Thailand - Data Protection Overview

October 2023

1. Governing Texts

The Personal Data Protection Act 2019 ('PDPA') is the very first consolidated law governing data protection in Thailand.

1.1. Key acts, regulations, directives, bills

Primary Legislation

The Constitution of the Kingdom of Thailand ('the Constitution') protects the human dignity, rights, freedoms, and equality of all Thais. Because the right to privacy is recognised under the Constitution, a person has the right to protection against undue exploitation of personal data relating to his or her person. In theory, where personal data is used in a way that violates or affects a person's constitutional right to personal data, that person may be entitled to claim damages in tort under the Thai Civil and Commercial Code.

Secondary Legislation

The following secondary legislation has been issued under the PDPA:

  • PDPC Notification on security measures for the data controller (only available in Thai);
  • PDPC Notification on rules and methods for preparation and maintenance of records of personal data processing activities for the data processor (only available in Thai) ('the Records Notification');
  • PDPC Notification on the exemption from record-keeping obligations for data controllers that are small organisations (only available in Thai) ('the Exemption Notification');
  • PDPC Notification on criteria for considering the issuance of administrative punishment orders by the expert committee (only available in Thai);
  • PDPC Notification regarding rules on qualifications of competent officials under the PDPA (only available in Thai);
  • PDPC Notification regarding the form of the identification card of competent officials under the PDPA (only available in Thai);
  • PDPC Notification regarding the qualifications and prohibitions, term of office, vacation from office, and other operations of the expert committee (only available in Thai);
  • PDPC Notification regarding rules and methods for recruiting a chairperson and the honorary director of the commission supervising the Office of the PDPC (only available in Thai);
  • Rules of the PDPC regarding the filing, refusal of acceptance, dismissal, consideration, and timeframe for the consideration of complaints (only available in Thai);
  • PDPC Notification on rules and methods of personal data breach notification (only available in Thai); and
  • PDPC Notification regarding data controllers or data processors that are public authorities required to appoint a data protection officer ('DPO') (only available in Thai) ('the DPO Notification').

1.2. Guidelines

The PDPC published the following guidelines:

  • Guideline for obtaining consent from data subjects according to the PDPA (only available in Thai);
  • Guideline for notifying purposes and details for collecting personal data from the data subjects according to the PDPA (only available in Thai); and
  • Guideline regarding risk assessment and notification of personal data breach (only available in Thai).

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The PDPA applies to any person or legal person that collects, uses, or discloses the personal data of a living natural person. It covers the collection, use, disclosure, and/or transfer of personal data, subject to certain exceptions (e.g. the exception for household activities).

2.2. Territorial scope

The PDPA has both territorial and extra-territorial application. As for the territorial scope of the PDPA, the PDPA applies to the collection, use, and/or disclosure of personal data by a personal data controller or a personal data processor that is in Thailand, regardless of whether such collection, use, or disclosure takes place in Thailand or not. Furthermore, the PDPA has extra-territorial applicability over entities outside Thailand that collect, use, and/or disclose personal data of data subjects who are in Thailand in two situations:

  • where the activities of collection, use, and disclosure are related to the offering of goods or services to the data subjects who are in Thailand, irrespective of whether the payment is made by the data subject; or
  • where the activities of collection, use, and disclosure are related to the monitoring of the data subject's behaviour, where the behaviour takes place in Thailand.

2.3. Material scope

The PDPA applies to the collection, use, and disclosure (including cross-border transfer) of personal data. Personal data can be categorised into general personal data and sensitive personal data, for which different requirements and exemptions apply.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The Personal Data Protection Committee ('PDPC') is responsible for drafting and issuing sub-regulations under the PDPA.

Formerly, the Ministry of Digital Economy and Society ('MDES') acted on behalf of the PDPC.

3.2. Main powers, duties and responsibilities

The PDPC's powers and duties include, but are not limited to:

  • determine measures or approaches for operations in relation to personal data protection to ensure PDPA compliance;
  • promote and support the protection of personal data;
  • issue notifications or orders pursuant to the PDPA; and
  • announce and establish rules/guidelines for personal data controllers and personal data processors to follow and comply with.

4. Key Definitions

Data controller: A person or legal person having the power and duties to make decisions regarding the collection, use, or disclosure of the personal data (Section 6 of the PDPA).

Data processor: A person or legal person who operates in relation to the collection, use, or disclosure of the personal data pursuant to the orders given by or on behalf of a personal data controller, whereby such person or legal person is not a personal data controller (Section 6 of the PDPA).

Personal data: Any information relating to a natural person, which enables the identification of such person, whether directly or indirectly, but not including information of deceased persons (Section 6 of the PDPA).

Sensitive data: Any personal data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner as to be prescribed by the PDPC (Section 26 of the PDPA). 

Health data: Not applicable.

Biometric data: Personal data arising from the use of techniques or technology relating to the physical or behavioural characteristics of a person, which can be used to identify that person as distinct from other persons, such as facial recognition data, iris recognition data, or fingerprint recognition data (Section 26 of the PDPA).

Pseudonymisation: Not applicable.

5. Legal Bases

The main legal bases for general personal and sensitive personal data are found under Part 2 of the PDPA.

Legal bases for general personal data are:

  • consent (Section 19 of the PDPA);
  • the achievement of the purpose relating to the preparation of the historical documents or the archives for public interest, or for purposes relating to research or statistics (Section 24(1) of the PDPA);
  • the prevention or suppression of a danger to the data subject's life, body, or health (Section 24(2) of the PDPA);
  • when necessary for the contract with the data subject, or in order to take steps at the request of the data subject prior to entering into a contract (Section 24(3) of the PDPA);
  • the performance of a task carried out in the public interest, or the exercise of official authority vested in the data controller (Section 24(4) of the PDPA);
  • legitimate interests of the data controller or of another person or entity, except where such interests are overridden by the fundamental rights of the data subject in his or her personal data (Section 24(5) of the PDPA); and
  • compliance with a law to which the data controller is subject (Section 24(6) of the PDPA).

5.1. Consent

Please refer to section on legal bases above.

5.2. Contract with the data subject

Please refer to section on legal bases above.

5.3. Legal obligations

Please refer to section on legal bases above.

5.4. Interests of the data subject

Please refer to section on legal bases above.

5.5. Public interest

Please refer to section on legal bases above.

5.6. Legitimate interests of the data controller

Please refer to section on legal bases above.

5.7. Legal bases in other instances

Please refer to section on legal bases above.

6. Principles

The PDPA requires compliance with the principle of data minimisation, i.e. the collection of personal data must be limited to the extent necessary in relation to the lawful purpose of the data controller. In addition, the data controller must ensure that the personal data remains accurate, up-to-date, complete, and not misleading.

7. Controller and Processor Obligations

7.1. Data processing notification

The data controller must inform the data subject, prior to or at the time of the collection of the personal data, of the required details (e.g. the purpose of the collection, the data retention period, and the rights of the data subject), except in cases where the data subject already knows of such details.

Nonetheless, there is currently no registration requirement.

7.2. Data transfers

There is currently no localisation requirement forbidding the transfer of personal data overseas. Thus, personal data could be transferred outside Thailand, provided that the cross-border transfer requirements under the PDPA are met.

For further information please see our Thailand - Data transfers Guidance Note.

7.3. Data processing records

The data controller and the data processor must prepare and maintain records of personal data processing activities, in written or electronic form, so that they can be inspected by the data subject and the Office of the PDPC ('the PDPC Office'). The rules and methods for these records are set out in sub-regulation.

In particular, the PDPC has published the Records Notification and the Exemption Notification.

The Exemption Notification establishes the criteria under which a data controller is exempt from the requirement to keep records of processing activities. The main criteria are (Section 2 of the Exemption Notification):

  • the business is a small or medium-sized business under the definition in the Law on the Promotion of Small and Medium-Sized Businesses ('the Law on SMEs');
  • the business is a community enterprise or community enterprise network under the Law on Community Enterprise Promotion;
  • the business is a social enterprise or a group of social enterprises under the Law on the Promotion of Social Enterprises;
  • the business is a cooperative or a group of farmers under the Law on Cooperatives;
  • the business is a foundation, association, religious organisation, or non-profit organisation; or
  • the business is a household business, or another business of the same nature, whose data controller qualifies as a small business under the Law on SMEs and which does not provide services that require the retention of computer traffic data under the Computer Crimes Act 2007.

7.4. Data protection impact assessment

There is no direct provision of the PDPA that requires the data controller to carry out a Data Protection Impact Assessment ('DPIA'). However, the data controller must take into account the level of risk and the severity of harm that the collection, use, and disclosure of personal data may cause to the rights and freedoms of natural persons. In this regard, Section 37 of the PDPA makes it mandatory to review security measures when necessary, or when new technology is adopted (Section 37(1) of the PDPA).

7.5. Data protection officer appointment

The appointment of a data protection officer ('DPO') is mandatory under the PDPA (and its sub-regulations) only where prescribed conditions are met. For example, a DPO is required where the core activity of the data controller or data processor is the collection, use, or disclosure of sensitive personal data.

More specifically, the data controller and the data processor must designate a DPO in the following circumstances (Section 41 of the PDPA):

  • the data controller or the data processor is a public authority as prescribed and announced by the PDPC;
  • the activities of the data controller or the data processor in the collection, use, or disclosure of personal data require regular monitoring of the personal data or of the system, by reason of the large volume of personal data involved, as prescribed and announced by the PDPC; or
  • the core activity of the data controller or the data processor is the collection, use, or disclosure of sensitive personal data under Section 26 of the PDPA.

The data controller and the data processor have an obligation to provide the information of the DPO, including their contact address and contact channels to the data subject and the PDPC. In this regard, the data subject should be able to contact the DPO with respect to the collection, use or disclosure of personal data, and the exercise of rights of the data subject under the PDPA (Section 41 of the PDPA).

The prescribed list of public authorities required to appoint a DPO is set out by the PDPC in the DPO Notification (see the section on 'Governing Texts' above).

Role

The DPO shall have the following duties (Section 42 of the PDPA):

  • give advice to the data controller or the data processor, including the employees or service providers of the data controller or the data processor with respect to compliance with the PDPA;
  • investigate the performance of the data controller or the data processor, including the employees or service providers of the data controller or the data processor with respect to the collection, use, or disclosure of the personal data for compliance with the PDPA;
  • coordinate and cooperate with the PDPC in circumstances where there are problems with respect to the collection, use or disclosure of the personal data undertaken by the data controller or the data processor, including the employees or service providers of the data controller or of the data processor with respect to the compliance with the PDPA; and
  • keep confidentiality of the personal data known or acquired in the course of their performance of duty under the PDPA.

Specific requirements

The DPO may be a staff of the data controller or the data processor, or a service provider under the contract with the data controller or the data processor (Section 41 of the PDPA).

Additionally, the DPO may perform other duties or tasks, but the data controller or the data processor must warrant to the PDPC that such duties or tasks are not contrary to the performance of the DPO's duties under the PDPA (Section 42 of the PDPA).

Where the data controllers or data processors are in the same affiliated business or same group of undertakings, to jointly operate the business or group of undertakings as prescribed by the PDPC, such data controllers or data processors may jointly designate a DPO. In this regard, the DPO must be easy to contact by each establishment of the relevant data controllers or data processors (Section 41 of the PDPA).

Moreover, the DPO must:

  • be supported by the data controller or the data processor in performing the tasks by providing adequate tools or equipment, as well as facilitating access to personal data in order to perform their duties (Section 42 of the PDPA); and
  • not be dismissed or terminated by the reason of performance of their duties under the PDPA and where there is any problem when performing such duties, the DPO must be able to directly report to the chief executive of the data controller or data processor (Section 42 of the PDPA).

7.6. Data breach notification

A personal data breach is defined as any breach of security measures resulting in unauthorized or unlawful loss, access to, use, alteration, correction, or disclosure of personal data whether caused by intent, wilfulness, negligence, or an unauthorized or unlawful act, a computer crime, a cyber threat, an error or accident, or any other cause.

The data controller is required to notify the PDPC of a personal data breach without delay and, where feasible, within 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller is also required to notify the data subject of the breach and of the remedial measures without undue delay. Exemptions are prescribed in sub-regulation.

The data processor is required to notify the data controller of the personal data breach that occurred.

7.7. Data retention

When collecting personal data, the data controller must inform the data subject, prior to or at the time of collection, of the period for which the personal data will be retained. If it is not possible to specify a retention period, the expected retention period according to the applicable data retention standard must be specified instead.

7.8. Children's data

If the data subject is a minor (under 20 years of age), the data controller may need to:

  • obtain parental consent for minors between zero to ten years;
  • obtain only minor's consent for minors who are older than ten but younger than 20 years of age for an act for which minors are competent to give consent; or
  • obtain both parental consent and minor consent for minors who are older than ten but younger than 20 years for an act for which minors are not competent to give consent.

7.9. Special categories of personal data

The data controller is required to obtain explicit consent before collecting sensitive personal data, unless an exemption applies. The data controller may collect personal data related to criminal records only when the collection is under the control of an authorised official authority or as otherwise prescribed in the further sub-regulation by the PDPC.

Legal bases for sensitive personal data are:

  • explicit consent (Section 26 paragraph 1 of the PDPA);
  • the prevention or suppression of a danger to the data subject's life, body, or health when the data subject is incapable of consenting (Section 26(1) of the PDPA);
  • when foundations, associations, or non-profit bodies carry out legitimate activities for their members or associated individuals and do not disclose the sensitive personal data outside of their organisation (Section 26(2) of the PDPA);
  • when sensitive personal data has been made public with the data subject's explicit consent (Section 26(3) of the PDPA);
  • when necessary for the establishment, compliance, exercise, or defence of legal claims (Section 26(4) of the PDPA); and
  • when necessary to comply with a law for the purpose of (Section 26(5) of the PDPA):
    • preventive medicine or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, health or social care, medical treatment, or the management of health or social care systems and services (Section 26(5)(a) of the PDPA);
    • public interest in public health (Section 26(5)(b) of the PDPA);
    • employment protection, social security, national health security, social health welfare, road accident victim protection, or social protection (Section 26(5)(c) of the PDPA);
    • scientific, historical, or statistical research purposes, or other public interests (Section 26(5)(d) of the PDPA); and
    • substantial public interest (Section 26(5)(e) of the PDPA).

7.10. Controller and processor contracts

The personal data controller should put in place an agreement to control the activities carried out by the personal data processor on behalf of the personal data controller, and such an agreement should set out the obligations of the personal data processor in accordance with the requirements under the PDPA.

Where the personal data controller or the personal data processor fails to comply with its obligations under the PDPA, liability may include civil liability with punitive damages, criminal penalties, and administrative penalties.

8. Data Subject Rights

8.1. Right to be informed

The personal data controller must inform the data subject, prior to or at the time of the collection of the personal data, of the required details (e.g. the purpose of the collection, the data retention period, and the rights of the data subject), except in cases where the data subject already knows of such details.

8.2. Right to access

The data subject has the right to access or request a copy of their personal data that the data controller collects, uses, and discloses.

8.3. Right to rectification

The data subject has the right to have incomplete, inaccurate, misleading, or not up-to-date personal data that the data controller collects, uses, and discloses rectified.

8.4. Right to erasure

The data subject has the right to request the data controller to delete or de-identify their personal data that the data controller collects, uses, and discloses, except where the data controller is not obligated to do so if the data controller needs to retain such data in order to comply with a legal obligation or to establish, exercise, or defend legal claims.

8.5. Right to object/opt-out

The data subject has the right to object to certain collection, use, and disclosure of their personal data such as objecting to direct marketing.

8.6. Right to data portability

Where the data controller has arranged personal data in a format that is machine-readable or commonly used and can be used or disclosed by automated means, the data subject has the right to obtain that personal data from the data controller. The data subject is also entitled to:

  • request the data controller to send or transfer the personal data in such a format to another data controller, where this can be done by automated means; and
  • request to obtain directly the personal data in such a format that the data controller sends or transfers to other data controllers, unless this is impossible for technical reasons.

8.7. Right not to be subject to automated decision-making

The PDPA does not grant the data subject a right not to be subject to automated individual decision-making, including profiling.

8.8. Other rights

Right to restriction

The data subject has the right to restrict the use of his or her personal data in certain circumstances (e.g., when it is no longer necessary to retain such personal data, but the data subject requests the retention for the establishment, compliance, or exercise of legal claims, or the defence of legal claims).

Right to withdraw consent

The data subject has the right to withdraw his or her consent at any time for the purposes that he or she has consented to the collecting, using, and disclosing of his or her personal data.

Right to lodge complaint

The data subject has the right to lodge a complaint to the competent authority where he or she believes that the collection, use, and disclosure of his or her personal data is unlawful or non-compliant with the PDPA.

9. Penalties

Failure to comply with the PDPA could result in civil liabilities with punitive damages, administrative fines of up to THB 5 million (approx. $135,040), and criminal penalties which include imprisonment for up to one year, or a fine of up to THB 1 million (approx. $27,000), or both. Examples of which are provided below:

  • Any data controller who fails to comply with Sections 41(1) or 42 of the PDPA, shall be punished with an administrative fine not exceeding THB 1 million (approx. $27,000).

9.1. Enforcement decisions

Not applicable.
