Thailand’s Personal Data Protection Act is in effect now

Thailand’s Government has finally published the Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”) in the Government Gazette, and the Act has thus become effective from 27th May 2019. The Act was approved and endorsed by the National Legislative Assembly on 28th February 2019, and was thereafter submitted for royal endorsement and subsequent publication in the Government Gazette.

The PDPA will provide Thailand with its very first consolidated law to govern data protection in the country. Thailand’s Government has largely drawn concepts from the EU General Data Protection Regulation (GDPR), with certain modifications suited to the national perspective. Thus, Lexology reports that “compliance with the GDPR does not necessarily mean compliance with the PDPA”.

Key takeaways from the PDPA

What is ‘personal data’?

The PDPA defines it broadly as “information relating to a person which is identifiable, directly or indirectly”. The Act clarifies that information relating to private businesses and deceased persons is excluded from the Act.

“Sensitive personal data”: the Act has provided a specific category of “sensitive personal data” which includes “personal data pertaining to racial or ethnic origin, political opinions, religious or philosophical belief, criminal record, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, and prohibits the collection of sensitive personal data without express consent from the data subject, except in certain prescribed circumstances (e.g., medical emergency or as required by law)”, as per Hunton Privacy Blog.

What is ‘data controller’?

It is defined as a “natural or juristic person” having the power to make decisions on the collection, use or disclosure of personal data.

What is ‘data processor’?

It is a “natural or legal person” which collects, uses or discloses personal data in accordance with the instruction of the data controller.

What will amount to ‘consent’?

The Act provides that a data subject’s consent is the primary requirement for any collection and processing of data. Such consent must be clear and obtained in a way that does not mislead data subjects. It must be express and made in writing or via digital means. Exemptions from the consent requirement are provided, notably in cases of vital interests, personal interests, legal obligation, or where the parties are bound by contractual obligations. A data owner may revoke consent at any time, unless bound by a law or contract on revoking consent.

National Data Protection Committee

A Personal Data Protection Committee will be established under the Act to enforce compliance. The committee will produce guidelines related to data protection practices that data administrators can follow in order to implement a data protection framework.

Rights of data subjects

The Act provides that data owners or subjects are entitled to request access to their own personal data held by the data controller. Data subjects can also submit requests to delete, destroy or anonymise their own personal data. This excludes cases where, among others, the request is not consistent with the provisions of other applicable laws or court orders.

Responsibilities of data administrators (controllers and processors)

The Act imposes several obligations on data administrators, which include collecting data within lawful means or purposes. Administrators are required to inform data owners of the details of the collection of their personal data and to obtain consent for such collection.

The Act also specifies that administrators are required to implement appropriate security measures to prevent loss or alteration of data due to any unauthorized activity.

Extraterritorial application

The Act regulates the collection, use or disclosure of personal data of a data subject in Thailand by data administrators based overseas. As a result, businesses outside Thailand are subject to the PDPA. Such data administrators will be required to appoint a local representative in Thailand and must comply with the conditions set forth in the Act.

Cross-border transfer of data

The Act specifies that personal data can be transferred to other countries that have rigorous data protection law. It can also be transferred in cases where:

  1. the transfer is made in accordance with any applicable law;
  2. consent has been obtained from the data subject;
  3. the transfer is made to comply with a contract entered into between the data subject and the data controller;
  4. the transfer is in the interests of a data subject who is incapable of giving consent; or
  5. the transfer is as per the prescribed ministerial regulation.

Liability and Penalties

The Act provides for both civil and criminal liability where the prescribed obligations are violated, and prescribes penalties for non-compliance. As Baker McKenzie reports, “the non-compliance is punishable with administrative fines (up to THB 5 million), criminal penalties (imprisonment up to one year and/or fines up to THB 1 million), and punitive damages up to twice the amount of actual damages”.


Companies and organizations that are engaged in collecting, using, disclosing, and/or transferring personal data have to implement data protection measures that are fully compliant with the key provisions of the PDPA within one year of it coming into effect.

Written By

Blogger at MediaNama. Personal blogs at www.lawforit.wordpress.com.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ