
Thailand PDPA vs GDPR: Differences Unraveled


The Thailand PDPA and GDPR are two totally different laws you probably need to know about.

Thailand’s PDPA is a newer data protection law that provides up-to-date rights to Thai residents. On the other hand, the General Data Protection Regulation (GDPR) is one of the first major data privacy regulations and is known for its strict rules.

With the establishment of the new PDPA law, you may be wondering how it differs from the GDPR. At first, this seemed like a huge task, but the Thailand PDPA and the GDPR are actually fairly similar in reality.

So, what are the differences between the two data protection laws? In this guide, we'll unravel the differences between the Thailand PDPA and the GDPR so you don't have to.

Let's dig in.

Key Takeaways

  • Both the Thailand PDPA and the GDPR ensure data subjects (individuals) have control over their personal information.
  • The Thailand PDPA was modeled on the key provisions provided in the GDPR.
  • Some of the key differences between the two laws can be seen in the scope of application, DPIA requirements, data subject rights, and penalties, with the PDPA providing for criminal sentences.

Thailand PDPA Law

The Thailand PDPA (Personal Data Protection Act) is a relatively new data protection law for Asia that was created to protect how personal data is collected, used, shared and transferred.

The PDPA was first introduced in 2019 but was only fully enforced in June 2022 after waiting for Cabinet approval of a royal decree. The Personal Data Protection Committee (PDPC) enforces the rules set out by the data protection law.

There are three scopes of application outlined in the PDPA:

  • Personal scope
  • Territorial scope
  • Material scope

So, regardless of whether you're an individual or a business that is acting as the data controller, you are bound to the rules and regulations outlined in the PDPA. There are some exceptions to this, like if you are using the collected data for household activities.

The law also applies to businesses that are not based in Thailand but are processing, sharing or transferring data collected from Thai data subjects. The data covered includes both personal data and sensitive personal data, as outlined in the GDPR.

There are a number of rights that data subjects have been given by the Thailand PDPA, and it is up to your business, as the data controller, to ensure that these data privacy rights are not violated.

Some of these rights include the right to be informed of the collection of personal data. According to Section 19 of the Thailand PDPA, data controllers must receive consent from the data subject before beginning the collection process.

Other provisions made include issuing a data processing notification, appointing a Data Protection Officer (DPO), and ensuring there is adequate protection for cross-border data transfers.

GDPR Privacy Law

Before the Thailand PDPA was fully enforced, businesses and individuals had to remain compliant with the GDPR, a regulation introduced by the European Union (EU) in 2018.

The GDPR was created to safeguard the privacy rights of data subjects and reshape how businesses handle and use personal data.

The GDPR is currently enforced by individual data protection authorities (DPAs) from all 27 EU member states.

The general purpose of the GDPR was to empower data subjects and give them greater control over their personal data and how it is used. The policy also sought to make businesses more accountable for their data processing practices.

The GDPR comprises a set of key principles covering fairness and transparency, purpose limitation, accuracy, integrity, and additional security measures, as well as storage limitation rules on how long collected personal data may be kept.

Much like the Thailand PDPA, the GDPR also includes a set of data subject rights that data controllers need to be aware of. Some of these rights include the right to the restriction of processing data and the right to access.

Thailand PDPA vs GDPR Differences

While the Thailand PDPA was modeled on the provisions and data subject rights provided in the GDPR, there are some differences between the two data protection laws.

Taking note of the difference between the two data protection laws will help ensure that your business remains compliant with both if you're handling both EU citizens' and Thai data subjects' personal data.

Scope

Both the Thailand PDPA and the GDPR have three scopes of application:

  • Personal scope
  • Territorial scope
  • Material scope

When it comes to personal scope, there is one difference between the two data protection laws: the GDPR law applies to both data controllers and processors who may also be public bodies.

However, the PDPA does not apply to public bodies that maintain the security of the state.

According to Sections 4-6 of the PDPA, public bodies that carry out duties to prevent and suppress money laundering, cybersecurity and forensic science are not bound to provisions laid out in the act.

The GDPR applies to all natural persons regardless of their nationality or where they reside, whereas the PDPA applies to data subjects within Thailand but makes no mention of their nationality or place of residence.

The territorial scope is obviously different, with the PDPA covering all Thai residents while the GDPR covers all EU residents. There are also quite a few differences in the material scope of application. For example, the GDPR excludes anonymized data from its application, whereas the PDPA does not.

Another big difference between the two laws is the GDPR does not exempt law-making organizations from its application, but the PDPA has exempted the House of Representatives, the Senate, the Parliament, and credit companies.

Data Transfer Requirements

One of the other key differences between the GDPR and the Thailand PDPA is the data transfer requirements.

While the GDPR states that cross-border transfers are allowed based on international agreements, the PDPA does not specifically address these transfers with the purpose of complying with a court judgment or another country's authority.

The GDPR recognizes cross-border transfers that include transfers being made from a register with the intent to provide information to the public. However, the PDPA does not recognize cross-border transfers made from a register.

DPIA Requirements

As businesses are dealing with personal data, there needs to be some form of data privacy and adequate data protection. This is where a Data Protection Impact Assessment (DPIA) becomes important.

Data controllers use a DPIA to identify data privacy risks of data subjects, specifically to evaluate the potential impacts on data subject rights during data processing. This type of tool evaluates the risks to determine if adequate security measures are put in place.

The GDPR has stricter guidelines that data controllers need to abide by. For example, the GDPR requires businesses to conduct a DPIA if:

  • Processing may result in a high risk to data subject rights
  • There is a systematic evaluation of personal aspects of an individual based on automated processing
  • There is large-scale processing of data

The Thailand PDPA only states that a DPIA needs to be conducted when necessary or when there are changes in policy. Data controllers do not need to consult with the authority when processing data according to the PDPA, but under the GDPR, they are required to if they are dealing with high-risk data processing.

DPO Requirements

While both the GDPR and the Thailand PDPA require that data controllers appoint a Data Protection Officer (DPO), there are some key differences.

For example, Articles 13-14 and Articles 37-39 state that a [DPO](https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/data-protection-officers/does-my-companyorganisation-need-have-data-protection-officer-dpo_en) must be appointed when a public body is carrying out data processing. However, the PDPA only requires specific public bodies to appoint a DPO.

Data Security Standards

To maintain proper data security measures to prevent risks like a data breach, the PDPA and the GDPR have set out data security standards that businesses need to maintain to ensure compliance. This includes data breach notification requirements. However, the GDPR does seem to be stricter.

The GDPR requires notification of a personal data breach in which the nature of the breach and its likely consequences must be explained. The PDPA imposes no such requirement.

The GDPR also has a list of technical and organizational measures that data controllers must use as a reasonable measure against data breaches. These include access management, data loss prevention, encryption, and third party risk management among other things.

The difference between the two personal data protection laws is that the GDPR states that data processors must notify the data controller of a breach without undue delay, whereas the PDPA does not specify a timeline for this.

Data Subject Rights

While many of the rights in the Thailand PDPA are modeled on those provided in the GDPR, there are a number of differences between the two.

Both personal data protection laws recognize that the data subject has the right to access their personal data. The difference between the two laws is that the GDPR states that data controllers must reply within one month, with a two-month extension if necessary. There is no extension period provided by the PDPA.

Under the right to erasure, the GDPR states that data controllers must reply to the data subject's request for erasure within one month from the receipt, but the PDPA provides no timeline.

Data controllers under the GDPR are also supposed to put in place mechanisms to ensure that the request is carried out, while the PDPA does not require this.

Another difference between the two laws is that under the right to be informed, the GDPR states that data subjects must be informed about automated decision-making, like profiling, during the time that personal data is collected. The PDPA makes no mention of this.

Both laws deal with consent and state that data subjects have the right to object and withdraw previously given consent. The GDPR requires data controllers to address requests for withdrawn consent within 30 days, but the PDPA has no defined time limit.

Fines & Penalties

Both the GDPR and Thailand PDPA issue monetary fines and penalties for non-compliance.

The maximum fine a business can be handed for non-compliance with the PDPA is a monetary fine not exceeding THB 5 million (approx. €149,000). The GDPR penalty depends on the violation, so the fine could be 2% of global annual turnover or €10 million, or it could be 4% of global annual turnover or €20 million.

The GDPR does not make provisions for criminal penalties, whereas the PDPA states violations can result in a one-year imprisonment.

FAQs

Is GDPR applicable in Thailand?

If your business in Thailand is processing personal data collected from EU citizens, then yes.


What is the DPO requirement for GDPR?

The GDPR does not have a specific list of data protection officer requirements, but it does state that the DPO must have expert knowledge of data protection laws.


What are the key differences regarding consent between the GDPR and PDPA?

PDPA allows for implied consent, whereas the GDPR requires that explicit consent is given.


What is the data retention period for PDPA in Thailand?

The Thailand PDPA provides no guidelines on a data retention period.


How Can Captain Compliance Help?

You'll need to ensure your business's compliance with relevant laws like the PDPA and GDPR if you want to avoid potential fines or imprisonment.

Captain Compliance can help guide you through the complex world of personal data protection laws. We offer both corporate compliance and outsourced compliance solutions, like compliance training, to help your business comply with the PDPA regulations in Thailand and those of the GDPR.

Get in touch with Captain Compliance today for a free consultation so you can find out how to comply with your applicable laws.