How to manage PDPA in Odoo?
PDPA compared to GDPR
When talking about PDPA we have to mention GDPR. Even more so, most people will not be familiar with the term PDPA, but will be familiar with the term GDPR. In short, PDPA is the Thai version of what GDPR is to the European Union. An act on a national level to protect the personal data and privacy of its citizens. In this article we will delve deeper into the meaning of this act, its content, what it means for businesses, compliance and how Odoo is set up to handle PDPA.
What is GDPR?
GDPR or General Data Protection Regulation, is a European Union law that controls how organizations within and outside the EU handle the personal data of EU residents.
It went into effect on May 25, 2018, and aims to give individuals more control over their personal data. GDPR applies even if an organization is not based in the EU, as long as they collect or process the personal data of EU citizens or offer goods/services to them. GDPR is used as an example and reference worldwide for the implementation of similar laws in other countries. GDPR is strongly enforced with the strong possibility of high fines if the company is not compliant.
What is PDPA?
PDPA or the Personal Data Protection Act in Thailand. It's the country's first law to govern data protection, aiming to prevent the misuse of personal data. The PDPA became fully enforceable in June 2022. It applies to all organizations that collect, use, or disclose personal data in Thailand or of Thai residents, regardless of where they are located.
What is Personal Data?
- Any information which identifies an alive person, directly or indirectly
- Examples: name, address, email address, phone number, passport/ID card number
- Sensitive personal data – e.g. racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal records, health data, genetics/ biological data, etc
- Possibly: combination of internet device’s technical data, e.g. IP address, browser details, language and time zone settings, location data, cookie ID
PDPA is strongly enforced and violations to the PDPA can result in fines of up to 5,000,000 Baht or imprisonment of up to one year.
What is compliance?
Compliance related to PDPA means adhering to the rules and regulations of the act in question. A company has to carefully make sure they are aware of the full scope of the laws and regulations of the Personal Data Protection Act in Thailand and then apply those rules and regulations to their business operations.
Examples of this are:
Transparency:
- Companies clearly explain how they collect, use, and share personal data, including through easy-to-understand privacy policies and consent forms.
Consent:
- Individuals have the right to give informed, explicit consent for the processing of their data, and companies must ensure that consent can be easily withdrawn.
Data Minimization:
- Companies only collect and process data that is necessary for the stated purpose and limit retention to the period required.
Security:
- Companies implement appropriate technical and organizational measures to ensure data security, confidentiality, and integrity.
Data Subject Rights:
- Companies provide individuals with rights to access their data, request correction or erasure, and restrict processing.
Data Breach Notification:
- Companies have procedures in place to notify individuals and relevant authorities about data breaches within 72 hours.
Data Protection Impact Assessments (DPIAs):
- Companies conduct DPIAs to assess the risks of data processing, particularly when handling sensitive data or large-scale processing.
Data Protection Officer (DPO):
- Companies with specific requirements, such as processing large amounts of personal data, may need to appoint a DPO.
Data Controller:
- Person authorized to make decisions on the collection, use, and disclosure of Personal Data
Training:
- Companies provide regular training to employees on PDPA principles and their responsibilities.
Data Mapping:
- Companies conduct data mapping to identify and manage the data they collect and process.
Consent Management:
- Companies utilize consent management tools to obtain and manage consent in accordance with PDPA requirements.
Privacy Policies:
- Companies have clear, concise, and accessible privacy policies that outline data processing practices.
Cookie Policies:
- Companies provide cookie policies that describe the types of cookies used, their purposes, and how to manage cookie preferences.
Contractual Agreements:
- Companies establish contractual agreements with third-party vendors that handle personal data on their behalf.
Incident Response Plans:
- Companies develop and maintain incident response plans to address data breaches or security incidents.
Regular Audits:
- Companies conduct regular audits to ensure ongoing compliance with PDPA requirements.
How Odoo Helps Your Organization Stay Compliant with PDPA:
While Odoo cannot single-handedly guarantee full PDPA compliance (as it applies to your entire organization's data practices, not just within Odoo), it centralizes data, minimizes redundancy, and offers robust access rights and security controls, making it a powerful tool for compliance.
Here's how Odoo can assist:
1. Enabling Data Subject Rights:
- Right to Access and Data Portability: Odoo's customer portal allows users to access and update their personal information (addresses, invoices, orders, subscriptions, etc.) in a self-service manner. For full data export, Odoo allows you to export records and related documents in PDPA-compliant formats like CSV or Excel, accessible from contact forms or list views.
- Right to be Forgotten: Odoo helps manage data erasure requests. If a request is legitimate and no legal obligation requires keeping the data, you can attempt to delete the contact. If direct deletion is blocked due to linked business documents, Odoo supports anonymization by renaming contacts or re-assigning documents to a generic "Anonymous" contact.
- Restriction of Processing and Consent Withdrawal: Odoo allows users to self-manage mailing list subscriptions through unsubscribe links. You can also manually mark contacts as "opt-out" to exclude them from mass mailings while still allowing direct messages.
- Right to Rectification and Data Accuracy: Odoo's email integration handles bounced emails, allowing you to identify and clean up inaccurate contact information. Users can also correct their personal data (name, email, address) through the Odoo portal.
2. Managing Consent (Art. 7 PDPA):
- When collecting personal data through Odoo's forms (e.g., contact form, mailing-list subscription, event registrations), you must establish a clear purpose and legal basis for processing.
- For purposes where data processing is necessary for a contract (e.g., event participants), explicit consent may not be strictly required, but transparency is key. You can use Odoo's website builder to add clear mentions to your forms and link to your Privacy Policy.
- For other purposes (e.g., marketing), Odoo allows you to add checkboxes to forms using Odoo Studio to obtain explicit consent for each specific purpose. These consent fields can then be used to segment marketing campaigns.
3. Implementing Privacy by Design & Security Measures (Art. 25 & 32 PDPA):
- Access Control: Odoo's group-based access control allows you to restrict access to personal data based on user roles and needs (e.g., HR personnel only accessing employee sensitive data). You can fine-tune access using "Record Rules" to restrict read/write operations based on specific criteria.
- Password Security: Odoo stores user passwords with industry-standard secure hashing. It also supports external authentication systems (OAuth 2.0, LDAP) to avoid storing passwords directly.
- Employee Data Protection: Sensitive employee data (e.g., private information, contracts) is typically restricted to HR personnel via dedicated user groups.
- Security of Processing: For Odoo Online or Odoo.sh users, Odoo implements security and privacy best practices at all levels, including secure backups, data encryption (in transit and at rest), and regular updates. For on-premise Odoo deployments, you are responsible for implementing security best practices, with Odoo providing recommendations in its documentation.
- Audit Trails: Odoo maintains detailed logs of user activity, which can be crucial for demonstrating compliance and identifying suspicious activity.
In summary, Odoo provides a robust framework and numerous built-in features that significantly contribute to your organization's ability to comply with PDPA by facilitating data subject rights, managing consent, and ensuring strong data security and privacy measures. Remember to consult legal counsel for precise guidance on your specific compliance obligations.
Personal Data Protection Act, B.E. 2562 (2019) Entered into effect on May 28, 2019. Click
