If nothing changes, the Personal Data Protection Act of 2019 (“PDPA”) will come into effect on 1 June 2022, which will result in a major overhaul of business organizations. In order to make the transition smoothly, companies are advised to consult experienced legal advisors.
Mr. Wichai Somboonchokpisal, a legal partner at Mazars in Thailand, noted that the PDPA requires organizations to take certain steps in regard to personal data. There must be a data collection system, a system for monitoring the use of personal data, as well as a data protection officer in charge of coordinating with government officials, notifying data owners of their rights, and managing data for both employees and business partners. These processes must be completed before the law comes into effect on 1 June 2022.
In this regard, companies or business organizations which serve as data controllers and which process data have the duty to notify data owners about the purpose of the collection of data, collection procedures, details of data collected and data usage, and the length of time that data is to be collected and kept. In addition, data owners must be informed of the usage, transfer, deletion, and disclosure of data to government officials, as required by law. If personal data is handled illegally and used improperly, the company and the data committee are subject to legal penalties. Any individual whose data rights are violated will also be compensated under the law.
Mr. Wichai stated, “This Act is very sensitive. In the initial stage, to ensure its effectiveness, investing in technology is required, as well as hiring personnel with legal, IT, and data management knowledge. Therefore, it is not an easy task for those with no experience or expertise in this area. In the beginning, it is crucial to have knowledgeable people to assist in the operational process, as this is a new law in Thailand. To mitigate risks and limit damages that might occur and to reduce the complexity of procedures, companies are advised to consult experts on this particular matter.”
Mr. Wichai also said that Mazars in Thailand has experience providing legal services related to Europe’s General Data Protection Regulation 2016/679 (“GDPR”), the EU law on personal data protection and privacy, which also addresses the transfer of personal data outside the EU and European Economic Area. Mazars is one of the world’s leading legal service providers, as well as financial and accounting advisors, with its headquarters in France.
The aim of the GDPR is to protect the privacy of EU citizens. Thus, the GDPR must be followed to protect the personal data of Europeans residing and working in Thailand. Particularly when transferring data between Thailand and EU countries as part of e-commerce, advertising, and digital marketing, the issue of personal data security is an important one.
Mr. Wichai observed, “While the PDPA has been enforced with the guideline of the GDPR in the EU for a few years, something like it is new for Asian countries, including Thailand. Therefore, it is essential to choose a consulting firm that has experience and expertise in personal data protection, such as Mazars, which has offices in more than 90 countries around the world and nearly 2,000 clients worldwide. Its customers include more than 30% of the companies listed on the French stock exchange and more than 140 companies in China. The company also serves more than 50,000 private and family businesses, including individual customers, start-ups, and established multinationals.”
For more information, please see our publication at https://www.mazars.co.th/Home/Insights/Doing-Business-in-Thailand/Legal/Personal-Data-Protection-Act-Published or visit our website at www.mazars.co.th