Summary of PDPA laws that Entrepreneurs Should Know 企業家應該知道的個人資料保護法摘要 @ IBC泰國法律金融會計事務所International Business Consultancy

Summary of PDPA laws that Entrepreneurs Should Know

企業家應該知道的個人資料保護法摘要

Personal Data Protection Act (“PDPA”) is a law that aims to preserve personal information in order to prevent malicious people from infringing personal information and intimidating or seeking benefits either from the owner of the data himself or from the person in charge of the data. The Personal Data Protection Act B.E.2562 (2019) came into force on May 1, 2020 but only in some categories. Due to the impact of the Covid-19, the original enforcement has been postponed to May 31, 2021, and has been officially announced on June 1, 2022.

《個人資料保護法》(“PDPA”)是一項旨在保護個人資訊、防止惡意人員侵犯個人資訊，用於恐嚇或向數據所有者或數據負責人謀取利益的法律。佛曆2562年(2019)《個人資料保護法》於 2020 年 5 月 1 日生效，但僅限於某些類別。受Covid-19的影響，原執行時間推遲到2021年5月31日，並已於2022年6月1日正式宣布。

Penalties for non-compliance with PDPA

未遵守 PDPA 的處罰

The Data subject should consider carefully before providing his/her personal information each time to prevent the personal data from being used in unlawful ways. In addition, data controller must know the extent of access to the customer's personal information. A company should have a system to control or to verify the identity of access of information, and it is necessary to set corporate policies for those who are responsible for keeping or accessing customer personal information to comply with PDPA. Failure to comply with PDPA will be considered an offense under the following laws:

當事人應在每次提供個人資料之前仔細考慮，防止個人資料以非法方式使用。此外，數據控制者必須知道接觸客戶個資的範圍。公司應該有一個系統控製或驗證接觸客戶個人資料，並且有必要為負責保存或接觸客戶個資的人制定公司政策以遵守PDPA。未遵守PDPA將被視為犯下以下法律：

Civil penalties: for actual damages and may be subject to additional compensation up to a maximum of 2 times the actual damages;

民事處罰： 實際損害賠償，最高可達實際損害賠償額的2倍；

Criminal penalties: imprisonment for a maximum of 1 year or a fine of not more than 1 million baht, or both;

刑事處罰： 最高1年的監禁或不超過100萬泰銖的罰款、或兩者併罰；

Administrative penalties: a maximum fine of not more than 5 million baht;

行政處罰： 最高罰款不超過500萬泰銖；

Who will be deemed to be involved in personal data?

誰將被視為涉及個人資料？

Private and Government (individuals or juristic persons), including juristic persons established in foreign countries which collect, use, disclose and /or transfer the personal information of persons in Thailand, which can be divided into 4 parts as follows:

(自然人或法人)，包括收集、使用、披露和/或轉移在泰國的個人資料的在外國設立法人。可以分為以下4個部分：

Data Subject is the owner of the information;

當事人是資料的所有者；

Data Controller is an individual or juristic person who has the authority to make “decisions” regarding the collection, use, or disclosure of personal data;

數據控制者是有權 “決定”個人資料收集、使用或披露做出的個人或法人；

Data Processor is an individual or juristic person that processes the collection, use, or disclosure of personal data. “According to the order or on behalf of the Personal Data Controller”, the person or legal entity doing so must not be a controller of personal data;

“根據代表命令或代表個人資料控制者”，這麼做的個人或法人不得為個人資料的控制者；

Data Protection Officer is an officer of a government agency to check whether the operator has complied with the PDPA or not;

資料保護官是政府機構的官員，負責檢查運營商是否遵守 PDPA；

How can organizations use information legally?

組織如何合法 使用資訊？

For information that the company can use for various marketing activities that does not violate PDPA, it must be information that the owner of the information has already given consent to or be allowed to use it. Such information is prohibited from obtaining from other sources without the consent or permission of the data subject. The permission to use information from the data owner can be either being requested in written or online data collection, provided that the content about permission must be easy to read and understand clearly.[1]

公司可用於各種營銷活動且未違反 PDPA的資訊，必須是資訊所有者同意或允許使用的資訊。未經當事人同意或許可，嚴禁從其他來源獲取此資訊。向當事人請求使用資訊的許可，可以通過書面或線上資訊收集，前提是許可的內容必須易於閱讀和清楚地理解。

PDPA的資訊，必須是資訊所有者同意或允許使用的資訊。未經當事人同意或許可，嚴禁從其他來源獲取此資訊。向當事人請求使用資訊的許可，可以通過書面或線上資訊收集，前提是許可的內容必須易於閱讀和清楚地理解。

The exceptions to which the Company can disclose personal information of customers are as follows:[2]

公司可以披露客戶個資的例外如下：

Obtain consent of the owner of the personal data;

徵得個人資料所有者的同意；

Prepare historical documents or archives for the public benefit research studies or statistical preparation;

為公益性研究或統計編制準備歷史文獻或檔案；

Prevent or suppress danger to life, body, or health of a person;

防止或抑制對人的生命、身體或健康的危險；

Necessary to perform a law or contract;

為履行法律或合約所必需；

Necessary for the legitimate interests of the personal data controller or of another person;

為個人資料控制者或他人合法利益所必需；

Necessary for the public interest and the performance of duties in the exercise of state power;

為公共利益和行使國家權力履行職責所必需；

The existence of the Personal Data Protection Act B.E.2562 (2019) is to protect the right for the unauthorized use of personal data and to prevent exploitation from the misuse of the information. The data owner or the data controller should know the details of PDPA. This Act is intended for the benefit and security of personal information for businesses to be more respectful of the use of customer information in order to prevent misuse or exploitation of customer's personal information.

佛曆2562年(2019)《個人資料保護法》的存在在於保護未經授權使用個人資訊的權利並防止濫用資訊。當事人或數據控制者應了解PDPA詳細資訊。該法案旨在保護個人資訊的利益和安全，讓企業更加尊重使用客戶資訊，防止濫用或利用客戶的個人資訊。

IBC International Business Consultancy is a law, finance and accounting firm located in Bangkok, Thailand with experienced lawyers, accountants, and financial advisers. We provide services including investment, tax and legal advice in Thailand. Should you have any questions, please do not hesitate to contact us via Line: @ibcfirm for further information.

IBC泰國法律金融會計事務所 (International Business Consultancy) 為一間位於曼谷的泰國法律金融會計事務所，由經驗豐富的律師、會計師、及財務顧問組成，可提供泰國投資、泰國稅收及泰國法律諮詢等服務。如果有什麼問題，可以隨時通過Line: @ibcfirm與我們聯繫。