On August 17, 2023, the Ministry of Digital Economy and Society published a Royal Decree determining organizations that are exempt from data controller's obligations under the Personal Data Protection Act 2019 (PDPA). In particular, the Royal Decree enters into force 150 days after its official publication in the Official Gazette, on January 14, 2024.

The Royal Decree provides that when data controllers receive a request for personal data from the National Anti-Corruption Commission or assigned government agencies, the controller shall receive exemptions from complying with the provisions of Chapters 2 and 3 of the PDPA. Likewise, when data controllers receive a request for personal data from the Revenue Department, the Customs Department or Excise Department, or other governmental units operating under taxation laws, the controllers are also exempt from the provisions of Chapters 2 and 3 of the PDPA. Data controllers who receive a request from local government organizations recognized by the Personal Data Protection Committee responsible for collecting tax are also not subject to the provisions under Chapters 2 and 3 of the PDPA. Such exemptions for data controllers from the provisions under Chapters 2 and 3 of the PDPA also apply to requests from the Secretary of the Cabinet executing the royal prerogative of the monarch and to requests from state agencies acting according to the law on public interests.

In addition, the Royal Decree outlines principles for compliance with the PDPA. Specifically, the Royal Decree provides that requests for personal data under the Royal Decree must be in the public interest according to the purpose and extent to which the law authorizes any state agency to carry out such action, without creating undue burdens on the data controller responsible for disclosing personal data. Further, data controllers may disclose personal data without the data subject's consent if legally authorized state agencies request it and specify the statutory provisions granting authority to request the data. Finally, data subjects or data controllers of requested personal data must have the right to submit a complaint to the PDPA's Expert Committee for interpretation or adjudication.

You can read the Royal Decree, only available in Thai, here.

Update: January 15, 2024

Decree on exemption of data controllers duties enters into force

On January 14, 2024, the Royal Decree came into force. In particular, the Royal Decree stipulates that data controllers are not bound to adhere to Chapters 2 and 3 of the PDPA when responding to personal data requests from specific government entities, including:

• the National Anti-Corruption Commission;
• the Revenue Department;
• the Customs Department;
• the Excise Department;
• recognized local government organizations responsible for tax collection;
• the Secretary of the Cabinet carrying out royal prerogatives; and
• the state agencies acting under laws of public interest.

You can read the enforced Royal Decree, only available in Thai, here.