Thailand Personal Data Protection Act (PDPA)

The Act applies to the collection, use, and disclosure of personal data by data controllers or data processors in Thailand, even if the collection, use, and disclosure of personal data is conducted outside Thailand. If an enterprise outside Thailand provides goods or services to data subjects in Thailand (regardless of whether the business is completed), and monitors data subjects' behaviors in Thailand, the Thailand PDPA is also applicable to data controllers and processers outside Thailand.

Thailand’s PDPA defines two roles: data controller and data processor, and defines their obligations based on those two roles.

The obligations of a data controller include obtaining data subjects' consent, securely processing data, responding to data subjects' rights, recording processing activities, preventing unauthorized disclosure to, or use of data by third parties, deleting data, notifying data breaches, appointing a DPO, and appointing a local representative.

The obligations of a data processor include: complying with instructions, providing proof of compliance, secure data processing, data breach notification, appointing a DPO, and recording processing activities.

For details about each obligation, see Huawei Cloud Compliance with Thailand PDPA.

The personal data processed by Huawei Cloud mainly includes the personal data in your content data and the personal data that you provide when creating or managing your Huawei Cloud account. You have control over your content data. When processing personal data in content data, Huawei Cloud generally acts as a data processor. Huawei Cloud serves as the data controller when processing the personal data in your Huawei Cloud account.

Based on the characteristics of Huawei Cloud services and Thailand PDPA requirements, the data processor and data controller have different obligations. Huawei Cloud actively responds to and fulfills its obligations. Huawei Cloud has analyzed the obligations of the data controller and data processor and formulated responses to each obligation. For details, see Huawei Cloud Compliance with Thailand PDPA.

As a customer of cloud products and services, you have the right to choose how to use these products and services and how to store and process content data, including personal data. Therefore, you are responsible for content data security and compliance. In brief, you are responsible for content security. Your specific responsibilities are as follows:

• Content data protection: You must correctly and comprehensively identify personal data on the cloud, develop policies to protect personal data security and privacy, and take appropriate privacy protection measures. Specific measures include configuring security based on service and privacy protection requirements, such as operating system configuration, network configuration, security protection, and database encryption policies, and proper access control policies and password policies.

• Response to data owners' rights: You must protect the rights of data owners and respond to their requests. When a personal data breach occurs, you should take appropriate actions in compliance with laws and regulations, such as notifying regulatory authorities, notifying data owners, and taking mitigation measures.

If you are the data controller and Huawei Cloud assists in processing personal data in your content data, you may fall into the jurisdiction of Thailand’s PDPA. If you are under the jurisdiction of Thailand’s PDPA, you are to assume the privacy protection responsibilities required by it. According to the data controller obligations stipulated in the Act, Huawei Cloud lists your responsibilities as a data controller and the service support that Huawei Cloud can provide for you.

In addition, Huawei Cloud provides cloud products or services that can help you comply with Thailand’s PDPA and related regulations. The products and services include network products, database products, security products, and management and deployment tools. They provide functions such as data protection, data deletion, network isolation, and permission management to help you protect content data privacy. For more details about specific products or services as well as corresponding Thailand PDPA obligations, see Huawei Cloud Compliance with Thailand PDPA.