Thailand: Physical Location/Residency of Data Subject in Jurisdiction
The factor of Physical Location/Residency of the Data Subject is explicitly used in Thailand's Personal Data Protection Act (PDPA) to determine the law's applicability. The PDPA applies to the processing of personal data of individuals who are physically present in Thailand, even if the data controller or processor is located outside the country.
Text of Relevant Provisions
PDPA, B.E. Sec.5(2):
"In the event that a Data Controller or a Data Processor is outside the Kingdom of Thailand, this Act shall apply to the collection, use, or disclosure of Personal Data of data subjects who are in the Kingdom of Thailand, where the activities of such Data Controller or Data Processor are the following activities: (1) the offering of goods or services to the data subjects who are in the Kingdom of Thailand, irrespective of whether the payment is made by the data subject; (2) the monitoring of the data subject’s behavior, where the behavior takes place in the Kingdom of Thailand."
Original (Thai):
"ในกรณีที่ผู้ควบคุมข้อมูลส่วนบุคคลหรือผู้ประมวลผลข้อมูลส่วนบุคคลอยู่ภายนอกราชอาณาจักร พระราชบัญญัตินี้ให้ใช้บังคับกับการเก็บรวบรวม ใช้ หรือเปิดเผยข้อมูลส่วนบุคคลของเจ้าของข้อมูลที่ อยู่ในราชอาณาจักร ทั้งนี้ กิจกรรมของผู้ควบคุมข้อมูลส่วนบุคคลหรือผู้ประมวลผลข้อมูลส่วนบุคคลเป็นกิจกรรมดังต่อไปนี้: (1) การเสนอขายสินค้าหรือบริการแก่เจ้าของข้อมูล ที่อยู่ในราชอาณาจักร ไม่ว่าจะมีการชำระเงินโดยเจ้าของข้อมูลหรือไม่ก็ตาม; (2) การติดตามพฤติกรรมของเจ้าของข้อมูล ที่เกิดขึ้นในราชอาณาจักร."
Analysis of Provisions
- PDPA Section 5(2) establishes that the law applies to the processing of personal data of individuals who are physically present in Thailand, even when the data controller or processor operates outside Thailand. This provision is critical for ensuring that foreign entities engaged in certain activities that impact data subjects in Thailand are subject to Thai data protection laws.
- The law specifically identifies two key activities that trigger its applicability:
  - Offering of goods or services: The PDPA applies if a foreign entity offers goods or services to individuals in Thailand, regardless of whether payment is involved. This ensures that Thai residents' data is protected even when engaging with foreign businesses, such as online retailers or service providers.
  - Monitoring of behavior: The PDPA also applies when foreign entities monitor the behavior of individuals in Thailand. This is particularly relevant for activities like online tracking, behavioral advertising, or profiling, which may involve collecting and analyzing data on Thai residents.
- By incorporating this factor, the Thai PDPA aligns with global trends in data protection, such as those seen in the GDPR, where the focus is on the location of the data subject rather than the location of the data controller or processor. This approach is designed to protect the privacy rights of individuals within Thailand’s jurisdiction, regardless of where the processing entity is based.
Implications
- For businesses, this means that any entity, regardless of its location, that targets Thai residents with goods or services or monitors their behavior while they are in Thailand must comply with the PDPA. This includes ensuring that it has appropriate legal grounds for processing personal data, implementing data protection measures, and respecting the rights of data subjects under the Thai PDPA.
- An example of this would be a foreign e-commerce platform that sells products to consumers in Thailand. Even though the platform is based outside of Thailand, it must adhere to the PDPA when processing the personal data of Thai consumers.
- Companies involved in activities such as online advertising or analytics that monitor the behavior of individuals in Thailand must also consider the PDPA's requirements. Failure to comply could result in penalties or other regulatory actions from Thai authorities.