Thai PDPA
Comply with the PDPA
The Personal Data Protection Act 2019 ('PDPA') is the first consolidated legislation providing general data protection within Thailand and was originally expected to come into full effect on 27 May 2020. This date, however, was postponed until 27 May 2021 due to the COVID-19 ('Coronavirus) pandemic. The PDPA is based on the GDPR and contains many similar provisions, although they differ in areas such as anonymisation. While the PDPC is provided for by the PDPA, which further requires the PDPC to draft and issue sub-regulations on data protection by 27 May 2021, the PDPC has yet to be established.
OneTrust DataGuidance's PDPA Portal provides you with the ability to track developments regarding PDPA and understand its obligations.
PDPA v. GDPR
OneTrust DataGuidance, in collaboration with Blumenthal Richter & Sumet, have produced a PDPA v. GDPR Report, which you can download here, and which assists organisations in understanding and comparing key provisions of the PDPA comparative to the GDPR. You can also leverage this information through our PDPA v. GDPR Comparison in the tab above.
Thailand Privacy Landscape Overview
Watch our Thailand Overview video to understand the state of privacy in Thailand today.
The Bank of Thailand ('BOT') announced, on 11 February 2022, that PayPal (Thailand) Limited ('PayPal Thailand') announced that it will temporarily suspend its services to individual customers during the transition of its services on 7 March 2022.
The Ministry of Digital Economy and Society ('MDES') announced, on 12 February 2022, that it had convened, on 10 February 2022, and held the first meeting of the Personal Data Protection Committee ('PDPC').
The Bank of Thailand ('BOT') announced, on 1 February 2022, its public consultation on its policy of digital economy and sustainable growth with a balance between supporting innovation and appropriate risk management.
OneTrust DataGuidance confirmed, on 25 January 2022, with Dhiraphol Suwanprateep and Thananya Chaikamonsuk, Partner and Associate at Baker McKenzie Ltd, that the Personal Data Protection Committee ('PDPC') was established on 11 January 2022, under the Notification of the Office of the Prime Minister, which was published in the Government Gazette
The Bank of Thailand ('BoT') announced, on 25 January 2022, its plans, together with the Office of the Securities and Exchange Commission ('SEC') and the Ministry of Finance, to introduce guidelines for the regulation of digital assets for their use as payment for goods and services.
The Ministry of Digital Economy and Society ('MDES') published, on 6 September 2021, its draft secondary laws under the Personal Data Protection Act 2019 ('PDPA'), following public hearings.
The Electronic Transaction Development Agency ('ETDA') announced, on 30 September 2021, revisions to its original standard on digital identity verification in order to be consistent with the usage context.
The Bank of Thailand ('BoT') issued, on 31 August 2021, a preparation for compliance with the Personal Data Protection Act 2019 ('PDPA') within an official letter to banks and financial institutions.
Bangkok Airways Public Company Limited issued a statement, on 26 August 2021, notifying on its website of a cybersecurity attack which resulted in unauthorised and unlawful access to its information system.
The Ministry of Digital Economy and Society ('MDES') announced, on 18 August 2021, the launch of the National Cyber Security Agency ('NCSA') under the Office of the National Cyber Security Commission.
The Bank of Thailand ('BOT') published, on 27 July 2021, its guidelines on blockchain technologies for financial services.
The Thai Bankers' Association ('the TBA') published, on 29 April 2021, its Guidelines on Personal Data Protection for Thai Banks, highlighting what banks should be aware of when considering privacy and data protection issues, and what steps are needed to comply with the upcoming legislation.
The Ministry of Economy, Trade, and Industry in Japan announced, on 28 June 2021, that it along with the Ministry of Industry of Thailand had signed a memorandum of cooperation ('MoC') to strengthen the smart system of industrial security in Thailand.
The Inter Partner Assistance ('IPA'), international partners of AXA UK Plc, confirmed, on 17 May 2021, that their information technology networks and operations in Malaysia, Thailand, Hong Kong, and Philippines were impacted by a ransomware attack.
The Royal Gazette of Thailand published, on 8 May 2021, the Decree postponing the enforcement date of the Personal Data Protection Act 2019 ('PDPA').
The Ministry of Digital Economy and Society ('MDES') announced, on 5 May 2021, that the Cabinet of Thailand had approved a draft decree which would further postpone the enforcement of the Personal Data Protection Act 2019 ('PDPA') until 1 June 2022.
Countries across the APAC region have been introducing comprehensive data protection laws and/or updating existing legislation to ensure personal data is protected in the digital era.
Recently, the Thai Bankers' Association has implemented its Guidelines on Personal Data Protection for Thai Banks ('the Guidelines') to support the operations of the banking sector in accordance with the Personal Data Protection Act 2019 ('PDPA').
As the global focus on data protection continues to increase, so too do the number of countries introducing comprehensive data protection laws or updating existing legislation to bring it in line with European data protection laws and ensure personal data is protected in the digital era.
PDPA v GDPR
GDPR Benchmark
This Chart aims at assisting organisations in understanding and comparing key provisions of the GDPR with relevant data protection law from around the globe. This Chart provides a comparison of the following key provisions:
- Scope
- Definitions and legal basis
- Rights
- Enforcement
Each topic includes relevant articles and sections from the law compared, a summary of the comparison, and a detailed analysis of the similarities and differences. The degree of similarity for each section can be identified using the key.
Scope Benchmark
- title
- Personal scope
- Territorial scope
- Material scope
Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Definitions and Legal Basis Benchmark
- title
- Personal data
- Pseudonymisation
- Controller and processor
- Children
- Research
- Legal Basis
Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Rights Benchmark
- title
- Right to deletion
- Right to be informed
- Right to object
- Right to access
- Right not to be subject to discrimination
- Right to data portability
Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Enforcement Benchmark
- title
- Monetary penalties
- Supervisory authority
- Civil remedies
Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in