Thailand

Summary

Law: Personal Data Protection Act 2019 ('PDPA')

Regulator: Personal Data Protection Committee ('PDPC')

Summary: The PDPA is the first consolidated legislation providing general data protection within Thailand and entered into effect on 1 June 2022. The PDPA is based on the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and contains many similar provisions, although they differ in areas such as anonymisation. More specifically, the PDPA introduces obligations for data controllers and data processors including lawful grounds of data collection, use, and disclosure, restrictions on data transfers to foreign countries, and requirements for breach notification, as well as rights for data subjects. The Ministry of Digital Economy and Society ('MDES') and PDPC have released draft secondary laws and guidelines to clarify the provisions of the PDPA in areas such as data security, data transfers to foreign countries, as well as requirements for data protection officer appointment and the conducting of Data Protection Impact Assessments. The PDPA was among a set of digital-related bills, including the Cybersecurity Act 2019, which were developed in 2019 to address contemporary technological developments.

Insights

The Personal Data Protection Act 2019 ('PDPA') came into full force and effect on 1 June 2022. It governs the processing (i.e. the collection, use, and disclosure) of personal data of data subjects residing in Thailand carried out by businesses, defined as persons or legal entities who are data controllers or data processors. The PDPA protects the rights of data subjects and recognises the need of businesses for processing personal data for appropriate and limited purposes.

Part one provides an overview of the key notification and consent requirements that businesses must meet to comply with the PDPA. Part two discusses the requirements set out in the PDPA in relation to data transfers and localisation. Part three explores the PDPA's provisions on vendor management, breach reporting, and legal liability. As part four of the Insight series on the operationalisation of the PDPA, Nopparat Lalitkomon and Thammapas Chanpanich, from Tilleke & Gibbins, give an overview of lawful bases for processing, sensitive personal data, and data-processing safeguards under the PDPA.

The Personal Data Protection Act 2019 ('PDPA') came into full force and effect on 1 June 2022. It governs the processing (i.e. the collection, use, and disclosure) of personal data of data subjects residing in Thailand carried out by businesses, defined as persons or legal entities who are data controllers or data processors. The PDPA protects the rights of data subjects and recognises the need of businesses for processing personal data for appropriate and limited purposes.

Part one provides an overview of the key notification and consent requirements that businesses must meet to comply with the PDPA. Part two discusses the requirements set out in the PDPA in relation to data transfers and localisation. As part three of the Insight series on the operationalisation of the PDPA, Dhiraphol Suwanprateep and Thananya Chaikamonsuk, from Baker & McKenzie Limited Attorneys at Law, explore the PDPA's provisions on vendor management, breach reporting, and legal liability. Part four gives an overview of lawful bases for processing, sensitive personal data, and data processing safeguards under the PDPA.

The Personal Data Protection Act 2019 ('PDPA') came into full force and effect on 1 June 2022. It governs the processing (i.e. the collection, use, and disclosure) of personal data of data subjects residing in Thailand carried out by businesses, defined as persons or legal entities who are data controllers or data processors. The PDPA protects the rights of data subjects and recognises the need of businesses for processing personal data for appropriate and limited purposes.

Part one provides an overview of the key notification and consent requirements that businesses must meet to comply with the PDPA. As part two of the Insight series on the operationalisation of the PDPA, Dhiraphol Suwanprateep and Thananya Chaikamonsuk, from Baker & McKenzie Limited Attorneys at Law, discuss the requirements set out in the PDPA in relation to data transfers and localisation. Part three explores the PDPA's provisions on vendor management, breach reporting, and legal liability. Part four gives an overview of lawful bases for processing, sensitive personal data, and data processing safeguards under the PDPA.

The Personal Data Protection Act 2019 ('PDPA') came into full force and effect on 1 June 2022. It governs the processing (i.e. the collection, use, and disclosure) of personal data of data subjects residing in Thailand carried out by businesses, defined as persons or legal entities who are data controllers or data processors. The PDPA protects the rights of data subjects and recognises the need of businesses for processing personal data for appropriate and limited purposes.

As part one of the Insight series on the operationalisation of the PDPA, Kowit Somwaiya and Usa Ua-areetham, from LawPlus Ltd., provide an overview of the key notification and consent requirements that businesses must meet to comply with the PDPA. Part two discusses the requirements set out in the PDPA in relation to data transfers and localisation. Part three explores the PDPA's provisions on vendor management, breach reporting, and legal liability. Part four gives an overview of lawful bases for processing, sensitive personal data, and data processing safeguards under the PDPA.

The Personal Data Protection Act 2019 ('PDPA') is Thailand's first comprehensive data protection legislation, which was originally set to enter into effect on 27 May 2020. However, following two rounds of postponement due to the COVID-19 pandemic, the PDPA entered into effect on 1 June 2022. The PDPA is based on the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and aims to ensure the protection of personal data and put in place effective remedial measures for data subjects whose rights to the protection of personal data are violated.

Similar to part one and part two of this three-part series on the PDPA, this article intends to highlight key provisions in the PDPA, focusing on the rights of individuals and liability under the PDPA.

The Personal Data Protection Act 2019 ('PDPA') is Thailand's first comprehensive data protection legislation, which was originally set to enter into effect on 27 May 2020. However, following two rounds of postponement due to the COVID-19 pandemic, the PDPA entered into effect on 1 June 2022. The PDPA is based on the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and aims to ensure the protection of personal data and put in place effective remedial measures for data subjects whose rights to the protection of personal data are violated.

Similar to part one and part three of this three-part series on the PDPA, this article intends to highlight key provisions of the PDPA, focusing on the obligations of data controllers and data processors, including data protection officer ('DPO') appointment, breach notification, and data transfers to foreign countries. In addition, the Secondary Draft Laws to the PDPA provide further information on data controller obligations.

The Personal Data Protection Act 2019 ('PDPA') is Thailand's first comprehensive data protection legislation, which was originally set to enter into effect on 27 May 2020. However, following two rounds of postponement due to the COVID-19 pandemic, the PDPA entered into effect on 1 June 2022. The PDPA is based on the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and aims to ensure the protection of personal data and put in place effective remedial measures for data subjects whose rights to the protection of personal data are violated.

Similar to part two and part three of this three-part series on the PDPA, this article intends to highlight key provisions of the PDPA, focusing on its scope of application, important definitions, and the grounds on which the collection, use, and disclosure of personal information may be based.

Countries across the APAC region have been introducing comprehensive data protection laws and/or updating existing legislation to ensure personal data is protected in the digital era. OneTrust DataGuidance provides an overview of the status of current privacy/data protection bills in Australia, Brunei Darussalam, India, Malaysia, Mongolia, Myanmar, Pakistan, Sri Lanka, Thailand, and Vietnam.

Recently, the Thai Bankers' Association has implemented its Guidelines on Personal Data Protection for Thai Banks ('the Guidelines') to support the operations of the banking sector in accordance with the Personal Data Protection Act 2019 ('PDPA'). The PDPA is the first consolidated law governing data protection in general in Thailand and was published in the Royal Thai Government Gazette on 27 May 2019, with full enforcement expected to take place on 1 June 2022. Dhiraphol Suwanprateep, Partner at Baker & McKenzie Limited Attorneys at Law, discusses the major contents of the Guidelines and their obligations on data processors and controllers.