After numerous attempts over nearly two decades, Thailand’s Personal Data Protection Act was finally approved and endorsed by the National Legislative Assembly (NLA) on Feb 28. Drafted in an attempt to mimic the EU’s General Data Protection Regulation (GDPR), the act will be submitted for royal endorsement and subsequent publication in the Royal Gazette.
SCOPE OF OBLIGATIONS
Enforced to both Public and Private Sector
Shall be Principle law for Personal Protection
Except for some activities
means any private information, which is able to identify any person directly or indirectly.
– Refers to data about an individual who can be identify or identifiable from that data but not including data of the deceased
– Covers electronic & non-electronic data
– Not define Data Subject or Data Owner
means any person or juristic person who has an authority to consider for collecting, using and disclosure of personal data.
– (Having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data)
means any person or juristic person who operate any collect, uses and discloses of personal data process in related to the order of Personal Data Controller.
– (Under the instruction of or in the name of Data Controller)
shall be requested from the data subject for the collection, use, or disclosure of personal data
Collection of personal data may be made to the extent necessary under the lawful objective of personal data controller
shall be submitted to the Expert committee
Entry into force
Coming into force 1 year after its publication except Committee and Office shall affect next day publication
Data obtained before the date of coming into force
Data controller can use personal data in accordance with the objectives already notified to the data subject prior to the enforcement of this Act, and must be defined method for cancel consent.
The PDPA does not cover
Any individual acting in a personal use or for his family activities
Limiting Collection, Use, Disclosure
– shall not collect personal data without the consent of the data subject
– provides exceptions for some cases where personal data can be collected without the consent of data subject
– shall inform the data subject of the period of retention of personal data
– shall not collect sensitive personal data or any other data as prescribed by the committee
Transfer / Crossborder Limitation
prescribes the rules on sending or transfer of personal data abroad
Data subject right
To rectify: can request their data be updated or made complete.
To forgot: right to withdraw his or her consent or delete or destroy the data when Data controller fails to comply with the rules under this Act.
To data portability: can request a copy of their data in digital format.