What is Personal Data?

It is any data about an individual can be considered as personal data. This includes personal identification number, mobile number, date of birth, home address, and email address.

Example in the payroll context, there are lots of sensitive information of employees that are stored and collected.  This falls on the HR and payroll department to ensure that the organization is compliant of the respective data privacy laws and regulation to safeguard the employees personal data.

What is GDPR?

GDPR stands for General Data Protection Legislation, is a European Law that protects fundamental rights of data subject whose personal information and sensitive data are stored in the organizations. This law also addresses the transfer of personal data outside of EU. It came into effect last May 25, 2018. The government, organizations, and individuals recognizes the importance of storing and keeping the personal data safe to prevent the use of personal info for illegal and fraudulent activities.

What is PDPA?

Thailand’s Personal Data Protection Act B.E. 2562 was first consolidated and initially signed last 2019 but it will take full effect on June 1, 2022. This will bring a significant change to data protection regulatory environment in Thailand. This is to make companies, employees or related persons to realize the importance of protecting personal data to be more secure. The purpose of the PDPA is to protect website users from unlawful gathering and use of personal data. The law entails that users must know what data us being collected on them, how it us used, and by who.

The differences between PDPA and GDPR are based on the following key elements:

1. Scope

2. Individual’s right

3. Key definitions

4. Enforcement

The Scope

PDPA

• Is not applicable to public agencies that oversee state security like forensic science, curbing money laundering and managing cyber security.

GDPR 

•  Applies to data controllers and processors that may be public agencies.

In terms of material scope;

PDPA

• Does not distinguish or identify automated and non-automated means of processing consumer data.
• Allows consumer to request their data to be anonymized, it does not clearly define it as exemption from the scope.
• Does not extend to the House of Representative, the Senate, Parliament and respective committees appointed by the entities. It exempts the activities undertaken by any credit bureau company from the scope.

GDPR

• Applies to the handling of user information by either automated or non-automated means of information in question is part of the filling system.
• Exempts anonymized data from

Individuals’ Rights

The right to access;

PDPA

• The PDPA has given data subjects the right to access their own data kept by the Controller by requesting actual access to or by obtaining a copy of their personal data. If any data subject finds his/her personal data incorrect, he is entitled to request that it be corrected.

GDPR

• explicitly states that data controller must inform consumers about the purpose of processing their data, the categories of personal information involved, the third parties to whom the data is disclosed.

The right to erasure;

PDPA

• does not provide a specific timeline within which the data controller needs to address a request. It allows consumers to notify enforcement authorities about the date controller’s failure to respond to an erasure request.

GDPR

• data controller is not required to institute strategies to identify a data subject that requests the deletion of their data.

The right to object;

Both PDPA and GDPR guarantee  the right of the user to objet to the processing of their information as well as the ability to withdraw their consent to the processing at anytime.

PDPA

• does not explicitly define the required duration of the data controller to address the request to limit the processing of the personal data.

Thailand’s PDPA imposes an obligation to the data controllers to keep the justification of the objection to a data portability request for the verification of consumers and the competent authority.

GDPR

• makes it clear that the data controllers need to address the request restricting the processing of personal data within 30 days.

Key Terms

PDPA

The the privacy law does not specifically consider IP addresses, cookie identifiers, and radio frequency identification tags as a part of what constitutes personal information

• Does not provide a definition of pseudonymized information.
• Does not explicit provisions on wether unique protection should be accorded to personal belonging to children when it is used for marketing or for the purpose of delivering social services directly to them.
• Thailand data privacy law does not have explicit requirements concerning the collection, utilization, or sharing of personal data on the basis of research. The data controllers are expected to ensure that they safeguard, consumer privileges, liberties, and welfare.

GDPR

States explicitly that the digital identifiers such as IP addresses, cookies, and radio frequency identification tags constitute personal information.

• Describes pseudonymized information as the handling of personal data in a way that ensures the information in question cannot be connect to a specific data subject.
• Describes children as vulnerable persons, the EU’s data privacy law creates provisions focused on ensuring that children are accorded special protection when their data is use for marketing or delivery of social services.
• Processing user data for research objectives is subject to particular regulations such as the right to erasure, data minimization, as well as pseudonymization.

Enforcement

PDPA

Non-compliance with Thailand PDPA has a fine of up to 5,000,000 baht. In some cases, entities found in violation of the Thailand’s data privacy regulation may get imprisoned for a term of not more than a year.

GDPR

Entities that violates GDPR can be fined either 2% of the global yearly revenue or 10 million euros, whichever is higher, or 4% of global annual turnover or 20 million euros whichever is higher.

However, the PDPA law has relaxed its enforcement. According to the announcement of 4 children's laws during the past June as follows:

Secondary Law No. 1

Announcement of easing of PDPA requirements for SMEs - community enterprises such as retail stores or companies with no more than 100 employees or income not exceeding 300 million baht.

Secondary Law No. 2

Announcement of rules for the preparation and keeping of records of activities, processing of personal data for processors of personal data with 180 days to prepare.

Secondary Law No. 3

Clearly declaring minimum security measures in line with the announcement of the Ministry of Digital that have been used in the last 2 years.

Secondary Law No. 4

Announcement of administrative sanctions taking into account the intent and to have mediation and warning according to the severity of the offense for non-serious cases to give warning or order to rectify, prohibit or limit the action for serious cases (In case of severe impact on a wide area) or a warning is not effective to punish the administrative by fine.

There are also four other important child laws pending. And expect to be able to take action on all 8 secondary laws soon.

In terms of policy, it aims to minimize the burden on those involved in compliance with the law. By starting to enforce in the early stages of this law. It shouldn't be too much of a burden. This emphasize on educating and admonishing not focusing on punishment."

In a nutshell PDPA, is to protect the publics personal data from unauthorized used. This is to inform the data owner the reason for the use of their personal data and to what purpose it will be put. The data owner shall have access to their information for any data correction and they have the right to withdraw or erase data if deemed necessary.