Thailand
Summary
Law: Personal Data Protection Act 2019 (PDPA)
Regulator: Personal Data Protection Committee (PDPC)
Summary: The Personal Data Protection Act 2019 (PDPA) is the first consolidated legislation providing general data protection within Thailand and entered into effect on June 1, 2022. The PDPA is based on the GDPR and contains many similar provisions, although they differ in areas such as anonymization. More specifically, the PDPA introduces obligations for data controllers and data processors including lawful grounds of data collection, use, and disclosure, restrictions on data transfers to foreign countries, and requirements for breach notification, as well as rights for data subjects.
In addition, four secondary laws accompany the PDPA (each available only in Thai): the Appropriate Security Measures Law, which covers the requirements for the personal data controller to maintain appropriate security measures; the Criteria for ROPA, which covers the criteria and methods for organizing, making, and keeping records of processing activities; the Exemption from ROPA, which covers the exemption from the requirement of organizing, making, and keeping records of processing activities for small and medium-sized enterprises; and the Administrative Fines Law, which covers the criteria for issuing administrative fines and orders of the expert committee. The Appropriate Security Measures Law, the Exemption from ROPA, and the Administrative Fines Law became effective as of June 21, 2022, whereas the Criteria for ROPA became effective on December 17, 2022. On January 14, 2023, the Royal Decree determining organizations that are exempt from the data controller's obligations under the PDPA (only available in Thai) will also enter into force.
The Personal Data Protection Committee (PDPC) holds advisory and enforcement powers under the PDPA. The PDPC has released various guidelines and notifications, covering topics such as consent, personal data breach notifications, and data protection officer appointment.