Most of the operators in the petroleum or oil and gas industries are large international companies that correspond and coordinate with their parent companies or contractors, subcontractors, suppliers or vendors who are based around the globe. In addition, such petroleum or oil and gas operators may employ a significant number of employees, and therefore, they may need to collect, use or disclose personal data relating to their contracting parties, or their employees, in their business operations.
Thailand announced the Personal Data Protection Act (“PDPA”) in the Government Gazette on 27 May 2019, which relates to operators who need to collect personal data. The PDPA prescribes the duties and responsibilities of a natural or juristic person who has the power and duty to make decisions regarding the collection, use or disclosure of personal data (“Data Controller”), and a natural or juristic person who undertakes the collection, use or disclosure of personal data pursuant to the orders given by the Data Controller (“Data Processor”). The Data Controller and the Data Processor can collect, use or disclose personal data based on the conditions stipulated under this Act. For example, a Data Controller must obtain consent from the Data Subject prior to, or at the time of, such collection, use or disclosure. Moreover, such consent must be explicitly provided in writing or via electronic means. However, the consent requirement can be exempted if the collection of personal data is to prevent a danger to a person’s life, body or health, or for the public interest, or for the legitimate interests of the Data Controller.
In addition, the PDPA also prescribes the rights of the Data Subject, such as: (i) the right to access and obtain a copy of the personal data that is related to themselves; (ii) the right to request a Data Controller to transfer the personal data to other Data Controllers; (iii) the right to object to the collection, use or disclosure of the personal data; and (iv) the right to ask the Data Controller to erase or destroy the personal data or to anonymize the personal data.
In addition to the abovementioned principles, the PDPA prescribes that a Data Controller who wishes to send or transfer personal data overseas must ensure that the destination country receiving such personal data has adequate data protection standards. The Data Controller must also ensure that the usage of the personal data is carried out in accordance with the rules for the protection of personal data, as prescribed by the Personal Data Protection Committee.
A Data Controller or Data Processor located in the Kingdom of Thailand will have to provide a personal data protection policy related to overseas transfers of personal data to another Data Controller or Data Processor located overseas, and show they are affiliated, or within the same group of companies, in order to jointly operate the business or the group’s undertakings. If such overseas transfer of personal data policy has been reviewed and approved by the Office of the Personal Data Protection Committee, the personal data transfer in accordance with that policy can be carried out and will be exempt from the requirements that will be prescribed by the Personal Data Protection Committee. Therefore, operators in petroleum or oil and gas industries, who collect personal data (as Data Controllers) and who wish to transfer personal data to their parent companies or contracting companies abroad, must comply with these principles.
A Data Controller who uses or discloses personal data without the consent of the Data Subject, or who sends or transfers personal data to a foreign country without ensuring adequate data protection standards, is liable to be punished with imprisonment for a term ranging from six months to one year and a fine of THB 500,000 to THB 1,000,000.
With respect to other violations, the criminal liabilities vary in accordance with the type of offenses. With respect to civil liability, the Data Controller and the Data Processor will be required to pay punitive damages of up to twice the amount of the actual compensation, depending on the discretion of the court. In addition, a Data Controller may be punished with administrative fines ranging from THB 500,000 to THB 5,000,000 depending on the type of violation under the PDPA. For a juristic person, if the offender is a director, manager or other person responsible for such violations, the juristic person will also be subject to punishment.
In conclusion, only Chapter 1 (Personal Data Protection Committee) and Chapter 4 (Office of the Personal Data Protection Committee) of the PDPA came into effect on 28 May 2019. The provisions of the other chapters, such as those on the collection, disclosure and use of personal data, and the duties of the Data Controller or the rights of the Data Subject, will come into effect in May 2020. Therefore, operators have a period of one year to adjust or amend their internal rules or policies, and correct their practices to be in compliance with the PDPA in order to avoid any violations.
This article first appeared in the April 2019 edition of PTIT Focus, the Petroleum Institute of Thailand’s monthly newsletter. The article was published in both English and Thai. For the original publication, please see the PDF below.