What is PDPA?
The Personal Data Protection Act B.E. 2562 (PDPA) is Thailand's data privacy law that establishes rules for the collection, use, and disclosure of personal data. It came into full effect on June 1, 2022, and includes civil, criminal, and administrative penalties for non-compliance.
This law directly applies to every organization using AI license plate recognition systems, as license plate data and photographs are information that can potentially be used to identify individuals.
Is License Plate Data Personal Data?
The short answer is "it can be," depending on the context of use.
Under the PDPA, "personal data" means information that can identify a natural person, whether directly or indirectly. A license plate number alone may not directly identify a person, but when combined with other data such as entry/exit times, driver photos, or database records linked to the vehicle owner, it can identify an individual.
Therefore, in practice, it is safest to treat all data from AI LPR systems as personal data and comply with the PDPA accordingly.
Applicable Legal Bases
AI LPR systems can rely on several legal bases for data collection, depending on the situation:
- Legitimate Interest: Maintaining premises security is considered a legitimate interest. Applicable to housing estates, condominiums, and office buildings.
- Contract: When residents or members agree to the juristic person's regulations that specify security systems.
- Legal Obligation: When government agencies are required to record data under other laws.
5 Practical Guidelines for PDPA-Compliant LPR Usage
Guideline 1: Post Clear Warning Signs
Install clearly visible signs before the camera point, stating that images and license plates are being recorded. State the purpose (security) and provide contact information for the responsible person. Signs should be large enough to read from inside a vehicle -- A3 size or larger is recommended.
Guideline 2: Prepare a Privacy Notice
Create a privacy notice detailing: what data is collected, the purpose of collection, how long it will be stored, who can access it, and how data subjects can exercise their rights. This should be published on the juristic person's website or posted at the management office.
Guideline 3: Set Data Retention Periods
Do not store data longer than necessary. Common practice is to retain images and logs for no more than 30-90 days, then auto-delete. Exceptions apply when data is needed as evidence in legal cases, which can be retained under the Legitimate Interest or Legal Obligation basis.
Guideline 4: Restrict Data Access
Clearly define who can access the data. Not everyone should have access. Only security personnel and the property manager should be able to view the system. Use individual username/password login credentials and maintain an audit log of who accessed what data and when.
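A minimal sketch of how Guidelines 3 and 4 can be enforced in the LPR data store, added here as an illustration and not taken from any particular LPR product. The table names, role names, usernames, plates and the 30-day value are assumptions; the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30                        # assumption: matches the sample sign text
AUTHORIZED_ROLES = {"security", "property_manager"}   # hypothetical role names

def init_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE lpr_events (plate TEXT, captured_at INTEGER, legal_hold INTEGER);
        CREATE TABLE audit_log (at TEXT, username TEXT, action TEXT, detail TEXT);
    """)
    return db

def audit(db, username, action, detail, now):
    # Who did what, and when: one row per access or maintenance action.
    db.execute("INSERT INTO audit_log VALUES (?,?,?,?)",
               (now.isoformat(), username, action, detail))
    db.commit()

def purge_expired(db, now):
    """Delete events older than the retention period unless flagged as evidence."""
    cutoff = int((now - timedelta(days=RETENTION_DAYS)).timestamp())
    n = db.execute("DELETE FROM lpr_events WHERE captured_at < ? AND legal_hold = 0",
                   (cutoff,)).rowcount
    audit(db, "retention-job", "purge", f"deleted={n}", now)
    return n

def search_plate(db, username, role, plate, now):
    """Role-gated lookup; denied attempts are audited too."""
    allowed = role in AUTHORIZED_ROLES
    audit(db, username, "search" if allowed else "search_denied", plate, now)
    if not allowed:
        raise PermissionError(f"{username} may not query LPR data")
    return db.execute("SELECT plate, captured_at FROM lpr_events WHERE plate = ?",
                      (plate,)).fetchall()

def demo():
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)       # constructed reference time
    db = init_db()
    for plate, age_days, hold in [("FRESH-0001", 5, 0), ("OLD-0002", 45, 0), ("HOLD-9012", 120, 1)]:
        ts = int((now - timedelta(days=age_days)).timestamp())
        db.execute("INSERT INTO lpr_events VALUES (?,?,?)", (plate, ts, hold))
    purged = purge_expired(db, now)
    search_plate(db, "guard01", "security", "HOLD-9012", now)
    try:
        search_plate(db, "resident7", "resident", "FRESH-0001", now)
        denied = False
    except PermissionError:
        denied = True
    remaining = [r[0] for r in db.execute("SELECT plate FROM lpr_events ORDER BY plate")]
    actions = [r[0] for r in db.execute("SELECT action FROM audit_log ORDER BY rowid")]
    return {"purged": purged, "remaining": remaining, "denied": denied, "actions": actions}
```

In a real deployment the purge would run on a schedule, and the audit table would be writable only by the application, not by the operators it records.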
Guideline 5: Support Data Subject Rights
Vehicle owners (data subjects) have the right to request access to their own data, request copies, or request deletion (where no other legal basis supports retention). You must have channels and processes to handle these requests, such as a request form, and respond within 30 days as required by law.
Sample Warning Sign Text
Data Recording Notice
This area uses an automated system to record images and vehicle license plate numbers for the purpose of community security. Data will be stored for no more than 30 days and access is restricted to authorized personnel only.
Data Controller: [Community Name] Juristic Person
Contact: [Phone Number] or [Email]
Penalties for Non-Compliance
Non-compliance with the PDPA carries penalties at 3 levels:
- Civil penalties: Compensation for actual damages, with the court able to award punitive damages up to 2 times the actual damages
- Criminal penalties: Imprisonment up to 1 year, fines up to 1 million THB, or both (in severe cases)
- Administrative penalties: Fines up to 5 million THB by the Expert Committee
Frequently Asked Questions
Do you need consent from every vehicle?
Not necessarily, if you rely on the Legitimate Interest basis for security purposes. However, you must have clear warning signs and a Privacy Notice. Using consent as the legal basis would be impractical since you cannot obtain it from every vehicle that passes through.
Who is the Data Controller for a housing estate?
The housing estate juristic person or condominium juristic person is the Data Controller. The company that installs and maintains the AI LPR system is the Data Processor. Both parties should execute a Data Processing Agreement (DPA) between them.
Can data be stored in the cloud?
Yes, but you must ensure the cloud provider has adequate security measures. If the cloud server is located overseas, you must ensure the destination country has adequate data protection standards or appropriate safeguards as required by the PDPA.
Conclusion
Using AI license plate recognition does not conflict with the PDPA when done correctly. The key requirements are: post warning signs, maintain a Privacy Notice, set data retention periods, restrict access, and support data subject rights. These 5 guidelines allow you to use AI LPR systems with confidence and full legal compliance, while also demonstrating accountability to residents and users.
Disclaimer: This article provides general educational information and does not constitute legal advice. Please consult a legal professional for your specific situation.