If an employer collects employees’ personal information, the employer must comply with the Thailand Personal Data Protection Act (PDPA).
Thailand’s PDPA, which was enacted earlier this year, contains significant new requirements for employers that collect employees’ (called “data subjects” in the PDPA) personal information. Most sections of the PDPA will become effective on May 27, 2020, so employers should be aware of their duties and liabilities.
Important PDPA requirements that relate to employers include the following:
- Employees’ personal information can be collected only to the limited extent necessary for the employer’s lawful purpose.
- Employers cannot collect employees’ personal information from any source apart from the employees themselves.
- Employers must prevent employees’ personal information from being disclosed, lost, or altered.
- Employers must delete employees’ personal information after a certain time period.
- Employers must receive consent from employees to collect, use, or disclose the employees’ personal information.
- Employers must inform a special government-run Personal Data Committee if an employees’ personal information is leaked.
- Employers who violate the PDPA could face civil or criminal liability, as well as administrative fines, depending on the claim and breach.