If an employer collects employees’ personal information, the employer must comply with the Personal Data Protection Act (PDPA).
Thailand’s PDPA, which was enacted earlier this year, contains significant new requirements for employers that collect employees’ (called “data subjects” in the PDPA) personal information. Most sections of the PDPA will become effective on May 27, 2020, so employers should be aware of their duties and liabilities.
Important PDPA requirements that relate to employers include the following:
- Employees’ personal information can be collected only to the limited extent necessary for the employer’s lawful purpose.
- Employers cannot collect employees’ personal information from any source apart from the employees themselves.
- Employers must prevent employees’ personal information from being disclosed, lost, or altered.
- Employers must delete employees’ personal information after a certain time period.
- Employers must receive consent from employees to collect, use, or disclose the employees’ personal information.
- Employers must inform a special government-run Personal Data Committee if an employees’ personal information is leaked.
Employers who violate the PDPA could face civil or criminal liability, as well as administrative fines, depending on the claim and breach.
If an offender is found to be civilly liable (e.g. an employee sues the employer for damages arising from a breach of the PDPA), the court can order the offender to pay punitive damages capped at twice the actual damages.
The PDPA also contains criminal liability for certain offences. Penalties are set at a maximum of six months’ imprisonment, a fine of up to THB 1 million (approximately EUR 30,000), or both. If the offender is a corporate entity, and the offence is committed because of an order or act by a director, manager, or any associated persons responsible for the act, those individuals would face criminal liability and be subject to the above penalties. Moreover, a person who has a duty to order or perform any act but fails to carry out his or her duty, resulting in the company committing an offence, is also criminally liable and subject to the above penalties.
Companies can also face administrative fines for violation of the PDPA, which range from THB 500,000 to THB 5 million (approximately EUR 15,000 to EUR 150,000).
If an employer collects, uses, or discloses employees’ personal information, then the employer should be aware of the PDPA’s requirements. Otherwise, the employer can face criminal, civil, or administrative penalties.