Law: Personal Data Protection Act 2019 ('PDPA')
Regulator: Personal Data Protection Committee ('PDPC')
Summary: The PDPA is the first consolidated legislation providing general data protection within Thailand and entered into effect on 1 June 2022. The PDPA is based on the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and contains many similar provisions, although they differ in areas such as anonymisation. More specifically, the PDPA introduces obligations for data controllers and data processors including lawful grounds of data collection, use, and disclosure, restrictions on data transfers to foreign countries, and requirements for breach notification, as well as rights for data subjects. The Ministry of Digital Economy and Society ('MDES') and PDPC have released draft secondary laws and guidelines to clarify the provision of the PDPA in areas such as data security, data transfers to foreign countries, as well as requirements for data protection officer appointment and the conducting of Data Protection Impact Assessments. The PDPA was among a set of digital related bills, including the Cybersecurity Act 2019, which were developed in 2019 to address contemporary technological developments.