The Phuket News

Legal Matters: Moving from GDPR to PDPA compliance – the lowdown

Effective from June 1, Thailand’s Personal Data Protection Act (PDPA) B.E. 2562 [2019] regulates the collection, use and protection of personal data and establishes corrective measures against data misuse. The good news is that if you’re already compliant with the equivalent EU legislation (GDPR), like many companies in Thailand, you probably don’t need to worry.

Saturday 11 June 2022, 10:00AM

Thailand’s PDPA, which was proposed by the government in May 2018, is heavily based on the EU’s GDPR, though the two are not identical in all respects. While following the GDPR does not guarantee compliance with the PDPA, it does get very close.

PDPA applies to all entities located in Thailand, whether they collect and use the data in Thailand or not. It also applies to entities outside Thailand offering goods and services to users in Thailand. PDPA employs a risk-based approach. Businesses are required to prevent misuse of the data they collect and PDPA compliance always starts with a data privacy policy and procedures that comply with the PDPA.

Because the PDPA is based on the GDPR, there are significant similarities. Both contain comparable rules concerning data processing since both are concerned with consent, contract performance, legal responsibilities, and legitimate or vital interests. Both laws guarantee data subjects’ rights such as the right to be informed, the right to data portability, the right to access, and the right to be forgotten.

However, the PDPA and the GDPR do have some differences. Specifically, the PDPA is less precise than the GDPR regarding its definitions and the protection guaranteed is less strong under the PDPA, though the enforcement is more punishing, and the material scope is slightly different.

Unlike the GDPR, the PDPA does not apply to certain public agencies, and the GDPR’s definition of “personal data” is more precise, including IP addresses and cookie identifiers, which the PDPA does not cover. Unlike the GDPR, the PDPA does not define anonymised or pseudonymised data, even though it provides that a data subject has the right to anonymise their personal data.

The PDPA requires website owners to verify that their existing data policy complies with the PDPA and to update it if it does not. Businesses should review and upgrade all internal personal data policies, agreements, and procedures if non-compliant. If you already comply with GDPR, then you probably meet these standards already.

Ensure the validity of the consent
Businesses must obtain users’ clear and explicit consent to collect their data, perhaps via pop-ups or a click affirmation. You should also clearly inform the user about the purpose of data collection and the possibility of withdrawing consent. When switching from GDPR to PDPA-compliant websites and vice versa, the website owner needs to contact users to obtain their consent to collect or retain their data or give them the choice to clear the data already collected.

Cross-border data privacy transfer
The GDPR recognises data privacy transfer between countries. This is not the case under the PDPA, which does not automatically allow international data transfers outside Thailand; a transfer is allowed only when the receiving jurisdiction has established data protection measures that are equivalent to the PDPA, or under restricted conditions. We would expect countries that meet GDPR standards to comply, but this hasn’t been tested.

Enforce the rights guaranteed
Businesses must enact appropriate mechanisms to ensure they respect individuals’ rights to their personal data. A small difference is data portability; when refusing a request for data portability, PDPA requires that data controllers save the justification of objection for each request to verify the data subject and the competent authority involved. This is not the case under GDPR.

In Summary…
If you are already GDPR compliant, there is not much to do to comply with PDPA since the GDPR is broader, more precise, and has a stronger legal framework and history.

As always, if in doubt, consult an experienced law firm, as there are significant penalties if you get it wrong. Silk Legal has been advising clients on PDPA and GDPR compliance since the Thai law was announced and can be contacted for a compliance audit or simply to consult on questions around the PDPA.

By Dr Paul Crosio

Those interested in the legal aspects of PDPA compliance are welcome to contact Silk Legal for more information. Please reach out to them at info@silklegal.com or by using the contact form on their website.
