Understanding the Personal Data Protection Act (PDPA) in Thailand
The Personal Data Protection Act (PDPA) has been implemented in Thailand to protect the personal data of individuals. Here are some key aspects of the PDPA that you should know.
Data Breach Notifications
The PDPA requires Data Controllers to notify the Regulator in the event of a suspected personal data breach. The following guidelines apply:
- If there is reasonable ground to believe that a personal data breach has occurred, the Data Controller must notify the Regulator without undue delay, and where feasible, within 72 hours.
- If the breach has a high risk of affecting individual rights and freedoms, the Data Controller must notify the affected data subjects and inform them of the remedial measures taken.
Enforcement
The PDPA has come into force in Thailand. Key statistics on its enforcement:
- There have been approximately 354 complaints and 382 reports of data breaches submitted to the Regulator.
- Administrative orders have been issued, but details are not publicly available.
- Penalties under the PDPA include civil, criminal, and administrative fines, with a maximum fine of THB 5,000,000.
Exemptions
Some authorities in Thailand are exempt from certain obligations under the PDPA. These exemptions apply to:
- The National Anti-Corruption Commission
- Department of Revenue
- Customs Department
- Excise Department
Even though these Data Controllers are exempt, they must still provide security measures prescribed by the Regulator to ensure that exemptions do not unreasonably affect personal data protection principles.
Other Provisions
The PDPA also includes other key provisions:
- The Act requires Data Controllers to implement an opt-out function for direct marketing, whether electronic or not.
- General rules of the PDPA apply to online privacy.