An update on The Personal Data Protection Act in Thailand 1

After numerous attempts over nearly two decades, Thailand’s Personal Data Protection Act was finally approved and endorsed by the National Legislative Assembly (NLA) on Feb 28. Drafted in an attempt to mimic the EU’s General Data Protection Regulation (GDPR), the act will be submitted for royal endorsement and subsequent publication in the Royal Gazette.

Scope of Obligations

Enforced to both Public and Private Sector
Shall be Principle law for Personal Protection
Except some activities
Extra territorial

Definitions

• Personal Data
means any private information, which is able to identify any person directly or indirectly.
– Refers to data about an individual who can be identify or identifiable from that data but not including data of the deceased
– Covers electronic & non-electronic data
– Not define Data Subject or Data Owner

• Data Controller
means any person or juristic person who has an authority to consider for collecting, using and disclosure of personal data.
– (Having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data)

• Data Processor
means any person or juristic person who operate any collect, uses and discloses of personal data process in related to the order of Personal Data Controller.
– (Under the instruction of or in the name of Data Controller)

Consent

shall be requested from data subject for the collection, use, or disclosure of personal data

Purpose Limitation

Collection of personal data may be made to the extent necessary under the lawful objective of personal data controller

Complaints

shall be submitted to the Expert committee

Entry into force

Coming into force 1 year after its publication except Committee and Office shall affect next day publication

Data obtained before the date of coming into force

Data controller can use personal data in accordance with the objectives already notified to the data subject prior to the enforcement of this Act, and must be defined method for cancel consent.

The PDPA does not cover

Any individual acting in a personal use or for his family activities

Limiting Collection, Use, Disclosure

– shall not collect personal data without the consent of the data subject
– provides exceptions for some cases where personal data can be collected without the consent of data subject
– shall inform the data subject of the period of retention of personal data
– shall not collect sensitive personal data or any other data as prescribed by the committee

Transfer/Crossborder Limitation

prescribes the rules on sending or transfer of personal data abroad

Data subject right

to rectify: can request their data be updated or made complete.
to forgot: right to withdraw his or her consent or delete or destroy the data when Data controller fails to comply with the rules under this Act.
to data portability: can request a copy of their data in digital format.

An update on The Personal Data Protection Act in Thailand 2