Introduction
The Thai Personal Data Protection Act (PDPA) and the European General Data Protection Regulation (GDPR), although they originate in different regulatory and cultural contexts, share the common goal of protecting individuals' rights over their personal data. They also differ in significant ways that reflect the specificities of their respective legal and social systems.
Similarities
- Fundamental principles: Both regulations are based on fundamental principles such as lawfulness, fairness and transparency of data processing.
- Data subjects' rights: Both the PDPA and the GDPR recognise a number of data subjects' rights, including the rights of access, rectification, erasure and data portability.
- Obligations of data controllers: Both impose a number of obligations on data controllers, such as the appointment of a data protection officer (DPO) in certain cases, data protection impact assessments, security measures and breach notification.
- International transfers: Both regulations regulate data transfers to third countries, imposing appropriate data protection safeguards.
Differences
- Scope: The GDPR applies to any processing of personal data in the context of an establishment in the EU and, for controllers and processors outside the EU, to processing of EU data subjects' data that targets them (offering goods or services, or monitoring their behaviour). The PDPA is centred on processing in Thailand, with an extraterritorial provision of similar design for foreign controllers and processors that offer goods or services to, or monitor, data subjects in Thailand.
- Definitions: Key concepts such as 'personal data' and 'processing' are defined slightly differently in the two laws, so a data inventory built against one should be re-checked against the other's definitions.
- Consent: The two laws set different form and content requirements for consent. The PDPA requires consent to be given explicitly, in writing or electronically unless that is impossible by its nature, and presented clearly and separately from other matters; the GDPR requires consent to be freely given, specific, informed and unambiguous, with explicit consent for special categories of data.
- Sanctions: GDPR administrative fines can reach €20 million or 4% of annual worldwide turnover, whichever is higher, which makes them generally more severe than PDPA penalties, especially for large companies. The PDPA combines administrative fines of up to THB 5 million with criminal penalties for certain offences.
- Supervisory authorities: The structures and competences of supervisory authorities differ significantly between the EU and Thailand.
Summary table
| Feature | PDPA | GDPR |
|---|---|---|
| Scope of application | Processing in Thailand, plus foreign controllers and processors targeting data subjects in Thailand | Processing by EU establishments, plus foreign controllers and processors targeting data subjects in the EU |
| DPO | Mandatory for some categories of controller and processor | Mandatory for some categories of controller and processor |
| Impact assessment | Mandatory in some cases | Mandatory (DPIA) for high-risk processing |
| International transfers | Rules similar to the GDPR: adequacy of the destination or appropriate safeguards | Detailed and flexible rules: adequacy decisions, standard contractual clauses, binding corporate rules |
| Sanctions | Administrative fines (up to THB 5 million), orders restricting processing, criminal liability for certain offences | Administrative fines up to €20 million or 4% of worldwide turnover, processing bans; criminal penalties left to member states |
| Supervisory authority | Personal Data Protection Committee (PDPC) | National data protection authorities, coordinated by the European Data Protection Board |
Implications for businesses
Companies operating in both Thailand and the EU must adopt an integrated approach to ensure compliance with both regulations. This requires:
- Mapping data flows: identifying all personal data processing involved in the company's operations, including transfers between the two jurisdictions.
- Risk assessment: assessing the risk of a data breach, carrying out impact assessments where either law requires them, and taking appropriate security measures.
- Documentation: maintaining accurate records of all processing activities, legal bases and consents.
- Staff training: making employees aware of the data protection obligations that apply to their work.
- Continuous monitoring: following the evolution of the legislation and of supervisory authority guidance, and adapting procedures accordingly.
Conclusions
The PDPA and GDPR represent two fundamental pillars of data protection at a global level. Although they have some differences, they share the common goal of protecting the rights of individuals. Companies operating in an international context must be able to navigate this complex regulatory landscape and take appropriate measures to ensure compliance with both regulations.
© 365TRUST – ALL RIGHTS RESERVED