Thailand: Government approves Royal Decree postponing PDPA
OneTrust DataGuidance confirmed, on 20 May 2020, with Dhiraphol Suwanprateep and Thananya Chaikamosuk, Partner and Associate respectively, at Baker McKenzie, that the Government of Thailand has approved the draft Royal Decree to postpone the Personal Data Protection Act B.E. 2562 (2019) ('PDPA') effective date until 31 May 2021, as a result of the COVID-19 ('Coronavirus') pandemic and its effects on the country. In addition, Suwanprateep and Chaikamosuk confirmed that ten members of the Personal Data Protection Committee have been approved by the Government.
UPDATE (21 May 2020)
Draft Royal Decree published in Royal Gazette
The Royal Decree to postpone the PDPA was published, on 21 May 2020, in the Royal Gazette of the Kingdom of Thailand.
You can access the draft, only available in Thai, here.
UPDATE (10 June 2020)
MDES issues statement on PDPA postponement
The Ministry of Digital Economy and Society ('MDES') issued, on 8 June 2020, a statement on the PDPA's postponement. In particular, the MDES noted that government agencies, private and public institutions were not ready for the enforcement of the legislation. Furthermore, the MDES clarified that it will focus on measures to ensure that such agencies or institutions will store personal information separately from other data, with security measures, and that access rights are established.
You can read the statement, only available in Thai, here.
UPDATE (29 July 2020)
MDES published notice within Royal Gazette
The MDES published, on 17 July 2020, in the Royal Gazette, a notice ('the Notice') on data controller requirements and security measures to be implemented during the postponement period of the PDPA. In particular, the Notice requires data controllers to implement, among other things, security measures for control of access to data that is stored or for the equipment used for processing, policies for granting rights to access personal data, security measures for user management when accessing personal data, user responsibilities for the prevention of unauthorised access, and methods to enable retrospective monitoring of data that was accessed, amended, deleted, or transferred.