PDPA (Thailand) FAQ
This document provides answers to frequently asked questions about the Personal Data Protection Act of Thailand (PDPA) and its implementation in Adobe Experience Cloud.
Definitions for the various PDPA-related terms used in this document can be found in the PDPA (Thailand) terminology article.
Who does the PDPA affect?
The PDPA applies to businesses that are not headquartered in Thailand that market goods or services to Thai residents or track their behavior.
When does the PDPA go into enforcement?
The regulation goes into enforcement on May 27, 2020.
What are the penalties for non-compliance?
Organizations that violate the PDPA can be liable for both criminal and civil fines. Each offense is expected to attract administrative penalties of up to 5 Million TBH. The PDPA allows courts to enforce punitive compensation of up to double the amount of the actual damages and a one-year prison sentence. Aside from the fines, PDPA also allows data owners to lodge class action lawsuits.
What constitutes personal data?
Personal data is any information related to a natural person or data subject that can be used to directly or indirectly identify the person. It can be any data about a natural person. This does not include deceased persons.
What constitutes sensitive personal data?
The PDPA provides stringent requirements for the collection and storage of sensitive personal data which includes personal data pertaining to: racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal records, trade union memberships, genetic data, biometric data, health records, and sexual orientation or preferences.
What is the difference between a data controller and a data processor?
A data controller is the person who has the power and responsibility to make decisions regarding the collection, use, or disclosure of personal data. A data processor is the person who operates in relation to the collection, use, or disclosure of the personal data and the direction of the data controller. Both data controllers and data processors must provide appropriate security measures that meet a minimum standard prescribed by the Personal Data Protection Committee (PDPC).
What is explicit consent by the data subject?
The PDPA follows the footprint of the European Union's General Data Protection Act (GDPR) in that it requires explicit consent from the data subject. Explicit consent requires the individual to take affirmative action to indicate that they agree, such as by checking a box rather than having it pre-checked or indicating consent is given by using a service. Consent provides a legal basis to collect, use or disclose personal data by the data controller.
Can data subjects under the age of 10 give consent?
Parental consent is required for the collection of personal data of children under the age of 10.