Get Ready! The PDPA Guidelines That Every HR Professional Should Be Aware Of

Personal data is data that can identify a person. It includes information such as a person’s name, surname, address, ID number, phone number, email, educational background, photos, and financial information.

For businesses and organizations, data collected through direct and indirect methods helps them analyze target customers and improve products or services to satisfy customer needs. Organizations collect data on both customers and employees.

Rapid technological advancement creates many new communication channels, which in turn lead to personal data infringement and privacy breaches. As a result, data subjects are exposed to harm, and the country’s economy suffers from such actions.

A law is necessary to protect personal data, which led to the legislation of the PDPA, or Personal Data Protection Act, B.E. 2562. The act imposes rules, procedures, and regulatory measures to protect personal data held by organizations in both the public and private sectors, and ensures the rights of the data subject.

In line with these standards, the act also provides for a remedy for the data subject appropriate to each case. Although the act has been passed into law, the PDPA, or Personal Data Protection Act, comes into effect on 1 June 2022 rather than in 2021.

The COVID-19 pandemic, with new cases arising each day, is the reason for the postponement: its negative impact on society and the economy has obstructed the preparation of personal data protection procedures under the act.

When Does PDPA Come Into Play in Organizations?

The PDPA, or Personal Data Protection Act, affects all organizations. Both entrepreneurs and the Human Resources department must adapt to it. The latter is responsible for collecting the personal information of current employees, applicants, and former employees.

Examples of Data that HR Encounters

● The name, surname, address, and other contact information of employees and executives in business units.

● The resume or CV (Curriculum Vitae) of the applicants that the organization or HR has received.

● Employment records of former employees (resigned, transferred, or laid off) that remain in the database. This data allows other organizations to make inquiries about a specific employee.

● Contact information of lecturers invited to train employees.

In the future, larger businesses may hire advisors, experts, or management service providers to help organize all information structures according to the PDPA while strengthening security. Such businesses should set aside an adequate budget for the adjustment.

Smaller businesses, such as startups, SMEs, and newly founded companies, on the other hand, may lack the necessary budget. Their entrepreneurs, executives, and HR staff must nevertheless be aware of the PDPA and perform all tasks in accordance with it.

With PDPA, What Becomes a Consideration for HR?

All HR personnel should bear in mind that the personal data in their possession is protected by the PDPA and, where data is transferred to or from international organizations, also by the GDPR and other data protection laws.

For this reason, there must be a written policy governing data collection, use, and disclosure. HR personnel can adapt the following example operating guidelines, which follow the Personal Data Protection Act.

● When collecting personal data, HR personnel must obtain the consent of the data subject. Whether it is a resume or a personal profile, the data must come from the data subject themselves. The person must also be notified of how long the data will be retained, especially when a job application is unsuccessful, and the retention period must not exceed the period specified in the organization’s data processing policy.

● HR personnel should not ask for the applicant’s ID card, whether the original or a copy, until the screening process is complete and the applicant has been officially employed.

● Retain the resumes and personal profiles of unsuccessful applicants only for a short time, and then destroy them by a secure method.

● Forwarding an applicant’s data to be assessed for a different position likewise requires consent. HR personnel must therefore state this policy in the recruitment announcement. Under the PDPA, an explicit consent statement is required; otherwise, a separate consent form must be used.

● HR personnel should create data retention and data destruction policies for the data of resigned or discharged employees.

● If it is necessary to verify and monitor employees’ email activity on computers or mobile devices, the data subject should be notified, along with the reasons for the monitoring.

7 Things for Entrepreneurs to Prepare When Adjusting to the PDPA

With the act’s requirements in mind, here are suggestions for preparing for the PDPA.

1) Perform a thorough study of the information and relevant roles according to the act.

2) Organize documents and the various forms as checklists for internal use, together with the consent form or procedure for gathering personal data.

3) Impose the regulations according to the PDPA within the organization and create countermeasures against personal data breaches.

4) Search for systems and programs to assist in secure personal data storage while allowing ease of access, following the PDPA.

5) Provide necessary knowledge of PDPA and personal data to all personnel for better understanding and correct usage.

6) Revise the organization’s various terms and policies to reflect the changes in data handling, for transparency.

7) Assign responsibility to HR personnel or others for starting operations in accordance with the act.

Employees and Privacy

HR personnel and others involved should handle employees’ personal data with care. The rights that apply vary depending on the contract; in each case, the organization informs the employee about data retention and allows the employee to make requests regarding it.

● Consent to store photos, ID numbers, and passports

● Consent to access data regarding various medical treatments

● Allow consent withdrawal

● Delete, destroy, or anonymize the data

● Object to the collection, use, or disclosure of employees’ personal data

● Restrict the use of employees’ personal data

● Correct the employees’ personal data

● Allow inquiries about and copies of the personal data, and permit disclosure of the data’s origin

● Allow complaint submission to the Personal Data Protection Committee if the data controller or data processor violates or ignores the PDPA

Dealing with Resigned and Laid-Off Employees and Applicants as HR

Where HR personnel or the organization still hold data about a resigned or laid-off employee or an applicant, there must be comprehensive security measures to prevent data theft and leakage, which would breach the consent agreement with the data subject.

The measures should also cover the case where the data subject has revoked consent, addressing data retention, the duration of retention, and effective data destruction once that duration is reached. Without such measures, the penalties of imprisonment and fines prescribed by the act will follow.

Notes Before Putting Them into Practice

With all that said, HR personnel require the data subject’s consent when processing the data of employees (whether current, resigned, or laid off) and applicants, in accordance with the act.

Defining the scope of consent is necessary when collecting photos, ID numbers, and passports, and when accessing medical treatment information such as social security or sick leave records. The data subject can thereby protect their data within their rights.

Whatever the circumstances, using the data requires the consent of the data subject. The person can give or deny consent and must be made aware of the purpose of the data and the retention period.

Whether or not consent has been withdrawn, if HR personnel or the organization violate the agreement or use the data for purposes other than those specified, they must stop using or retaining the data. This includes any unlawful use of personal data beyond the initial agreement.

Violating the PDPA Is an Offence Subject to Punishment

Civil liability: compensation to the data subject based on the damage incurred

Criminal penalty: imprisonment of up to one year or a fine of up to one million baht, or both

Administrative penalty: a fine of up to five million baht, with the penalty divided between the controller and the processor, plus other administrative penalties.

To avoid financial loss or imprisonment, HR personnel must have operational guidelines that comply with the Personal Data Protection Act, B.E. 2562. Since HR personnel hold the highest authority over the personal information of personnel at all levels, it is imperative to plan and execute in advance for the utmost accuracy and clarity.

#PDPA #PersonalData #PersonalDataProtectionLaw #GDPR #PrivacyRights
