Thailand’s Personal Data Protection Act passes into law

Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA), approved by the government earlier this year, was published in the Government Gazette on May 27, 2019.

Provisions relating to the collection, use, and disclosure of personal data will come into force one year after publication. The law is written to be extraterritorial, meaning that it applies to data controllers regardless of their location. Therefore, all applicable business operators who collect or process the personal data of data subjects in Thailand must be fully compliant with the PDPA by May 27, 2020.

Restrictions on the Collection and Use of Data

Personal data, in the context of the PDPA, is an extremely broad term covering any data from which an individual can be identified—notably those belonging to customers, employees, and suppliers, etc., but potentially extending to any data held by a company in the course of their business.

The most significant restrictions on the collection and use of such data under the PDPA are:

  • a requirement for data controllers to obtain consent from data subjects (in writing or online) before they can process their personal data (subject to certain exceptions);
  • more stringent requirements for sensitive personal data;
  • a requirement to arrange sufficient security measures for storing personal data and sensitive personal data;
  • restrictions on the transfer of personal data to other countries; 
  • data breach notification requirements; and, 
  • a requirement for data controllers outside Thailand to appoint a representative within the jurisdiction, who will have certain rights and obligations.

Rights of Data Subjects

In addition, the PDPA grants data subjects various rights over data held by others that relates to them, including, amongst others, right of access, right to erasure, right to object, and the right to data portability. Data controllers must ensure that they honor and guarantee those rights as part of their operations.

Sanctions for Non-Compliance

Penalties for noncompliance are severe, with each offence potentially incurring administrative fines of up to THB 5 million, and criminal fines of up to THB 1 million. The court can also award punitive damages of up to twice the damage caused, and imprisonment for up to a year.

How to Prepare

Given the wide impact of these amendments, and the short grace period for compliance, prudent business operators should conduct a gap analysis in order to understand the classes of data that they currently possess; identify current levels of compliance; assess and mitigate the risks involved in each activity which falls under the PDPA; and review their internal policies, agreements, practices, and any other instruments related to personal data to resolve issues identified in the gap analysis before May 27, 2020.

Business operators should also take necessary actions to ensure that their employees and personnel are fully trained and ready to handle the PDPA in a practical and efficient manner. Business operators should also take the opportunity to review their systems—both online and offline—to ensure that any personal data under their possession is secure held.

If you have any questions, please contact Athistha (Nop) Chitranukroh at [email protected] or Gvavalin Mahakunkitchareon at [email protected].