds for doing so according to the law.
Employees also have the right to restrict the use of or request the destruction of their personal data if they feel it is no longer necessary for the employer to have them or if they object to its purpose use.
Failure to comply with the provisions of the Act, whether intentionally or unintentionally, will force an employer to compensate the employee for damages caused, including all expenses borne by the employee to offset the damages on top of punitive charges. In addition, employers whose violation of the Personal Data Protection Act impairs the employees’ reputation will be punished with imprisonment for a maximum period of six months and/or a fine not exceeding 500,000 Baht in damages. Yet, if the court finds that the violation was done in order to unlawfully benefit the employer, the employer will be punished for one year and/or a fine of 1 million Baht.
According to the Act section 79, violating the Act also incur administrative fines ranging from 500,000 Baht to 5 million Baht depending on specific violation.