Thailand - Data Protection Overview

November 2021

INTRODUCTION

1. GOVERNING TEXTS

The Personal Data Protection Act 2019 ('PDPA') was published, on 27 May 2019, in the Royal Thai Government Gazette. The PDPA is the very first consolidated law governing data protection in Thailand.

Please note that the Cabinet of Parliament ('the Parliament') approved the Royal Decree on the Organisations and Businesses of which Personal Data Controllers are exempted from the Applicability of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2563 (2020) (only available in Thai). The Royal Decree initially postponed the effective date of the enforcement of the PDPA in Chapters 2, 3, 5, 6, 7 and Section 95, for exempted organisations, until 31 May 2021.

Following a second deliberation, the Parliament approved a further one-year postponement of the effective date of the enforcement of the PDPA, under the Royal Decree on the Organisations and Businesses of which Personal Data Controllers are exempted from the Applicability of the Personal Data Protection Act B.E. 2562 (2019) B.E. 2564 (2021) (only available in Thai) ('the Royal Decree'), making the effective date of the PDPA 1 June 2022.

1.1. Key acts, regulations, directives, bills

According to the Royal Decree, the Notification of the Ministry of Digital Economy and Society re: Standards of Personal Data Security B.E. 2563 (2020) (only available in Thai) ('the MDES Notification') was issued to prescribe the security measures required of data controllers who are temporarily exempted from the applicability of the PDPA until 31 May 2021. The MDES Notification provides rules and requirements concerning the security of personal data, including the maintenance of the confidentiality, integrity, and availability of personal data, and the prevention of the unlawful loss, access to, use, alteration, correction, or disclosure of personal data.

The Constitution of the Kingdom of Thailand ('the Constitution') supports the human dignity, rights, freedoms, and equality of all Thais, who are protected under the customary practices of the Government of Thailand. As the right to privacy is recognised under the Constitution, a person therefore has the right to protection against undue exploitation of personal data relating to his or her individuality. Also, in theory, if personal data is used in a way that violates or affects a person's right to personal data under the Constitution, that person may be entitled to claim damages in tort under the Thai Civil and Commercial Code.

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. SCOPE OF APPLICATION

2.1. Personal scope

The PDPA applies to a person or legal person that collects, uses, or discloses the personal data of a natural (and alive) person, with certain exceptions (e.g. exception of household activity).

The PDPA covers the collection, use, disclosure, and/or transfer of personal data, with certain exceptions (e.g. exception of household activity).

2.2. Territorial scope

The PDPA has both territorial and extra-territorial application. As for the territorial scope of the PDPA, the PDPA applies to the collection, use, and/or disclosure of personal data by a personal data controller or a personal data processor that is in Thailand, regardless of whether such collection, use, or disclosure takes place in Thailand or not. Furthermore, the PDPA has extra-territorial applicability over entities outside Thailand that collect, use, and/or disclose personal data of data subjects who are in Thailand in two situations:

  • where the activities of collection, use, and disclosure are related to the offering of goods or services to the data subjects who are in Thailand, irrespective of whether the payment is made by the data subject; or
  • where the activities of collection, use, and disclosure are related to the monitoring of the data subject's behaviour, where the behaviour takes place in Thailand.

2.3. Material scope

The PDPA applies to the collection, use, and disclosure (including cross-border transfer) of personal data. Personal data can be categorised into general personal data and sensitive personal data, for which different requirements and exemptions apply.

3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

3.1. Main regulator for data protection

The Personal Data Protection Committee ('PDPC') is set to be established under the PDPA.

There is no official date for the establishment of the PDPC, but it has been proposed that this should happen by 31 May 2021, once there is a need for the PDPC to draft and issue the future sub-regulations under the PDPA.

Currently, the Ministry of Digital Economy and Society ('MDES') is acting on behalf of the PDPC until it is set up.

3.2. Main powers, duties and responsibilities

The PDPC will have the following powers and duties, among others:

  • determine measures or approaches for operations in relation to personal data protection to ensure PDPA compliance;
  • promote and support the protection of personal data;
  • issue notifications or orders pursuant to the PDPA; and
  • announce and establish rules/guidelines for personal data controllers and personal data processors to follow and comply with.

4. KEY DEFINITIONS

Data controller: A person or legal person having the power and duties to make decisions regarding the collection, use, or disclosure of the personal data.

Data processor: A person or legal person who operates in relation to the collection, use, or disclosure of the personal data pursuant to the orders given by or on behalf of a personal data controller, whereby such person or legal person is not a personal data controller.

Personal data: Any information relating to a natural person, which enables the identification of such person, whether directly or indirectly, but not including information of deceased persons.

Sensitive data: Any personal data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or any other data which may affect the data subject in the same manner, as prescribed by the PDPC.

Health data: Not applicable.

Biometric data: The personal data arising from the use of techniques or technology related to the physical or behavioural dominance of a person, which can be used to identify such person apart from other persons, such as facial recognition data, iris recognition data, or fingerprint recognition data.

Pseudonymisation: Not applicable.

5. LEGAL BASES

The main legal bases for general personal and sensitive personal data are found under Part 2 of the PDPA.

Legal bases for general personal data are:

  • consent (Section 19 of the PDPA);
  • the achievement of the purpose relating to the preparation of the historical documents or the archives for public interest, or for purposes relating to research or statistics (Section 24(1) of the PDPA);
  • the prevention or suppression of a danger to the data subject's life, body, or health (Section 24(2) of the PDPA);
  • when necessary for the contract with the data subject, or in order to take steps at the request of the data subject prior to entering into a contract (Section 24(3) of the PDPA);
  • in the public's interest (Section 24(4) of the PDPA);
  • legitimate interests of the data controller, another person, or entity, except where such interests are overridden by the fundamental rights of the data subject of his or her personal data (Section 24(5) of the PDPA); and
  • other legal obligations (Section 24(6) of the PDPA).

5.1. Consent

Please refer to section 5 above.

5.2. Contract with the data subject

Please refer to section 5 above.

5.3. Legal obligations

Please refer to section 5 above.

5.4. Interests of the data subject

Please refer to section 5 above. 

5.5. Public interest

Please refer to section 5 above.

5.6. Legitimate interests of the data controller

Please refer to section 5 above.

5.7. Legal bases in other instances

Please refer to section 5 above.

6. PRINCIPLES

The PDPA requires compliance with the principle of the data minimisation, i.e. the collection of personal data must be limited to the extent that is necessary in relation to the lawful purpose of the data controller. In addition, the data controller shall ensure that the personal data remains accurate, up-to-date, complete, and not misleading.

7. CONTROLLER AND PROCESSOR OBLIGATIONS

7.1. Data processing notification

The data controller must inform the data subject, prior to or at the time of the collection of the personal data, of the required details (e.g. the purpose of the collection, the data retention period, and the rights of the data subject), except in cases where the data subject already knows of such details.

Nonetheless, there is currently no registration requirement.

7.2. Data transfers

There is currently no localisation requirement.

For further information please see our Thailand - Data transfers Guidance Note. 

7.3. Data processing records

The data controller and the data processor must prepare and maintain records of personal data processing activities for the data subject and the Office of the PDPC ('the PDPC Office'), which can be either in a written or electronic form. The rules and methods of the records of processing activities will be set forth in further sub-regulation.

7.4. Data protection impact assessment

There is no direct provision of the PDPA that requires the data controller to carry out a Data Protection Impact Assessment ('DPIA'). However, the data controller must take into account the level of risk and the severity of the collection, use, and disclosure of personal data which may adversely affect the rights and freedoms of natural persons.

7.5. Data protection officer appointment

The appointment of a data protection officer ('DPO') is a mandatory condition under the PDPA (and the future sub-regulations).

The DPO is required if conditions under the PDPA (and the future sub-regulations) are met. For example, the appointment of a DPO is required if the core activity of the personal data controller or personal data processor is the collection, use, or disclosure of sensitive personal data.

7.6. Data breach notification

The data controller is required to notify the PDPC of the personal data breach without delay and, where feasible, within 72 hours after having become aware of it.

Where the personal data breach is likely to result in a high risk to the rights and freedoms of the persons concerned, the data controller is required to notify the data subject of the breach incident and the remedial measures without undue delay. Exemptions will be prescribed further in the sub-regulation.

The data processor is required to notify the data controller of the personal data breach that occurred.

7.7. Data retention

When collecting personal data, the personal data controller needs to inform the data subject, prior to or at the time of the collection of personal data, of the period for which the personal data will be retained. If it is not possible to specify such a retention period, the expected retention period, determined according to the data retention standard, needs to be specified.

7.8. Children's data

If the data subject is a minor (under 20 years of age), the data controller may need to:

  • obtain parental consent for minors between zero and ten years of age;
  • obtain only the minor's consent for minors who are older than ten but younger than 20 years of age, for an act for which minors are competent to give consent; or
  • obtain both parental consent and the minor's consent for minors who are older than ten but younger than 20 years of age, for an act for which minors are not competent to give consent.

7.9. Special categories of personal data

The data controller is required to obtain explicit consent before collecting sensitive personal data, unless an exemption applies. The data controller may collect personal data related to criminal records only when the collection is under the control of an authorised official authority or as otherwise prescribed in the further sub-regulation by the PDPC.

Legal bases for sensitive personal data are:

  • explicit consent (Section 26 paragraph 1 of the PDPA);
  • the prevention or suppression of a danger to the data subject's life, body, or health when the data subject is incapable of consenting (Section 26(1) of the PDPA);
  • when foundations, associations, or non-profit bodies carry out legitimate activities for their members or associated individuals and do not disclose the sensitive personal data outside of their organisation (Section 26(2) of the PDPA);
  • when sensitive personal data has been made public with the data subject's explicit consent (Section 26(3) of the PDPA);
  • when necessary for the establishment, compliance, exercise, or defence of legal claims (Section 26(4) of the PDPA);
  • when necessary to comply with a law for the purpose of (Section 26(5) of the PDPA):
    • preventive medicine or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, health or social care, medical treatment, or the management of health or social care systems and services (Section 26(5)(a) of the PDPA);
    • public interest in public health (Section 26(5)(b) of the PDPA);
    • employment protection, social security, national health security, social health welfare, road accident victims protection, or social protection (Section 26(5)(c) of the PDPA);
    • scientific, historical, or statistical research purposes, or other public interests (Section 26(5)(d) of the PDPA); and
    • substantial public interest (Section 26(5)(e) of the PDPA).

7.10. Controller and processor contracts

The personal data controller should put in place an agreement to control the activities carried out by the personal data processor on behalf of the personal data controller, and such an agreement should set out the obligations of the personal data processor in accordance with the requirements under the PDPA.

Where the personal data controller or the personal data processor fails to comply with its obligations under the PDPA, liabilities would include civil liability with punitive damages, and criminal and administrative penalties.

8. DATA SUBJECT RIGHTS

8.1. Right to be informed

The personal data controller must inform the data subject, prior to or at the time of the collection of the personal data, of the required details (e.g. the purpose of the collection, the data retention period, and the rights of the data subject), except in cases where the data subject already knows of such details.

8.2. Right to access

The data subject has the right to access or request a copy of his or her personal data that the data controller collects, uses, and discloses.

8.3. Right to rectification

The data subject has the right to have his or her personal data that the data controller collects, uses, and discloses rectified where it is incomplete, inaccurate, misleading, or not up to date.

8.4. Right to erasure

The data subject has the right to request that the data controller delete or de-identify his or her personal data that the data controller collects, uses, and discloses, except where the data controller needs to retain such data in order to comply with a legal obligation or to establish, exercise, or defend legal claims.

8.5. Right to object/opt-out

The data subject has the right to object to certain collection, use, and disclosure of his or her personal data such as objecting to direct marketing.

8.6. Right to data portability

The data subject has the right to obtain the personal data that the data controller holds about him or her, where the data controller has arranged the personal data in a format which is readable or commonly used by means of automatic tools or equipment, and which can be used or disclosed by automated means. The data subject is also entitled to:

  • request the data controller to send or transfer the personal data in such formats to other data controllers if it can be done by the automatic means; and
  • request to directly obtain personal data in such formats that the data controller sends or transfers to other data controllers, unless it is impossible to do so because of the technical circumstances.

8.7. Right not to be subject to automated decision-making

The data subject does not have the right not to be subject to automated individual decision-making, including profiling, under the PDPA.

8.8. Other rights

Right to restriction

The data subject has the right to restrict the use of his or her personal data in certain circumstances (e.g., when it is no longer necessary to retain such personal data, but the data subject requests the retention for the establishment, compliance, or exercise of legal claims, or the defence of legal claims).

Right to withdraw consent

The data subject has the right to withdraw his or her consent at any time for the purposes that he or she has consented to the collecting, using, and disclosing of his or her personal data.

Right to lodge complaint

The data subject has the right to lodge a complaint to the competent authority where he or she believes that the collection, use, and disclosure of his or her personal data is unlawful or non-compliant with the PDPA.

9. PENALTIES

Failure to comply with the PDPA could result in civil liabilities with punitive damages, administrative fines of up to THB 5 million (approx. €133,800), and criminal penalties which include imprisonment for up to one year, or a fine of up to THB 1 million (approx. €26,600), or both.

9.1. Enforcement decisions

Not applicable.