Thailand: Thailand Establishes Personal Data Protection Commission

Thailand has completed the establishment of the Personal Data Protection Commission (PDPC), the regulator under the country's Personal Data Protection Act B.E. 2562 (PDPA), strongly indicating that the planned full enforcement of the PDPA on June 1, 2022, is likely to proceed as scheduled.

The establishment of the PDPC was finalized on January 18, 2022, when the Announcement of the Prime Minister's Office on the Appointment of Chairperson and Honorary Members of the PDPC was published in the Government Gazette.

As stipulated in the PDPA, the PDPC consists of:

• The chairperson, appointed based on knowledge, skills, and experience;
• The vice-chairperson, who is the permanent secretary of the Ministry of Digital Economy and Society;
• Five commission members, designated based on their positions in certain government agencies (as prescribed under the PDPA); and
• Nine honorary commission members appointed based on knowledge, skills, and experience in personal data protection, consumer protection, technology and telecommunication, social science, law, health, finance, or other relevant fields.

As the vice-chairperson and the five commission members are appointed to the PDPC based on their positions, the January 18 announcement appointing the chairperson and the nine honorary commission members completes the formation of the PDPC.

The full enforcement of the PDPA has been previously postponed, and many businesses had expressed concern that another extension would be forthcoming before the current enforcement date. However, the successful establishment of the PDPC is a fundamental prerequisite to enforcement and indicates that the effective date of the PDPA on June 1, 2022, is unlikely to be further postponed. In addition, the PDPA's draft subordinate regulations that were the subject of a series of public hearings last year are likely to be issued in the near future.

Companies and other organizations that are not yet compliant with the PDPA should now assess their current practices for handling and processing personal data in order to ensure that any compliance gaps can be closed or minimized before the full enforcement date.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.