Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Thailand: PDPA enters into effect

The Personal Data Protection Act 2019 ('PDPA') entered into effect, on 1 June 2022, following two postponements, becoming Thailand's first consolidated data protection law. In particular, the PDPA establishes lawful grounds for data collection, use, and disclosure, including sensitive personal data, controller and processor obligations, as well as data subject rights.

Who does it effect?

More specifically, the PDPA applies to a person or legal person that collects, uses, or discloses the personal data of a natural person, with certain exceptions, and has both territorial and extra-territorial application.

What rights are laid out?

The PDPA sets out the following rights for data subjects:

  • right to be informed;
  • right to access;
  • right to rectification;
  • right to erasure;
  • right to object/opt-out; and
  • right to data portability.

What are the obligations for data controllers and processors?

In this regard, the PDPA outlines a number of requirements, including the adoption of appropriate security measures, the maintaining of records of processing, the appointment of a data protection officer ('DPO'), as well as restrictions on transfers to third countries, including the introduction of adequate protection, and data breach notification.

In addition, the PDPA establishes requirements for controller and processor relationships, noting that such relationships must be governed by an agreement.

Penalties

The PDPA contains penalties for breaches of its provisions, including civil, criminal, and administrative liability with fines of up to THB 5 million (approx. €136,200).

You can read the PDPA here.

OneTrust DataGuidance has released a number of resources to assist with your PDPA compliance:

  • Comparing privacy laws: GDPR v. Thai Personal Data Protection Act, available here;
  • Thailand Data Protection Overview Guidance Notes, available here;
  • Thailand PDPA Insight series (part one, part two, and part three); and
  • What you need to know: Thailand PDPA (video) (available here).

For further information and resources on the PDPA, see our Thai PDPA Portal.