
Relevant Key Differences Between European GDPR and Thai PDPA: A Comprehensive Comparison
Control over a person’s data is becoming ever more commercialized, especially since large volumes of data are required for training artificial intelligence. At the same time, the growing importance of personal data protection has led various countries to enact laws safeguarding the rights of individuals regarding their data. Two significant regulations in this domain are the European General Data Protection Regulation (GDPR) and the Thai Personal Data Protection Act (PDPA). Although the PDPA is largely influenced by the GDPR, there are key distinctions that companies and individuals must understand to ensure compliance in both regions.
Below, we explore the major differences between GDPR and PDPA, touching on scope, legal basis, penalties, and more.
- Scope and Applicability
The GDPR has a broad territorial scope. It applies to any entity processing the personal data of individuals residing in the European Union, regardless of the entity’s location. This means that even non-EU organizations must comply if they offer goods or services to, or monitor, EU residents.
Similarly, the Thai PDPA extends its jurisdiction beyond Thai borders if an organization processes the data of individuals in Thailand. However, its application is more centered on local businesses. The PDPA also emphasizes domestic compliance, giving local organizations more explicit guidelines for how they should handle personal data within Thailand.
- Legal Basis for Data Processing
Under GDPR, there are six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public interest, and legitimate interests. “Legitimate interests” can be broadly interpreted, although organizations must balance these interests against the rights of individuals.
The PDPA’s lawful bases for data processing mirror those of the GDPR but emphasize the role of explicit consent. In Thailand, companies are encouraged to prioritize consent when collecting and processing personal data, particularly sensitive data. The interpretation of “legitimate interests” under PDPA is somewhat narrower compared to GDPR, leaning more towards individual consent.
- Consent Requirements
GDPR requires that consent must be “freely given, specific, informed, and unambiguous.” It should involve a clear affirmative action, and individuals have the right to withdraw consent easily at any time.
The PDPA takes a similar approach, requiring explicit consent for the collection of personal and sensitive data. However, PDPA also focuses on ensuring that the consent request uses clear and understandable language. There’s also an emphasis on the specific, defined purpose for which the data is being collected, often using more formal wording compared to GDPR.
- Data Subject Rights
GDPR grants individuals several data rights: the right to access, rectify, and erase their data (the right to be forgotten), to restrict processing, to data portability, and to object to processing. These rights are central to GDPR’s framework for empowering individuals.
PDPA offers comparable rights but has some notable differences. The right to data portability, for example, is not as clearly defined as under GDPR. The right to erasure also exists but with exceptions that align with Thai regulations, which sometimes provide more room for data controllers to deny erasure requests.
- Data Breach Notification
GDPR mandates that data controllers report data breaches to supervisory authorities within 72 hours if the breach is likely to result in a risk to the rights and freedoms of individuals. Additionally, if the risk is significant, data subjects must be informed promptly.
PDPA similarly requires that data breaches be reported to the Thai data protection authority within 72 hours. However, PDPA is less stringent about informing affected individuals, allowing for more discretion based on the perceived level of risk.
- Data Protection Officer (DPO) Requirements
GDPR mandates appointing a Data Protection Officer (DPO) for public authorities, for organizations engaged in large-scale processing of sensitive data, and for those conducting regular monitoring of individuals. The DPO must operate independently and report directly to top management.
PDPA also requires a DPO for organizations that process a significant amount of sensitive data. However, the requirements are more lenient compared to GDPR, making it easier for smaller businesses in Thailand to comply.
- Penalties for Non-Compliance
Non-compliance with GDPR can lead to substantial fines—up to €20 million or 4% of the company’s global annual turnover, whichever is higher. These fines are designed to ensure compliance, even among the largest organizations.
Under PDPA, penalties are generally lower but still significant, with administrative fines of up to THB 5 million (approximately €140,000). There are also criminal penalties, including possible imprisonment, which adds a different layer of enforcement compared to GDPR. The PDPA’s penalties are significant enough to deter non-compliance but take into account the economic context of Thailand.
- Supervisory Authority Structure
GDPR features a decentralized structure, with each EU member state having its own independent supervisory authority responsible for enforcement. These authorities cooperate on cross-border cases through mechanisms like the European Data Protection Board (EDPB).
PDPA enforcement falls under a centralized body, the Personal Data Protection Committee (PDPC). This single central authority oversees all data protection matters, creating a more unified approach compared to the GDPR’s multi-authority system.
- Local Cultural and Practical Considerations
GDPR applies uniformly across diverse EU cultures. Although member states have some flexibility, the regulation maintains a high standard of data protection for all individuals within the EU.
The PDPA is crafted to align with Thai cultural and business norms. It offers more flexibility to SMEs and takes into account the practicalities of local business practices, allowing for a gradual approach to enforcement and compliance.
Conclusion
The Thai PDPA and European GDPR have several commonalities as both aim to protect individuals’ personal data. However, the differences reflect the distinct regulatory, cultural, and business environments of the regions they govern. While GDPR is comprehensive, with stringent requirements and penalties, PDPA is more adaptable to the Thai context, focusing on flexibility and the realities of local businesses.
For companies operating globally, understanding these differences is crucial to ensure compliance in both jurisdictions. Tailoring data protection strategies to meet the stringent demands of GDPR and the nuanced requirements of PDPA can help businesses avoid costly penalties while gaining consumer trust in data privacy practices.
Legal Disclaimer
The information provided in this article is for general informational purposes only. While we have researched the content thoroughly and strived for accuracy and relevance, the data protection laws, including the GDPR and PDPA, are subject to change, and interpretations may vary. The content in this article does not constitute legal advice, and we recommend consulting with a qualified legal professional to address specific questions or ensure compliance based on your unique business needs.
We make no warranties about the completeness, reliability, or accuracy of the information presented. Any reliance you place on this information is strictly at your own risk. We are not liable for any loss or damage resulting from the use of this information or related materials.