Thailand

Summary

Law: Personal Data Protection Act 2019 (PDPA)

Regulator: Personal Data Protection Committee (PDPC)

Summary: The Personal Data Protection Act 2019 (PDPA) is the first consolidated legislation providing general data protection within Thailand and entered into effect on June 1, 2022. The PDPA is based on the GDPR and contains many similar provisions, although they differ in areas such as anonymization. More specifically, the PDPA introduces obligations for data controllers and data processors including lawful grounds of data collection, use, and disclosure, restrictions on data transfers to foreign countries, and requirements for breach notification, as well as rights for data subjects.

In addition, four secondary laws accompany the PDPA which cover the requirements to maintain appropriate security measures for the personal data controller (only available in Thai) (the Appropriate Security Measures Law), the criteria and methods for organising, making, and keeping records of processing activities (only available in Thai) (the Criteria for ROPA), the exemption from the requirement of organizing, making, and keeping records of processing activities for small and medium-sized enterprises (only available in Thai) (the Exemption from ROPA), and the criteria for issuing administrative fines and orders of the expert committee (only available in Thai) (the Administrative Fines Law). The Appropriate Security Measures Law, the Exemption from ROPA, and the Administrative Fines Law became effective as of June 21, 2022, whereas the Criteria for ROPA became effective on December 17, 2022. On January 14, 2023, the Royal Decree determining organizations that are exempt from data controller's obligations under the PDPA (only available in Thai) will also enter into force.

The Personal Data Protection Committee (PDPC) is tasked with advisory and enforcement powers under the PDPA. The PDPC has released various guidelines and notifications, covering topics such as consent, personal data breach notifications, and data protection officer appointment.

Insights

Thailand has made significant strides in establishing a robust framework for data privacy and data protection. The Personal Data Protection Act 2019 (PDPA) came into full effect as of June 1, 2022, following two enforcement suspensions. The PDPA is Thailand's first comprehensive law covering private sector entities. Before the PDPA, data protection regulations were limited to specific sectors in Thailand, such as government agencies handling personal data and telecommunications, as well as the National Credit Bureau. However, the PDPA now requires these sectors to continue complying with both their existing applicable regulations and the PDPA.

Since the PDPA came into full effect, various sub-legislations have been gradually issued by Thailand's regulatory body under the PDPA, namely the Personal Data Protection Committee (PDPC). This marks a critical development in the country's legal landscape. However, although the PDPA aims to protect individuals' personal data and, at the same time, balance the needs of businesses, certain areas remain unaddressed by sub-legislations and official guidelines are lacking, making it challenging for businesses to fully comply with the PDPA.

Furthermore, as globalization reshapes the business landscape, multinational organizations must navigate a complex web of legal and regulatory frameworks, especially as data protection and privacy continue to evolve in Thailand. Standards under the PDPA that govern vendor relationships are one of the key considerations businesses should carefully review, given the increasing reliance on third-party vendors for data processing. In this Insight article, Chanakarn Boonyasith, Pitchabsorn Whangruammit, and Pattaranun Hanwongpaiboon, from Nishimura & Asahi, provide an overview of vendor privacy contracts in Thailand, highlight key legal requirements, and outline important considerations for multinational organizations operating in Thailand.

In this Insight article, Kritiyanee Buranatrevedhya and Phatrajarin Tanjaturon, from Baker & McKenzie Limited Attorneys at Law, introduce Thailand's National Science and Technology Development Agency (NSTDA) Ethical Guidelines for artificial intelligence (the Guideline), announced in March 2022, a framework designed to promote responsible and ethical artificial intelligence (AI) practices.

The Personal Data Protection Act B.E. 2563 (A.D. 2019) of Thailand (PDPA), effective from June 1, 2022, is the key legislation of Thailand that provides comprehensive protection for personal data. Local and foreign entities that collect, use, or disclose personal data of data subjects in Thailand are subject to the PDPA. Cross-border data transfers are subject to stringent requirements under the provisions of the PDPA and the applicable rules issued under the PDPA. Multinational corporations (MNCs) are required to have in place adequate data protection measures for the purpose of their cross-border data transfer activities.

Kowit Somwaiya and Usa Ua-areetham, from LawPlus Ltd., provide an overview of the key considerations for MNCs when implementing cross-border data transfer mechanisms. The overview is focused on the key requirements for the Binding Corporate Rules (BCRs) and the Data Transfer Agreement (DTA) as set out in relevant notifications issued by the Personal Data Protection Committee (PDPC) under the PDPA, such as the implementing rules on the criteria for protecting personal data sent or transferred abroad according to Section 28 of the PDPA (PDPC rules).

The rapid ascent of artificial intelligence (AI) has paved the way for a new era of innovation and is reshaping our daily lives. The emergence of generative AI, a content-generating tool, is a recent example of how quickly these developments can take place. However, they increasingly challenge the applicability of current laws, demanding tailored regulations. Kritiyanee Buranatrevedhya and Burin Saekow, from Baker & McKenzie LLP, discuss the proposed updates to manage these changes.

In line with the intent of the law under the Electronic Transactions Act B.E. 2544 (2001) (ETA) to maintain financial and commercial security and strengthen the reliability and credibility of data message systems, the Royal Decree on Regulating the Digital Platforms which are Subject to Prior Notification B.E. 2565 (2022) (the Digital Platform Royal Decree) was enacted under the ETA. It was recently published in the Government Gazette on December 23, 2022. After a 240-day grace period, the Digital Platform Royal Decree will become fully effective on August 20, 2023.

Kritiyanee Buranatrevedhya and Thananya Chaikamonsuk, from Baker & McKenzie Limited Attorneys at Law, dissect the Digital Platform Royal Decree, with a particular focus on obligations of digital platform service operators.

The Personal Data Protection Act 2019 ('PDPA') came into full force and effect on 1 June 2022. It governs the processing (i.e. the collection, use, and disclosure) of personal data of data subjects residing in Thailand carried out by businesses, defined as persons or legal entities who are data controllers or data processors. The PDPA protects the rights of data subjects and recognises the need of businesses for processing personal data for appropriate and limited purposes.

Part one provides an overview of the key notification and consent requirements that businesses must meet to comply with the PDPA. Part two discusses the requirements set out in the PDPA in relation to data transfers and localisation. Part three explores the PDPA's provisions on vendor management, breach reporting, and legal liability. As part four of the Insight series on the operationalisation of the PDPA, Nopparat Lalitkomon and Thammapas Chanpanich, from Tilleke & Gibbins, give an overview of lawful bases for processing, sensitive personal data, and data-processing safeguards under the PDPA.

Part one provides an overview of the key notification and consent requirements that businesses must meet to comply with the PDPA. Part two discusses the requirements set out in the PDPA in relation to data transfers and localisation. As part three of the Insight series on the operationalisation of the PDPA, Dhiraphol Suwanprateep and Thananya Chaikamonsuk, from Baker & McKenzie Limited Attorneys at Law, explore the PDPA's provisions on vendor management, breach reporting, and legal liability. Part four gives an overview of lawful bases for processing, sensitive personal data, and data processing safeguards under the PDPA.

Part one provides an overview of the key notification and consent requirements that businesses must meet to comply with the PDPA. As part two of the Insight series on the operationalisation of the PDPA, Dhiraphol Suwanprateep and Thananya Chaikamonsuk, from Baker & McKenzie Limited Attorneys at Law, discuss the requirements set out in the PDPA in relation to data transfers and localisation. Part three explores the PDPA's provisions on vendor management, breach reporting, and legal liability. Part four gives an overview of lawful bases for processing, sensitive personal data, and data processing safeguards under the PDPA.

As part one of the Insight series on the operationalisation of the PDPA, Kowit Somwaiya and Usa Ua-areetham, from LawPlus Ltd., provide an overview of the key notification and consent requirements that businesses must meet to comply with the PDPA. Part two discusses the requirements set out in the PDPA in relation to data transfers and localisation. Part three explores the PDPA's provisions on vendor management, breach reporting, and legal liability. Part four gives an overview of lawful bases for processing, sensitive personal data, and data processing safeguards under the PDPA.