June 2019
There is a one-year grace period for organisations to become compliant with the PDPA and for the formation of the regulator and issuance of subordinate regulations.

• The PDPA applies to all organisations that collect, use or disclose personal data in Thailand. This is regardless of whether they are formed or recognised under Thai law; and whether they have residence, office or place of business in Thailand.
WWW.DLAPIPER.COM
• Cross-border transfer of personal data outside of Thailand is prohibited, unless the recipient country’s data protection standard is equivalent to or higher than the PDPA. Limited exceptions are available.

• There is a one-year grace period before the PDPA is enforced. Non-compliance may attract fines, imprisonment, or both.

PDPA KEY DEFINITIONS

• Personal Data is defined as “any data pertaining to a person that enables the identification of that person, whether directly or indirectly, but specifically excluding data of the deceased”.

• Person is defined as a “natural person”. This means that the PDPA only protects the data of natural persons.

• Data Administrator is defined as “a person or an entity who determines the purposes for which and the manner in which any personal data are, or are to be processed.” Data Administrators have primary responsibility for ensuring that processing activities are compliant with the PDPA.

• Data Processor is defined as “a person or an entity that collects, uses, or discloses personal data on behalf of, or in accordance with, the instructions of a Data Administrator.”

THE REGULATOR

The Personal Data Committee (“Regulator”) will be established to regulate compliance with the PDPA, under the supervision of the Minister of Digital Economy and Society. Data Administrators are therefore required to cooperate with the Regulator.

requiring compliance through a prescribed form may prove challenging, given that Data Administrators may develop their own mechanisms for gaining and assessing consent.

If a Data Administrator uses or discloses personal data beyond the original purpose for which the data subject had given consent, further specific consent is required for each separate purpose.

Data subjects have the right to refuse to consent, and the right to withdraw any consent they have given, at any time. Following any such refusal or withdrawal of consent, Data Administrators should be wary of proceeding with the proposed data processing activity.

Sensitive Personal Data is described in the PDPA as information on a person’s race, ethnicity, political opinion, religious or philosophical beliefs, sexuality, health, genetic data, criminal record, and physical or psychological condition. The PDPA requires Sensitive Personal Data to be handled carefully. We expect the Regulator to provide further guidance on this in due course.

EXEMPTIONS

Organisations are not required to obtain consent from data subjects in the following scenarios:

• It is necessary in order to enter into or perform a contract with the data subject;
RESTRICTIONS TO CROSS-BORDER TRANSFER

Personal data may not be transferred outside of Thailand, unless the recipient country has data protection standards commensurate with or better than the PDPA, except in cases where:

• The data subject has given consent and proper notification has been given by the Data Administrator;

• The transfer is necessary for the performance of a contract between the Data Administrator and data subject; or

• The transfer is necessary in order to protect the vital interests of the data subject. It will be interesting to see guidance to be published by the Regulator on what constitutes “vital interests” of the data subject.

This will have an impact on multinational organisations that routinely transfer data across borders. However, given that many organisations in Europe will already comply with similar (and likely more stringent) data protection laws, the impact of the PDPA may be limited regarding cross-border transfer of data.

NOTIFICATION OF DATA BREACH

In the event of a data breach, Data Administrators must report the breach to the Regulator without undue delay, and in any event within 72 hours of becoming aware of it.

ENFORCEMENT GRACE PERIOD

There is a one-year grace period before the PDPA is enforced. The Regulator will issue guidelines shortly to assist Data Administrators’ compliance plans.

SANCTIONS

The Regulator has authority to pursue data breaches against organisations or Data Administrators in the criminal courts.

Data breaches may attract administrative fines of up to THB 5,000,000, a maximum of one-year imprisonment, or both.

The amount of a fine and imprisonment (if any) is dependent on the nature of the data breach. For example, a person found guilty of collecting and disclosing personal data for unlawful purposes may be liable to a fine not exceeding THB 1,000,000 or to imprisonment for a term not exceeding one year, or both.

WHAT SHOULD ORGANISATIONS DO

Consent will likely prove to be one of the biggest obstacles for many organisations, particularly relating to the processing of sensitive personal data.

Organisations should review their data protection policies and practices to ensure that they can take any necessary steps to ensure compliance with the PDPA, particularly in relation to the transfer of personal data to Data Processors. Steps should also be taken to nominate Data Administrators and identify Data Processors. Equally, existing personal data within organisations should be adequately protected to avoid unauthorised access or misuse of personal data.

Organisations without a presence in Thailand, but who target or monitor Thai individuals, should understand the impact of the PDPA and prepare plans to ensure their businesses are compliant.

Given the sanctions associated with mishandling personal data, organisations and Data Administrators should have in place stringent internal procedures to ensure compliance with the PDPA.
Key Contacts
Peter Shelford
Country Managing Partner
Bangkok
+66 2686 8500
peter.shelford@dlapiper.com

Chadaporn Ruangtoowagoon
Of-Counsel
Bangkok
+66 2686 8579
chadaporn.ruangtoowagoon@dlapiper.com
Sarita Prukaroon
Associate
Bangkok
+66 2686 8554
sarita.prukaroon@dlapiper.com
(iii) the significant Cyber Threat incident.

The CSA requires the immediate reporting of a Cyber Threat to the regulatory authorities. On the face of it, this appears overly burdensome, given that a Critical Information Infrastructure Entity is likely to focus its time on dealing with the Cyber Threat. We anticipate there to be further guidance on the reporting requirements in the NCSC’s yet to be published Cyber-security Policy and Plan.

Rectification of Unstandardized Cyber-security

If the Cyber-security of a Critical Information Infrastructure Entity does not meet specified minimum standards, the CSSC may order the entity to undertake remedial action.

Annual Assessment and Inspection

A Critical Information Infrastructure Entity is required to conduct an annual risk assessment and inspection relating to Cyber-security.

Surveillance of Cyber Threats

A Critical Information Infrastructure Entity must have in place procedures in relation to surveillance of Cyber Threats, including solutions to preserve Cyber-security. A Critical Information Infrastructure Entity also needs to conduct an operational readiness test in respect of tackling Cyber Threats.

In cases where Cyber Threats have occurred or may potentially occur, a Critical Information Infrastructure Entity is required to assess the situation and proceed with the measures set out in its Code of Conduct and Standard Framework, including immediately reporting to the NCSC and its supervisory authority.

WHAT SHOULD CRITICAL INFORMATION INFRASTRUCTURE ENTITIES BE AWARE OF IN CASE OF CYBER THREATS?

A Critical Information Infrastructure Entity should be alert to “Government Intervention” possibly taking place in cases of severe and critical Cyber Threats.

In cases where severe Cyber Threats occur or are likely to occur, the CSSC is authorised to access information, enter the premises of relevant or suspicious persons, and confiscate computer equipment relating to the Cyber Threat, upon the issuance of an emergency court warrant. However, if there are credible grounds that a computer or computer system is linked to a Cyber Threat, the CSSC may take action without the need to obtain a court warrant.

In case of emergency and critical Cyber Threats, the National Security Council will take over the role of the CSSC, whilst the NCSC is also empowered to proceed with preventive and remedial actions as necessary prior to the issuance of the emergency court warrant. Further, the NCSC or CSSC is permitted to request real-time information from any person linked to a critical Cyber Threat.

It is also important to note that the CSA only allows appeals in respect of governmental orders regarding non-severe Cyber Threats.

WHAT ARE THE PENALTIES IMPOSED BY THE CSA FOR NON-COMPLIANCE?

The NCSC may file criminal proceedings against a Critical Information Infrastructure Entity for a breach of the CSA.

A wide range of sanctions (i.e. fines and imprisonment) may be imposed. The fine and term of imprisonment will depend on the nature and severity of the offence. The CSA may additionally impose a daily administrative fine in cases where a regulatory order has been disregarded during a severe Cyber Threat incident.

For example, the criminal court may impose a daily fine of up to THB 10,000 for a breach of certain provisions of the CSA until the breach is cured, or impose a maximum fine of THB 300,000 for failing to comply with a CSSC Order during a severe Cyber Threat, or impose a maximum term of imprisonment of 3 years. It is important to note that there are violations that may attract both a fine and a term of imprisonment.

Directors or responsible persons of juristic entities may be personally liable under the CSA if a violation of the CSA results from their order, action or omission.

WHAT ARE THE NEXT STAGES OF CSA IMPLEMENTATION?

Although the CSA has now come into force, subordinate legislation and guidelines have yet to be published. The most anticipated regulations include the criteria for a Critical Information Infrastructure Entity and the centralised Cyber-security Policy and Plan. These regulations are necessary so that affected entities may prepare their Code of Conduct and Standard Framework in compliance with the CSA.
Key Contacts
Peter Shelford
Country Managing Partner
Bangkok
+66 2686 8500
peter.shelford@dlapiper.com

Don Rojanapenkul
Partner
Bangkok
+66 2686 8500
don.rojanapenkul@dlapiper.com
Thawalkorn Pattanachote
Legal Assistant
Bangkok
+66 2686 8573
thawalkorn.pattanachote@dlapiper.com
DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at www.dlapiper.com.
This publication is intended as a general overview and discussion of the subjects dealt with, and does not create a lawyer-client relationship. It is not intended to be,
and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on
the basis of this publication. This may qualify as “Lawyer Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
Copyright © 2019 DLA Piper. All rights reserved. | JUN19 | A01018