
PDPA Services

Cloudsec Asia’s PDPA Service covers an extensive range of activities:

  1. TRAINING : Online training and PDPA preparation workshops for organizations.

  2. RISK ASSESSMENT : Analysis of the organization’s system security and risks, with recommended remediation of the vulnerabilities found, for future data safety.

  3. CONSENT MANAGEMENT : Consulting on obtaining direct and indirect user consent, including mentoring on the management of the related documents and software for consent management.

  4. DATA PROTECTION : Network, data and endpoint security solutions, together with internal data management consulting, to prevent future attacks.

  5. INCIDENT RESPONSE (IR) : 24×7 security monitoring and support by experts, with additional log recording (1 TB max/day) according to PDPA requirements, and digital forensics in the event of an attack.

PDPA (PERSONAL DATA PROTECTION ACT)

PDPA (Personal Data Protection Act) is Thailand’s law governing personal data protection and privacy, which all organizations are obliged to follow. Cloudsec Asia can lead you through every step and requirement, from staff training and vulnerability assessment to consent management, data security and incident response.

Personal Data – refers to data or information that can identify an individual, or can be linked to that person, and includes direct and indirect personal data as well as sensitive personal data.

DIRECT PERSONAL DATA

  • Name-surname
  • ID card number
  • Passport number
  • Driver’s license number
  • Address, email, phone number
  • Device details such as IP address or MAC address
  • Biometric information such as fingerprint, face, iris

SENSITIVE PERSONAL DATA

  • Medical or health-related records
  • Genetic and biometric information
  • Political opinion
  • Belief and religion
  • Gender and sexual preference
  • Criminal record

** According to this Act, information about legal entities and about the deceased is not personal data.

PERSONS INVOLVED IN PERSONAL DATA

DATA SUBJECT

Individuals that own the data, or their authorized representatives, who have the right to consent to the use of the information, request the details of that consent, modify the information, and withdraw consent at any time.

DATA PROCESSOR

Individuals or entities that collect, use, publish or disclose personal information on the instructions of the data controller.

DATA CONTROLLER

Individuals or entities who have the authority to collect, transmit, control and disclose personal information, with the duty to preserve and protect it, to destroy it when required, and to report any breach of personal information within 72 hours.

DATA PROTECTION OFFICER (DPO)

A person or entity assigned by the Data Controller, with the duty to advise on and establish a policy for the use and protection of personal information, and to coordinate with external agencies in case of problems concerning the use of personal information.

PERSONAL DATA PROTECTION ACT PENALTIES

1. Civil penalties require the offender to pay compensation to the owner of the data; punitive damages of 2 times the actual amount of damage may be awarded.

2. Criminal penalties are divided into imprisonment and fines. The committee or persons responsible for the operations of the company are liable to both: up to 1 year of imprisonment, a fine of up to 1 million baht, or both.

3. Administrative penalties are monetary fines ranging from 1 million baht to 5 million baht.

CLOUDSEC ASIA PDPA SERVICE PACKAGES

Let Cloudsec Asia prepare your organization and your website for smooth PDPA compliance.

PDPA STARTER PACK

  • World-class online training service in Thai
  • System Vulnerability Assessment Service (vulnerability scanning), with a vulnerability scan report for your website
  • Consent Management Document Form Service for organization internal use and external use
  • Log record service from security devices and corporate servers, up to 1 GB/day for 90 days

PDPA STANDARD PACK

  • World-class online training service in Thai
  • System Vulnerability Assessment Service (vulnerability scanning), with a vulnerability scan report for your website
  • Consent Management Document Form Service for organization internal use and external use
  • Log record service from security devices and corporate servers, up to 1 GB/day for 90 days
  • Network security administration for 1 device
  • Endpoint security administration for 50 devices
  • Free Endpoint Security with DLP service for the internal organization, up to 30 devices
  • Additional Security Gateway and Network Segmentation service, starting at 3,000 Baht
  • 1-month free trial

PDPA GOLD PACK

  • World-class online training service in Thai
  • Operational training services and functionality testing against PDPA requirements
  • System Vulnerability Assessment Service (vulnerability scanning), with a vulnerability scan report for your website
  • PDPA compliance operations and regulatory check service
  • PDPA process requirements consulting service
  • Consent Management Document Form Service for organization internal use and external use
  • Cookie Consent generating service for websites
  • Network security administration for 2 devices
  • Endpoint security administration for 100 devices
  • Endpoint Security with XDR + DLP service for the internal organization, up to 100 devices
  • Log record service from security devices and corporate servers, up to 5 GB/day for 365 days
  • Issue alert and analysis service
  • Incident Response in case of an issue, 4 times/year
  • Additional Security Gateway and Network Segmentation service, starting at 3,000 Baht
  • 1-month free trial

PDPA PLATINUM PACK

  • World-class online training service in Thai
  • Operational training services and functionality testing against PDPA requirements
  • System Vulnerability Assessment Service (vulnerability scanning), with a vulnerability scan report for your website
  • Data classification consulting service
  • PDPA compliance operations and regulatory check service
  • PDPA process requirements consulting service
  • Red Teaming service with recommendations
  • Consent Management Document Form Service for organization internal use and external use
  • Cookie Consent generating service for websites
  • Data usage consent process service, with consent management software for automatic revocation of consent to personal data usage
  • Network security administration for 5 devices
  • Endpoint security administration for 500 devices
  • Endpoint Security with XDR + DLP service for the internal organization, up to 500 devices
  • Data encryption tools installation and key management
  • Data access management service with data masking
  • Log record service from security devices and corporate servers, up to 10 GB/day for 365 days
  • Issue alert and analysis service
  • Generation and provision of a security information and IT system usage dashboard
  • Incident Response in case of an issue, 12 times/year
  • Additional Security Gateway and Network Segmentation service, starting at 3,000 Baht
  • 1-month free trial

FAQ

Who requires a privacy policy?

Every business or website that collects, uses or discloses users’ personal information.

Examples of businesses that require a Privacy Policy:

  • Any business that collects customer or user information, whether name, email address or phone number, to offer products, services or marketing.
  • Websites that collect login information via email or social network accounts.
  • Online selling businesses that collect payment information.

What are the consequences for businesses that collect and process personal data without a privacy policy?

According to the PDPA (Personal Data Protection Act), any business that collects or processes personal data must create a Privacy Policy. Otherwise an offense under the PDPA may occur, with the following penalties:

The civil penalty: compensation for actual damages, not exceeding twice the amount of the actual damages.
The criminal punishment: the offender shall be punished with imprisonment not exceeding 1 year or a fine not exceeding 1 million Baht, or both.

How is the PDPA different from the Spam Control Act?

The PDPA and the Spam Control Act (SCA) operate jointly but cover different areas.

The SCA regulates the sending of unsolicited commercial electronic messages (electronic mail, text and multimedia messaging sent to instant messaging identifiers) in bulk. Among other requirements, the SCA requires organisations to:

  • provide an unsubscribe facility within the spam message; and
  • include a header in the subject field of the message, or as the first words in a message with no subject field.

The PDPA regulates the sending of specified messages to Singapore telephone numbers (Do Not Call Provisions), and the collection, use and disclosure of individuals’ personal data (Data Protection Provisions).

Can an organisation collect, use or disclose publicly available personal data for any purpose?

While an organisation may not need to obtain consent for the collection, use or disclosure of personal data that is publicly available, it may still have to comply with all other obligations under the PDPA.

In particular, the PDPA provides that an organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances. In this regard, the circumstances would need to be taken into account in determining whether the purpose is appropriate.

Given that publicly available personal data is already made available to the public, the PDPC recognises that for the purposes of the PDPA, it would not be practical nor useful to unduly limit the purposes for which such data can be collected, used or disclosed, unless it is for clearly unreasonable purposes, for example, the purpose is in violation of a law or would be harmful to the individual concerned.

In any case, organisations should note that their collection, use or disclosure of personal data from publicly available sources may be bound by terms and conditions imposed and enforceable by the data source.

Does a business that operates between businesses, without selling products or services to the general public (Business to Business, or B2B), need to follow the Personal Data Protection Act B.E. 2562 (PDPA)?

Yes. Such a business is considered a data controller because it collects the personal data of its employees. B2B businesses also collect contact information of their own employees and of business partners’ employees, which is considered personal data.