PDPA Course (Personal Data Protection Act) EP.7: Rights of Business Operators Who Must Comply with the PDPA

Aj. NesT the Series
27 Apr 2023 05:21

Summary

TLDR: This video provides a comprehensive overview of the duties and responsibilities of Data Controllers under the Personal Data Protection Act (PDPA). It explains the importance of obtaining consent before collecting, using, or disclosing personal information, conducting risk assessments, implementing data security measures, and preventing unauthorized access or breaches. Key topics include personal data retention and deletion, breach notification protocols, and the appointment of internal representatives to ensure compliance. The video emphasizes the need for proper documentation, transparency, and coordination with the Personal Data Protection Committee, guiding companies to safeguard personal information while adhering to legal requirements.

Takeaways

  • 📌 Data Controllers must obtain consent from individuals before collecting, using, or disclosing their personal data.
  • 🛡️ Companies must conduct personal data risk assessments to identify and mitigate potential privacy risks.
  • 🔒 A personal data security policy should be established to protect against unauthorized access, hacking, or data breaches.
  • 💻 Security measures must be updated regularly to adapt to changes in technology and prevent data misuse.
  • ⚠️ Unauthorized disclosure or use of personal data must be prevented, and proper monitoring systems should be in place.
  • 🗑️ Personal data that is expired or irrelevant, or for which consent has been withdrawn, must be deleted or destroyed appropriately.
  • ⏱️ In case of a personal data breach, the organization must notify the relevant authority within 72 hours and inform affected individuals.
  • 📖 Data Controllers must maintain records of data collection, usage, disclosure, and related security measures, either in books or electronic systems.
  • 👥 Organizations must appoint a Personal Data Protection Officer (PDPO) or internal representative to oversee compliance and provide guidance.
  • ⚖️ The PDPO’s duties include advising the Data Controller, monitoring data practices, cooperating with the Protection Committee, and safeguarding personal data.
  • 🇹🇭 For companies in Thailand, the appointed representative must reside in the country and be authorized to act on behalf of the Data Controller.
  • 📋 Individuals have rights to access their data, be informed of collection purposes, and object to or deny certain data processing activities.

Q & A

  • What is the main role of a Data Controller under the PDPA?

    - The Data Controller is responsible for collecting, using, and disclosing personal data in compliance with the Personal Data Protection Act (PDPA), ensuring data security, and protecting the rights of data owners.

  • When must a company obtain consent from a data owner?

    - Consent must be obtained before collecting, using, or disclosing personal data. If the individual is of legal age, they can sign themselves; otherwise, consent must be obtained from their guardian or parent.

  • What is a personal data risk assessment and why is it required?

    - A personal data risk assessment identifies potential risks related to the collection, use, and storage of personal data. It is required to prevent unauthorized access, data breaches, and misuse of personal information.

  • What should a company include in its personal data security or privacy policy?

    - The policy should include measures to prevent hacking, unauthorized access, use, disclosure, modification, or destruction of personal data, and it should be reviewed regularly, especially when technology changes.

  • How should a company handle personal data that is no longer needed or for which consent has been withdrawn?

    - The company must delete or securely destroy personal data that has expired or is irrelevant, or for which the data owner has withdrawn consent.

  • What actions must a company take in the event of a personal data breach?

    - The company must notify the regulatory office within 72 hours of becoming aware of the breach, assess the risk to individuals' rights and freedoms, and inform the affected data owners along with guidance on remedies.

  • What records must a Data Controller maintain regarding personal data?

    - Records should include the purpose of data collection, collection period, methods of access, responses to requests or objections, and the security measures implemented.

  • Who must be appointed within a company to oversee PDPA compliance?

    - A company must appoint a Personal Data Protection Officer (PDPO) or an internal representative who resides in Thailand and is authorized to act on behalf of the Data Controller.

  • What are the main duties of a Personal Data Protection Officer (PDPO)?

    - The PDPO advises the Data Controller and employees, monitors data collection and usage, ensures compliance with PDPA, cooperates with the Personal Data Protection Committee (PDPC), and addresses any data protection issues that arise.

  • Why is consent and proper handling of personal data emphasized with practical examples like employee vacations?

    - These examples illustrate the need to ensure that personal data is only used for its intended purpose, with proper consent, and highlight the practical application of PDPA in everyday company operations.

  • How often should data security measures be reviewed?

    - Data security measures should be reviewed regularly and whenever there are changes in technology to ensure they remain effective against new risks.
