Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA") will come into full force on 27 May 2020. In view of the impending target date, this article provides a concise overview of the new law.

Scope of Enforcement – The PDPA applies to the collection, use or disclosure of personal data by a data controller or data processor located in Thailand, regardless of whether or not such acts occur in Thailand. If a data controller or data processor is located outside of Thailand, the PDPA applies if the data subject whose data is collected, used or disclosed is located in Thailand, provided that the data controller's or data processor's activities are:

(i) the offering of goods or services to a data subject who is located in Thailand (irrespective of whether or not the payment for such goods/services is made by the data subject); or

(ii) the monitoring of the data subject's performance, where such performance takes place in Thailand.

Personal data is not subject to PDPA if collected for:

  • personal benefit or household activity;
  • operations of public authorities having duties to maintain state security;
  • activities of mass media, fine arts or literature which are in line with professional ethics or public interest;
  • consideration by House of Representatives, Senate, Parliament or their appointed committees under their duties and power;
  • courts' trial and adjudication and officers' work operations in legal proceedings, legal execution and deposit of property;
  • credit bureau companies' and its members' operations under relevant law; and
  • of deceased persons.

Definition of Personal Data – Section 6 of the PDPA defines "personal data" as information pertaining to a natural person which enables the identification of such natural person whether directly or indirectly. There are two types: (i) "Non-Sensitive Personal Data" (e.g., name, surname, home address, email address, bank account number, etc.); and (ii) "Sensitive Personal Data" (e.g., race, political opinions, religion, sexuality, criminal records, disability, etc.).

Definition of Data Controller – Section 6 defines "data controller" as a person or juristic person having the power to make decisions regarding collection, use or disclosure of personal data.

Definition of Data Processor – Section 6 defines "data processor" as a person or juristic person operating in relation to collection, use or disclosure of personal data further to orders given by or on behalf of a data controller.

Basic Elements of Collection, Use and Disclosure – (i) Consent of data subjects must be obtained in writing or electronic form by data controllers prior to or at the time of collection, use, processing or disclosure of personal data (unless otherwise permitted by law); (ii) collected personal data must be used in accordance with intended purpose that was informed to data subjects; (iii) collection is limited to extent necessary for the lawful purpose; (iv) personal data must be collected directly from data subjects (unless otherwise permitted by law); and (v) transfer of personal data to a foreign country, destination country or international organization is only permitted if recipients have adequate data protection standards.

Details Required to be Informed to Data Subject – (i) Data to be collected (e.g., name, surname, email address, etc.); (ii) purpose of collection, use or disclosure (e.g., for human resources management); (iii) reasons why personal data shall be collected; (iv) possible effect of not providing personal data; (v) estimated data retention period; (vi) persons or entities to whom the collected personal data may be disclosed; (vii) contact information of data controller or its representative / data protection officer (who must be an employee of the data controller); and (viii) rights of the data subject.

Exemption of Consent Requirement – Section 24 (General Personal Data) and Section 26 (Sensitive Personal Data) collectively set out ten exemptions where no consent is required from a data subject for collection, use or disclosure of personal data, such as for performance of a task carried out for the public interest.

Personal Data Previously Collected – Section 95 allows data controllers to continue collecting and using personal data collected prior to the effective date of the PDPA for the original intended purpose.

Rights of a Data Subject – A key element of the PDPA are the rights protecting data subjects, such as Section 19 which grants data subjects the right to withdraw consent at any time, Section 32 the right to object to collection, use or disclosure of personal data and Section 73 the right to file a complaint in case of violation, among others.

Obligations of a Data Controller – Chapter III of the PDPA sets out specific obligations of a data controller, such as the obligation to ensure that personal data remains accurate, up-to-date, complete and not misleading and to provide appropriate security measures to prevent unauthorized access to personal data, among others.

Obligations of Data Processor – In case the data processor is not a data controller, obligations of data processors apply such as to collect, use or disclose personal data only pursuant to instructions given by a data controller and to provide appropriate security measures, among others.

Data Protection Officer – Under Section 41, a data controller and data processor shall appoint a data protection officer in circumstances, such as their core activity is the collection, use or disclosure of sensitive personal data.

Obligations of Data Protection Officer – To give advice to data controller or data processor including employees and service providers on compliance with the PDPA and to monitor their performance, among others.

Penalties – Violation of or failure to comply with the PDPA may incur penalties including civil liability, criminal liability and administrative liability.

The PDPA is very new to Thailand and further regulations and guidelines will be issued to supplement the implementation and enforcement of the PDPA. As the PDPA will come into full force soon, appropriate measures should be taken to prepare for and ensure compliance with the new law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.