Dr. Roland Amoussou (Ph.D)

Partner and team leader



The Thailand Personal Data Protection Act

Why Join

This seminar’s objective is to create awareness among the ........................

What will the seminar cover

This seminar will cover....

Learning Outcome

By the end of the training, you will have a sound understanding of the..........

Our Speaker

Dr. Roland Amoussou

Discounted Package

If you would like to take advantage of our discounted package, please select the option in your booking form. If you would prefer to request an invoice for tickets for this training day, please email info@aitnbangkok@in.th letting us know:
  • The number of attendees
  • Attendee(s) names and emails
  • Your organisation address

  • Personal Data Protection Act, B.E. 2562 (2019)
  • Prepared by the Ministry of Digital Economy and Society.
  • Published in the Royal Gazette on 27 May 2019.
  • Reflecting global trends in personal data protection (e.g. EU GDPR).
  • One-year grace period for enforcement – effective from 27 May 2020.


The reach and liabilities of the Personal Data Protection Act

Earlier this year, Thailand enacted its Personal Data Protection Act (PDPA), which was published in the Government Gazette on 27 May 2019. Most parts of the PDPA will become effective one year after this, on 27 May 2020. As the PDPA will have broad impact across multiple aspects of most businesses—including their human resources operations—lawmakers provided this one-year period for those affected to prepare for compliance with the PDPA.

While the definitions and mechanics of the law in relation to HR operations were covered in a previous Human Resource Watch column (29 April 2019), this article will take a closer look at the civil, criminal, and administrative penalties applicable in the event of non-compliance with the PDPA.

It is important for employers to understand that these liabilities apply to them even if they outsource their company’s HR work. Some employers mistakenly believe that if they turn over their HR functions to an HR service provider, the employer will have no liability under the PDPA. In fact, even if HR functions are outsourced, the employer will still carry the same liabilities under the PDPA if the HR service provider breaches the PDPA.

For instance, if an employer assigns an outsourced provider to manage the payment of wages and the calculation of social security deductions, where the provider must collect, use or disclose the personal information of employees, both the employer and the HR service provider will be acting in roles defined by the PDPA. In this scenario, the employer would be considered a ‘data controller’, while the HR service provider would be considered a ‘data processor’. Therefore, both the employer and the HR service provider will have potential liability under the PDPA.

If the employer or HR service provider violates a PDPA provision, such as selling employees’ personal information to a financial institution or other third party without the employees’ consent, the employer as data controller would not only be liable for paying compensation to the employees who own the personal information, but could also face criminal penalties and administrative liability under the PDPA. In addition, the HR service provider, as a data processor, could face civil liability.

The PDPA provides for three types of potential liability for violation of its provisions:

  1. Civil liability

     Employers or HR service providers who are found to have violated the PDPA must pay compensation to the employees who own the personal information and who suffered damages from the violation, regardless of whether the violation was committed intentionally or negligently, except where the offender can prove that the damages were caused by force majeure or by the employees’ own actions. In addition, offenders who can prove that the violation resulted from their compliance with an order of a government officer exercising his or her duties under the law will not be liable. The compensation includes all necessary expenses associated with actual or likely damages, whether for purposes of prevention or mitigation.

     In addition, the court is entitled to award punitive civil damages of up to two times the amount of actual damages.

     The prescription period for claiming compensation under the PDPA is three years from the date on which the employees who own the personal information became aware of the violation and the identity of the offenders, or ten years from the date on which the violation involving the personal data took place.

  2. Criminal liability

     If an employer as data controller violates the PDPA by using or disclosing personal information without consent in a manner that is likely to cause the other person to suffer damages, impair his or her reputation, or otherwise cause harm, the offender will face imprisonment of up to six months, a fine of up to Baht 500,000, or both.

     In addition, if the offender uses or discloses personal information in order to obtain unlawful benefits (or to secure such benefits for others), the criminal penalties the offender will face include imprisonment of up to one year, a fine of up to Baht 1 million, or both.

     The criminal offence under the PDPA is a compoundable offence, which means that it can be settled by negotiation and agreement between the parties before a court issues a final judgment.

     Where the offender is a juristic person and the offence occurs as a result of the order or act of any director, manager, or other person in a position of responsibility, those persons will also be liable for the relevant penalties. Likewise, these persons can be penalized for an omission (failing to give an instruction or to act) that results in the commission of the offence by the juristic person.

  3. Administrative liability

     The PDPA also imposes administrative liability on any offender in the form of an administrative fine of between Baht 500,000 and Baht 5 million, depending on the nature of the violation. The PDPA establishes an expert committee with the authority to order offenders to pay an administrative fine, to issue an order for rectification, or to issue a warning to the offender. In determining whether to impose an administrative fine, the expert committee will consider the severity of the circumstances of the offence, the size of the business of the data controller (e.g., an employer) or data processor (e.g., an HR service provider or HR department), and other circumstances.

It is possible that specific classes of data controller could be exempted from the application of all or part of the provisions of the PDPA (in addition to the excepted activities, on which see the previous article on this topic). However, such exemptions would have to be made by royal decree.

As it stands now, though, exceptions for classes of person have not been promulgated, and employers should not expect that they will be automatically exempt from PDPA compliance. Recent news from Europe of companies being heavily fined for violations of the EU’s General Data Protection Regulation (on which much of the PDPA is based) underlines the dangers of continuing to neglect the protection of personal data. With Thailand only months away from joining the EU and other jurisdictions around the world in implementing a robust data protection regime, businesses must ensure the compliance of all of their operations—including in-house or outsourced HR functions—to avoid such costly penalties.

Source: Bangkok Post (published 3 Sep 2019 at 16:20)