Common PDPA Misconceptions That Put Organisations at Risk

Since its full enforcement on June 1, 2022, the Personal Data Protection Act B.E. 2562 (2019) (PDPA) has served as Thailand's primary legal framework for safeguarding individuals' rights and freedoms with respect to the privacy of their personal data. The Act imposes obligations on every party involved in data processing, including the collection, use or disclosure of personal data, to ensure that all such activities are carried out in accordance with established standards.

Despite numerous public and private sector organisations having been penalised by the regulatory authorities for non-compliance in recent years, many organisations in Thailand, acting as data controllers, continue to operate under certain misconceptions about the PDPA, which may expose them to significant legal liability and negative business impacts. This article therefore examines the three most common misconceptions about the PDPA.

1. Consent Is Always Required?

One of the most frequently encountered misconceptions is the belief that organisations must obtain consent prior to any collection of personal data, and that without consent the data cannot be collected or used under any circumstances.

In fact, consent is merely one of seven lawful bases under the PDPA that legitimize the processing of personal data. Additionally, consent is usually considered the last resort among the available lawful bases, given that if a data subject withholds or withdraws consent, the data controller will no longer be permitted to process such personal data any further. The other lawful bases that should be considered before resorting to consent are as follows:

  • Contract
  • Legal Obligation
  • Public Interest
  • Legitimate Interest
  • Vital Interests
  • Scientific or Research

Each of the above lawful bases carries equal legal weight, and the application of each basis is subject to its own distinct criteria and requirements. Relying on consent where another basis applies may therefore create an unnecessary burden, or cause misunderstandings about what subsequent data usage is permitted.

2. Contractors / Platform Service Providers Bear Full Responsibility in All Cases?

Another commonly encountered misconception is the belief that once an organisation engages the services of contractors or external platform service providers, all responsibility will be transferred to those service providers. In fact, responsibility remains with the organisation itself in its capacity as the data controller, given that it retains the authority to make decisions regarding data processing.

Therefore, in order to limit potential liability arising from personal data breaches, whether deliberate or accidental, organisations must ensure that their service providers or contractors (data processors) have adequate data security measures in place and are fully capable of complying with all applicable legal requirements.

In addition, entering into a Data Processing Agreement (DPA) with external service providers to define the terms and scope of the processing is considered an effective measure for setting out the responsibilities and obligations of both contractual parties. It should be noted that putting a DPA in place is also a legal obligation of the data controller under the PDPA.

3. Anonymisation or Removal of a Data Subject's Name Renders Data Non-Personal?

Some organisations may assume that if certain personal data elements are concealed or removed from a dataset, the remaining data will no longer be considered personal data. In fact, data that can still be linked to an individual remains personal data under the PDPA, even if the person's name does not appear. This is because an individual may still be identifiable through a combination of the remaining data elements (indirect identification), such as gender, age, workplace and similar attributes.

Therefore, to prevent re-identification of the data subject, data controllers must establish operational processes to ensure that the data can no longer be used to identify the data subject — whether directly or indirectly — and such anonymisation must be irreversible.
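As an added illustration of indirect identification (example code, not part of the original article), the following Python check counts how many records in a constructed staff dataset remain uniquely identifiable from gender, age and workplace once the name column is gone, and shows the effect of generalising exact ages into bands. The dataset, column names and helper names are assumptions made for the example.

```python
from collections import Counter

# Constructed sample of staff records with the name column already removed.
# gender, age and workplace remain and act as quasi-identifiers.
RECORDS = [
    {"gender": "F", "age": 34, "workplace": "Bangkok HQ", "role": "analyst"},
    {"gender": "F", "age": 36, "workplace": "Bangkok HQ", "role": "manager"},
    {"gender": "M", "age": 41, "workplace": "Bangkok HQ", "role": "analyst"},
    {"gender": "M", "age": 45, "workplace": "Bangkok HQ", "role": "engineer"},
    {"gender": "M", "age": 43, "workplace": "Chiang Mai", "role": "analyst"},
    {"gender": "M", "age": 48, "workplace": "Chiang Mai", "role": "manager"},
]
QUASI_IDENTIFIERS = ("gender", "age", "workplace")


def _key(record, quasi_identifiers):
    return tuple(record[q] for q in quasi_identifiers)


def k_anonymity(records, quasi_identifiers):
    """Size of the smallest group of records sharing the same quasi-identifier
    values. k == 1 means at least one person can be singled out without a name."""
    groups = Counter(_key(r, quasi_identifiers) for r in records)
    return min(groups.values())


def singled_out(records, quasi_identifiers):
    """Records whose quasi-identifier combination is unique in the dataset."""
    groups = Counter(_key(r, quasi_identifiers) for r in records)
    return [r for r in records if groups[_key(r, quasi_identifiers)] == 1]


def generalise_age(record, band=10):
    """Replace an exact age with a band such as '40-49'; the exact value is
    not kept anywhere, so the step cannot be reversed from the output."""
    low = (record["age"] // band) * band
    generalised = dict(record)
    generalised["age"] = f"{low}-{low + band - 1}"
    return generalised


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("uniquely identifiable:", len(singled_out(RECORDS, QUASI_IDENTIFIERS)))
    banded = [generalise_age(r) for r in RECORDS]
    print("banded k =", k_anonymity(banded, QUASI_IDENTIFIERS))
```

With names removed, every one of the six records is still unique on the remaining attributes (k = 1); banding the ages raises k to 2, which shows that the name was never the only identifier and that the check must be repeated whenever columns are added or the dataset is combined with another.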

A thorough understanding of the PDPA’s requirements and their proper implementation is a matter that every organisation should treat as a strategic priority. Robust compliance not only mitigates the risk of lawsuits and regulatory sanctions, but also enhances the organisation's reputation and builds trust among the public and customers — demonstrating that their personal data will be handled responsibly, securely, and in accordance with standards of protection.


Waranya Payantar
Lead Legal Technology Counselor
Pimpisa Saneevong Na Ayuthya
Legal Technology Counselor