Moving from GDPR to PDPA compliance – the lowdown

Effective from June 1, 2021, Thailand’s Personal Data Protection Act (PDPA) B.E. 2562 [2019] regulates the collection, use, and protection of personal data and establishes corrective measures against data misuse. The good news is that if you are already compliant with the equivalent EU legislation, the GDPR, as many companies in Thailand are, you probably do not need to worry.

Thailand’s PDPA, proposed by the government in May 2018, is heavily based on the EU’s GDPR, though the two are not identical in all respects. Following the GDPR does not guarantee compliance with the PDPA, but it gets you very close.

The PDPA applies to all entities located in Thailand, whether or not they collect and use the data in Thailand. It also applies to entities outside Thailand that offer goods or services to users in Thailand, or that monitor their behaviour. The PDPA employs a risk-based approach: businesses are required to prevent misuse of the data they collect, and compliance always starts with a data privacy policy and procedures that meet the PDPA’s requirements.

Because the PDPA is based on the GDPR, there are significant similarities. Both recognize comparable lawful bases for processing personal data: consent, contract performance, legal obligations, and legitimate or vital interests. Both laws guarantee data subjects’ rights such as the right to be informed, the right of access, the right to data portability, and the right to be forgotten.

However, the PDPA and the GDPR do have some differences. Specifically, the PDPA’s definitions are less precise than the GDPR’s, the protection it guarantees is weaker, its enforcement is more punishing, and its material scope is slightly different.

Unlike the GDPR, the PDPA does not apply to certain public agencies. The GDPR’s definition of “personal data” is also more precise: it expressly includes online identifiers such as IP addresses and cookie identifiers, which the PDPA does not mention. Unlike the GDPR, the PDPA does not define anonymized or pseudonymized data, even though it provides that a data subject has the right to have their personal data anonymized.

Update your policy – it’s easy!

Under the PDPA, a website owner must verify that their existing data policy complies with the Act and update it if it does not. Businesses should review all internal personal data policies, agreements, and procedures and upgrade any that are non-compliant. If you already comply with the GDPR, you probably meet these standards already.


Ensure the validity of consent

Businesses must obtain users’ consent to collect their data, for example via a pop-up or a click affirmation that records clear and explicit consent. You should also clearly inform the user of the purpose of the data collection and of their ability to withdraw consent. When switching a website from GDPR to PDPA compliance, or vice versa, the website owner needs to contact users to obtain their consent to collect or retain their data, or give them the choice to have the data already collected deleted.

Cross-border data privacy transfer

The GDPR provides recognized mechanisms for transferring personal data between countries. This is not the case under the PDPA, which does not automatically allow personal data to be transferred outside Thailand: such transfers are permitted only when the receiving jurisdiction has data protection standards equivalent to the PDPA, or under restricted conditions. We would expect countries that meet GDPR standards to qualify, but this has not been tested.

Enforce the rights guaranteed

Businesses must put appropriate mechanisms in place to ensure they respect individuals’ rights over their personal data. One small difference concerns data portability: when a data controller refuses a data portability request, the PDPA requires it to record the reasons for the refusal so that the data subject and the competent authority can verify them. The GDPR has no such requirement.

In Summary

If you are already GDPR compliant, there is not much more to do to comply with the PDPA, since the GDPR is broader, more precise, and has a stronger legal framework and a longer enforcement history.

As always, if in doubt, consult an experienced law firm, as there are significant penalties if you get it wrong. Silk Legal has been advising clients on PDPA and GDPR compliance since the Thai law was announced and can be contacted for a compliance audit or simply to consult on questions around the PDPA.

Author

  • Dr. Paul Crosio

    Paul is partner at Silk Legal who specializes in restructuring, CAM (Complementary and Alternative Medicine), regulatory, R&I and general corporate law.