The PDPA: Thailand’s First Leap into Nation-Wide Data Protectionputri
Thailand has joined together with other Asian countries such as South Korea and Japan with regard to data privacy. The Personal Data Protection Act (PDPA) of Thailand became effective on May 27, 2019, after being published in the Thai Government Gazette. It is the newest law regulating how businesses in Thailand must handle personal data related to Thai citizens.
The PDPA in general
Most of the PDPA is created based on the GDPR (General Data Protection Regulation). Therefore, there are some similarities between the two. For example, both rules have similar provisions regarding the legal basis of data processing, i.e., requiring approval, performance of contracts, legal obligations, legal interests, or vital interests as a legal basis.
In addition, the PDPA reflects the extraterritorial application of the GDPR. It then applies it to data controllers and data processors located outside of Thailand if they handle data subjects, sell products or services to data subjects in Thailand, or monitor the conduct of data subjects in Thailand.
The right to delete, be informed, reject, data portability, and the right of access are granted to data subjects under both the PDPA and the GDPR.
However, the PDPA and GDPR vary in significant ways. Unlike the GDPR, the PDPA does not apply to specific public agencies. In addition, the GDPR’s definition of “personal data” is significantly more comprehensive, since IP addresses and cookies are officially included. In the meantime, such information is not stated in the PDPA.
The effect of the PDPA on background screening practices
Due to the pandemic, the implementation of the PDPA was postponed to June 1, 2022, which has given organizations more time to prepare.
As a company that provides background screening services with regional coverage in several countries, Integrity Asia complies with data protection laws that apply globally and in every country, including Thailand’s PDPA.
The PDPA does not indicate the data retention terms in detail. However, data controllers must notify data owners how long their personal data will be stored.
In practice, we impose a one-year data retention term, but we also accommodate client requests. There are occasions when clients request the deletion of data less than a year following the end of a project.
In addition, we give a letter of permission for the applicant to sign before commencing the background check. The letter said that we, as data controllers, guarantee the security of the candidate’s personal data transfer. In addition, we also guarantee that the candidate’s personal data will only be used for the background check process, and that data will be stored for a period of time determined by the client policy.
Integrity Asia, a company that has two decades of expertise in compliance, is devoted to producing goods and services of the highest quality by offering the type and amount of service that best meets the needs of the client. Prisma, a screening tool that can be connected with our customers’ HR information systems, is used for our screening processes.
Contact us for more information about our background check services.