The reach and liabilities of the Personal Data Protection Act
text size

The reach and liabilities of the Personal Data Protection Act

Earlier this year, Thailand enacted its Personal Data Protection Act (PDPA), which was published in the Government Gazette on 27 May 2019. Most parts of the PDPA will become effective one year after this, on 27 May 2020. As the PDPA will have broad impact across multiple aspects of most businesses—including their human resources operations—lawmakers provided this one-year period for those affected to prepare for compliance with the PDPA.

While the definitions and mechanics of the law in relation to HR operations were covered in a previous Human Resource Watch column (29 April 2019), this article will take a closer look at the civil, criminal, and administrative penalties applicable in the event of non-compliance with the PDPA.

It is important for employers to understand that these liabilities apply to them even if they outsource their company’s HR work. Some employers misunderstand that if they turn over their HR functions to an HR service provider, the employer will not have any liability under the PDPA. Indeed, even if HR functions are outsourced, the employer will still have the same liabilities under the PDPA if the HR service provider breaches the PDPA.

For instance, if an employer assigns an outsourced provider to manage the paying of wages and calculation of social security deductions, where the providers must collect, use or disclose the personal information of employees, both the employer and the HR service provider will be acting in roles defined by the PDPA. In this scenario, the employer would be considered a ‘data controller’, while the HR service provider would be considered a ‘data processor.’ Therefore, both the employer and the HR service provider will have potential liability under the PDPA.

If the employer or HR service provider violates a PDPA provision, such as selling employees’ personal information to a financial institution or other third party without the employees’ consent, the employer as data controller would not only be liable for paying compensation to the employees who own the personal information, but could also face criminal penalties and administrative liability under the PDPA. In addition, the HR service provider, as a data processor, could face civil liability.

The PDPA provides for three types of potential liability for violation of its provisions:

1. Civil Liability

Employers or HR service providers who are found to have violated the PDPA must pay compensation to the employees who own the personal information and who received damages from the violation, regardless of whether the violation was done intentionally or negligently, except where the offender can prove that the damages were caused by force majeure or the employees’ own actions. In addition, offenders who can prove that the violation was a result of their compliance with an order of a government officer exercising his or her duties under the law will not be liable. The compensation includes all necessary expenses associated with actual or likely damages, whether for purposes of prevention or mitigation.

In addition, the court is entitled to award punitive civil damages, up to two times the amount of actual damages.

The prescription period for claiming compensation under the PDPA is three years from the date that the employees who own the personal information became aware of the violation and the identity of the offenders, or ten years from the date on which the violation of the personal data took place.

2. Criminal liability

If an employer as data controller violates the PDPA by the use or disclosure of personal information without consent in a manner that is likely to cause the other person to suffer any damages, impair his or her reputation, or other reason, the offender will face imprisonment of up to six months, a fine of up to Baht 500,000, or both.

In addition, if the offender uses or discloses personal information in order to receive unlawful benefits (or secure benefits for others), the criminal penalties that the offender will face include imprisonment for up to one year, a fine of up to Baht 1 million, or both.

The criminal offence under the PDPA is a compoundable offence, which means that it can be settled by negotiation and agreement between the parties before a court issues a final judgment.

In a case where the offender is a juristic person and the offence occurs as a result of the order or act of any director, manager, or other person in a role of responsibility, those persons must be liable for the relevant penalties. Likewise, these persons can also be penalized for their omission of an instruction or act resulting in the commission of the offence by the juristic person.

3. Administrative liability

The PDPA also imposes administrative liability on any offender in the form of an administrative fine from Baht 500,000 to Baht 5 million, depending on the nature of the violation. The PDPA establishes an expert committee with the authority to order offenders to pay an administrative fine, issue an order for rectification, or issue a warning to the offender. In determining whether to impose an administrative fine, the expert committee will consider the severity of the circumstances of the offence, the size of the business of the data controller (e.g., an employer) or data processor (e.g., HR service provider or HR department), or other circumstances.

It is possible that specific classes of data controller could be exempted from the application of all or part of the provisions of the PDPA (in addition to the excepted activities, on which see the previous article on this topic). However, these exemptions would have to be made by royal decree.

As it stands now, though, exceptions for classes of person have not been promulgated, and employers should not expect that they will be automatically exempt from PDPA compliance. Recent news from Europe of companies being heavily fined for their violations of the EU’s General Data Protection Regulation (upon which much of the PDPA is based) underline the dangers of continuing to neglect the protection of personal data. With Thailand only months away from joining the EU and other jurisdictions around the world in implementing a robust data protection regime, businesses must ensure the compliance of all of their operations—including in-house or outsourced HR functions—to avoid such costly penalties.


Author: Chusert Supasitthumrong, a partner in the Dispute Resolution Department at Tilleke & Gibbins in Bangkok. Please send any comments or questions about the content of this article to Andrew Stoutley at andrew.s@tilleke.com.

Series Editor: Christopher F. Bruton, Executive Director, Dataconsult Ltd, chris@dataconsult.co.th. Dataconsult’s Thailand Regional Forum provides seminars and extensive documentation to update business on future trends in Thailand and in the Mekong Region.

Do you like the content of this article?
COMMENT