The Personal Data Protection Act B.E. 2562 (2019) (PDPA) is Thailand’s first comprehensive data protection law, effective from 1 June 2022. As new legislation, it brought significant changes for organisations operating in Thailand and reflects the ongoing global trend towards stronger data protection measures.
Many of its provisions and obligations are influenced by the EU’s General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), with similar key definitions and principles. However, there are also certain differences.
In this blog, we compare the similarities and differences of these laws, exploring the nuances of key areas. Organisations operating in both jurisdictions must understand these nuances to ensure data protection compliance and avoid potential penalties.
PDPA vs GDPR: Key similarities
Thailand does not currently have an adequacy agreement with the EU. However, the adoption of the PDPA could be seen as a step towards aligning their data protection standards with those of the EU, potentially paving the way for such an agreement in the future.
Personal scope: Both the PDPA and the GDPR aim to give individuals more control over their personal data and have rules and regulations to ensure the safeguarding of that personal data
Extraterritorial scope: Both the PDPA and the GDPR apply beyond the respective jurisdictional borders. This means the data protection laws apply to organisations located within the respective countries AND to organisations outside the jurisdictional borders if they are processing the data of individuals within those respective countries
Key definitions: Both the GDPR and the PDPA have a broad definition of personal data, referring to any information relating to an identified or identifiable person; both define a Data Controller as a person or entity that determines the purposes and means of processing personal data, and a Data Processor as a person or entity that processes personal data on behalf of the controller
Data protection oversight body: Both laws mandate the creation of an independent body to oversee the enforcement of data protection regulations, ensure compliance, investigate breaches and protect the rights of individuals. In Thailand, the Supervisory Authority (SA) is the Personal Data Protection Committee (PDPC), under the supervision of the Minister of Digital Economy and Society. Europe’s independent data protection authority is the European Data Protection Supervisor (EDPS), and each member state also has its own individual Data Protection Authority (DPA)
Legal basis for processing: The PDPA and the GDPR both require organisations to have a legal basis for processing personal data
Data Protection Officer (DPO): Both laws have a mandatory requirement of appointing a Data Protection Officer (DPO) for certain organisations. The DPO is responsible for overseeing the implementation of data protection processes and strategies within the organisation. They also serve as a point of contact for authorities and individuals
PDPA vs GDPR: Key differences
Automated decision making:
The PDPA does not clearly define the right of data subjects to be informed about the use of profiling and automated decision-making
The GDPR states that data subjects must be made aware of profiling and automated decision-making at the time of data collection
Oral communications:
The PDPA does not explicitly state whether data subjects can be made aware of their rights orally
The GDPR states that data subjects can be informed of their rights orally, as well as with electronic and written notices
Anonymised and Pseudonymised data:
The PDPA does not clearly define anonymised data as an exception from its scope and does not define pseudonymised data
The GDPR explicitly excludes anonymised data from its scope and defines pseudonymised data as ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information’
Non-compliance penalties:
PDPA compliance violation penalties include a possible prison sentence of up to 6 months and administrative fines of up to THB 5 million €29,
GDPR compliance violation could incur an administrative fine of up to €20 million or 4% of annual turnover, whichever is greater
Webinar & Infographic
Identifying challenges, elevating trust: Thailand’s new PDPA meets the EU GDPR
The DPO Centre and DBC Group presented an exclusive webinar on 11 October 2023, exploring the similarities and differences between the two regulations, along with a discussion about some of the challenges organisations might have when operating across multiple jurisdictions.
We have worked with over 800 clients globally across the spectrum of industry sectors, supporting their data protection compliance and bringing peace of mind.