Comparative Guides

Welcome to Mondaq Comparative Guides - your comparative global Q&A guide.

Our Comparative Guides provide an overview of some of the key points of law and practice and allow you to compare regulatory environments and laws across multiple jurisdictions.

Start by selecting your Topic of interest below. Then choose your Regions and finally refine the exact Subjects you are seeking clarity on to view detailed analysis provided by our carefully selected internationally recognised experts.

4. Results: Answers
Data Privacy
1.
Legal and enforcement framework
1.1
Which legislative and regulatory provisions govern data privacy in your jurisdiction?
Thailand

Answer ... Data privacy in Thailand is governed by the Personal Data Protection Act BE 2562 (2019).

For more information about this answer please contact: John Formichella from Formichella & Sritawat
1.2
Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
Thailand

Answer ... There are no special regimes that apply in specific sectors. The PDPA applies to the collection, use and disclosure of personal data by any organisation in Thailand.

Regarding specific data types, the PDPA sets out special conditions on sensitive personal data, which includes personal data relating to race; ethnic origin; political views; doctrinal, religious or philosophical beliefs; sexual behaviour; criminal record; health record; and biometric information. The processing of sensitive data is allowed only where:

  • the explicit consent of the data subject has been obtained;
  • the processing is performed for legitimate purposes (eg, to prevent harm to an individual’s health or for social security purposes);
  • the processing is required to exercise a legal claim or defence; or
  • the data has already been disclosed to the public with the data subject’s explicit consent.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
1.3
Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
Thailand

Answer ... No bilateral or multilateral instruments relating to data privacy have effect in Thailand.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
1.4
Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
Thailand

Answer ... The bodies responsible for enforcing the data privacy legislation in Thailand are the Ministry of Digital Economy and Society and the Personal Data Protection Committee. These government authorities mainly:

  • draft and enact specific regulations and/or notifications under the PDPA;
  • provide official interpretations; and
  • render orders in relation to the PDPA.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
1.5
What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
Thailand

Answer ... Although regulations and notifications under the PDPA have not yet been issued and the PDPA is not yet fully in force in certain sectors (ie, the industrial and commercial industries), most companies have been preparing to comply with its requirements – for example, by drafting a privacy policy, appointing a data protection officer, preparing a request form for data subjects and so on. At present, the PDPA includes no provisions on industry standards or best practices; we would therefore advise that all legal provisions relating to the PDPA be strictly followed.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
2.
Scope of application
2.1
Which entities are captured by the data privacy regime in your jurisdiction?
Thailand

Answer ... The Personal Data Protection Act (PDPA) applies to the collection, use and disclosure of personal data by organisations (ie, data controllers and/or data processors) that are located in Thailand, regardless of whether such collection, use or disclosure of personal data takes place in Thailand.

Regarding extraterritorial scope, the PDPA also applies to data controllers and data processors that are located outside Thailand where:

  • the data that is collected, used or disclosed relates to data subjects who are located in Thailand;
  • their activities relate to the offer of goods or services to data subjects in Thailand, regardless of whether payment is required; or
  • the data subjects’ behaviour is monitored in Thailand.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
2.2
What exemptions from the data privacy regime, if any, are available in your jurisdiction?
Thailand

Answer ... The PDPA does not apply to public authorities that maintain state security, such as the financial security of the state or public safety, including in relation to the prevention of money laundering, forensic science or cybersecurity.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
2.3
Does the data privacy regime have extra-territorial application?
Thailand

Answer ... Yes, please see question 2.1.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
3.
Definitions
3.1
How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
Thailand

Answer ... (a) Data processing

There is no specific definition of ‘data processing’ set out in the Personal Data Protection Act (PDPA). However, it can be assumed that ‘data processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, and erasure or destruction.

(b) Data processor

The PDPA defines a ‘data processor’ as a natural or legal person that undertakes the collection, use or disclosure of personal data pursuant to orders given by or on behalf of a data controller, whereby such person is not the data controller.

(c) Data controller

The PDPA defines a ‘data controller’ as a natural or legal person who has the power and duties to make decisions regarding the collection, use or disclosure of personal data.

(d) Data subject

There is no specific definition of a ‘data subject’ set out in the PDPA. However, it can be assumed that a ‘data subject’ is any individual who owns personal information and can be identified, directly or indirectly:

  • via such personal information, such as a name, an ID number or location data; or
  • via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity.

In other words, a ‘data subject’ is an end user whose personal data can be collected.

(e) Personal data

The PDPA defines ‘personal data’ as information that:

  • directly or indirectly relates to an individual;
  • stipulates specific requirements relating to certain types of data; and
  • applies to the collection, use or disclosure of personal data.

(f) Sensitive personal data

There is no specific definition of ‘sensitive data’ set out in the PDPA. However, it can be assumed that ‘sensitive data’ is any data relating to race; ethnic origin; political view; doctrinal, religious or philosophical beliefs; sexual behaviour; criminal record; health record; and biometric information.

(g) Consent

There is no specific definition of ‘consent’ set out in the PDPA. However, it can be assumed that ‘consent’ means permission from a data subject allowing a data controller to collect his or her personal data. In addition, under the PDPA, a data controller must obtain the explicit consent of the data subject, either in writing or in electronic form, in order to collect his or her personal data.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
3.2
What other key terms are relevant in the data privacy context in your jurisdiction?
Thailand

Answer ... There are no other key terms which are relevant in the data privacy context in Thailand at this time.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
4.
Registration
4.1
Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
Thailand

Answer ... Under the Personal Data Protection Act (PDPA) as currently in force, the registration of data controllers and processors is not required in Thailand. An individual or entity will automatically become a data controller when it collects the personal data of a data subject. In addition, the PDPA states that data controllers must not collect, use or disclose personal data unless one of the following applies:

  • The data subject has provided his or her prior consent;
  • The processing is necessary for the performance of a contract;
  • The processing is necessary for compliance with a law to which the data controller is subject;
  • The processing is necessary to address a danger to the data subject’s life;
  • The processing is necessary for the performance of a task carried out in the public interest by the data controller to achieve a purpose relating to public interest research and statistics; or
  • The processing is necessary in the legitimate interests of the data controller, where such interests do not override those of the data subject.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
4.2
What is the process for registration?
Thailand

Answer ... Please see question 4.1.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
4.3
Is registered information publicly accessible?
Thailand

Answer ... Please see question 4.1.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
5.
Data processing
5.1
What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
Thailand

Answer ... The Personal Data Protection Act (PDPA) states that data controllers must not collect, use or disclose personal data unless one of the following applies:

  • The data subject has provided his or her prior consent;
  • The processing is necessary for the performance of a contract;
  • The processing is necessary to comply with a law to which the data controller is subject;
  • The processing is necessary to address a danger to the data subject’s life;
  • The processing is necessary to perform a task carried out in the public interest by the data controller to achieve a purpose relating to public interest research and statistics; or
  • The processing is necessary in the legitimate interests of the data controller, where such interests do not override those of the data subject.

The PDPA recognises consent as a legal basis for the collection, use or disclosure of personal data, and includes specific information on how consent can be obtained and withdrawn.

In addition, the PDPA states that the collection of sensitive data is prohibited unless an exemption applies, such as where the data subject has provided explicit consent.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
5.2
What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
Thailand

Answer ... Currently, specific regulations, announcements and notices in relation to the processing of personal data have not yet been enacted under the PDPA; therefore, the key principles that apply to processing data are the general provisions under the PDPA. A data controller and/or data processor must follow the provisions under the PDPA (eg, in relation to the collection, use and disclose of personal data; the appointment of a data protection officer; data breach notifications).

For more information about this answer please contact: John Formichella from Formichella & Sritawat
5.3
What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
Thailand

Answer ... As mentioned in question 1.5, the PDPA is not yet fully in force and the regulator has not yet issued any regulations or notices on its practical enforcement. It is thus not possible to advise on other requirements, restrictions and best practices in relation to the processing of personal data until such regulations and notices have been issued.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
6.
Data transfers
6.1
What requirements and restrictions apply to the transfer of data to third parties?
Thailand

Answer ... Regarding data transfers inside Thailand, the Personal Data Protection Act (PDPA) states that a data controller must not collect, use or disclose data, including by transferring data to third parties, unless:

  • the data subject has provided his or her prior consent; or
  • there is a legal basis to allow the data controller to do so (eg, public interest, legitimate interest, addressing a danger to the data subject’s life).

Cross-border data transfers are permitted only to destination countries or international organisations that afford an adequate level of protection as prescribed by the Personal Data Protection Committee (PDPC), unless such transfer fulfils one of the following legal criteria:

  • The consent of the data subject has been obtained;
  • The transfer is necessary to perform an obligation under a contract or is at the request of the data subject;
  • The transfer is performed for a significant public interest;
  • The transfer is performed pursuant to the law; or
  • The transfer is intended to prevent or address a danger to the life, body or health of the data subject or another person, and the data subject is incapable of giving his or her consent.

As yet, the existence of an adequate level of protection has not been established or prescribed by the PDPC. Once the existence of an adequate level of protection and a personal data protection policy have been established, a data controller or data processor will be permitted to transfer personal data abroad only where there are appropriate safeguards in place, with effective legal remedies that ensure the data subject’s rights.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
6.2
What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
Thailand

Answer ... As mentioned in question 6.1, a cross-border transfer is permitted only to destination countries or international organisations that afford an adequate level of protection as prescribed by the PDPC, unless the transfer fulfils certain legal criteria.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
6.3
What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
Thailand

Answer ... Please see question 5.3.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
7.
Rights of data subjects
7.1
What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
Thailand

Answer ... Under the Personal Data Protection Act (PDPA), the following rights are afforded to each data subject:

  • Right to erasure: A data subject has the right to request that his or her personal information be deleted, unless exceptions apply;
  • Right to be informed: A data subject has the right to be informed of specific information relating to the collection and processing of personal data;
  • Right to object: A data subject has the right to object to the processing of his or her personal data, and to withdraw his or her consent to the processing at any time;
  • Right to access: A data subject has the right to access his or her personal data that has been collected and processed by the data controller; and
  • Right to data portability: A data subject has the right to receive his or her personal data in a structured, commonly used and machine-readable format, and to transmit such data to third parties.

In addition, in order to collect a data subject’s personal data, the data controller must provide the data subject with information relating to the processing of his or her personal data, such as details of:

  • the personal data to be collected;
  • the purposes of collection; and
  • the fundamental rights of the data subject.

However, there are cases in which a data controller must disclose information relating to the processing of the data subject’s personal data without obtaining his or her consent, such as where the collection is to prevent or address damage to a patient’s life, body or health.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
7.2
How can data subjects seek to exercise their rights in your jurisdiction?
Thailand

Answer ... Aside from the right to be informed, which must be observed prior to obtaining a data subject’s consent, a data subject can exercise his or her rights by submitting a request to the data controller or data processor. Further guidance on the submission of this request will be published by the Personal Data Protection Committee.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
7.3
What remedies are available to data subjects in case of breach of their rights?
Thailand

Answer ... Data subjects have the right to claim for compensation due to the data controller’s failure (either intentional or negligent) to comply with the PDPA. Under the PDPA, data subjects can lodge a complaint relating to personal data protection to the expert committee(s) to be organised as required under the PDPA.

However, under the PDPA, a data controller is not subject to an obligation to provide compensation where it can be proven that:

  • damages were caused by force majeure or by an action of the data subject himself or herself; or
  • the actions of the data controller were performed based on legitimate grounds.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
8.
Compliance
8.1
Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
Thailand

Answer ... Yes, the appointment of a data protection officer (DPO) is mandatory in Thailand. Under the Personal Data Protection Act (PDPA), data controllers and data processors, including their representatives, must appoint a DPO. A DPO must be appointed in the following general circumstances:

  • The processing is carried out by a public authority or body;
  • The activities of the data controller or data processor relate to the collection, use or disclosure of data and require regular monitoring of personal data or the data system on a large scale; or
  • The core activities of the data controller or data processor relate to the collection, use or disclosure of certain categories of data (eg, sensitive data, trade union information, personally identifiable information or any data which may affect the data subject in the same manner, as prescribed by the Personal Data Protection Committee (PDPC)).

Where a data controller and a data processor are members of the same business, a single DPO can be appointed, provided that the DPO is easily accessible by both the data controller and the data processor. The appointment of a single DPO is also permitted for public authorities or bodies (which are data controllers or data processors) that have a large organisational structure or several establishments.

Where a data controller and/or data processor fails to appoint a DPO, it will be liable to an administrative fine of up to THB 1 million.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
8.2
What qualifications or other criteria must the data protection officer meet?
Thailand

Answer ... The appointment of a DPO must be considered based on the candidate’s expert knowledge and expertise in personal data protection, which will be further specified by the PDPC.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
8.3
What are the key responsibilities of the data protection officer?
Thailand

Answer ... The key responsibilities of a DPO are to:

  • inform and advise the data controller or data processor and its employees on its obligations under the PDPA;
  • monitor the performance and processing operations of the data controller or data processor, including its employees and service providers; and
  • act as a contact point for the data controller or data processor.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
8.4
Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
Thailand

Answer ... Yes, in Thailand, the role of DPO can be outsourced; however, the PDPA does not set out specific provisions in this regard. As mentioned in question 8.2, the PDPC will further specify related requirements, restrictions and best practices.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
8.5
What record-keeping and documentation requirements apply in the data privacy context?
Thailand

Answer ... Data controllers and data processors must maintain a record of their personal data processing activities (both in writing and in electronic form). The PDPA prescribes the specific information that a data controller must record with regard to the verification of data subjects and the competent authority, which includes:

  • the details of the data controller;
  • the purposes of the processing;
  • the details of the collected personal data;
  • the rights to access and means of accessing the personal data, including the conditions of access and the persons who are authorised to access such data;
  • the retention period of the personal data; and
  • a general description of applicable security measures.

If the data controller is a foreign entity, it must designate a local representative in Thailand. The local representative of the data controller must perform activities on behalf of the data controller, including recording its processing activities in the same manner as the data controller.

However, the requirements relating to data processing records will not apply to a small organisation, unless the processing:

  • is likely to present a risk to the rights and freedoms of a data subject;
  • is not occasional; or
  • includes special categories of sensitive data.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
8.6
What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
Thailand

Answer ... The PDPA does not provide a list of processing information that a data processor must record. However, according to the PDPA, a notification on data processing records will be published by the relevant authority in the future.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
9.
Data security and data breaches
9.1
What obligations apply to data controllers and processors to preserve the security of personal data?
Thailand

Answer ... The Personal Data Protection Act (PDPA) states that a data controller and data processor must provide appropriate security measures in order to prevent the unauthorised loss, access, change of use, revision or disclosure of personal data. Currently, the PDPA does not provide a list of appropriate technical and organisational measures. However, the PDPA will provide a list of security measures for personal data protection in a supplemental regulation of the Personal Data Protection Committee (PDPC).

For more information about this answer please contact: John Formichella from Formichella & Sritawat
9.2
Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Thailand

Answer ... Yes, in the case of a personal data breach, the data controller must notify the regulator (ie, the PDPC) of the breach, except where the breach is unlikely to result in a risk to the data subject’s rights and freedoms. In addition, the data controller must notify the personal data breach to the PDPC without undue delay and, where feasible, within 72 hours of becoming aware of it.

The PDPA does not currently set out requirements for the notification of personal data breaches to the PDPC. However, such requirements will be prescribed in the future in a supplemental regulation of the PDPC.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
9.3
Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Thailand

Answer ... Yes, if a personal data breach is likely to present a high risk to a data subject’s rights and freedoms, the data controller must notify the breach to the data subject. Currently, the PDPA sets out no exemptions from this requirement. However, specific exemptions will be prescribed in a future supplemental regulation of the PDPC.

In addition, the PDPA sets out no requirements to notify a data subject of a personal data breach. However, requirements will be prescribed in a future supplemental regulation of the PDPC.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
9.4
What other requirements, restrictions and best practices should be considered in the event of a data breach?
Thailand

Answer ... Other requirements, restrictions and best practices will be further specified in a future supplemental regulation of the PDPC.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
10.
Employment issues
10.1
What requirements and restrictions apply to the personal data of employees in your jurisdiction?
Thailand

Answer ... The Labour Protection Act and the Social Security Act oblige employers to collect and retain a record of employees’ personal information (eg, name, age, salary, identification card number). The Personal Data Protection Act (PDPA) also requires employers, as data controllers, to provide employees, as data subjects, with information relating to the processing of their personal data prior to or during the collection of such data, such as:

  • the retention period;
  • their rights as data subjects;
  • the employer’s contact information;
  • the possible consequences of failure to provide their personal data; and
  • any third parties to which their personal data will be disclosed.

To reiterate, however, as yet there are no specific guidelines on these obligations.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
10.2
Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
Thailand

Answer ... There are no specific laws and regulations that allow for the surveillance of employees in Thailand.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
10.3
What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context
Thailand

Answer ... The PDPA is not yet fully in force; it will take full effect on 1 June 2021. In the meantime, employers, as data controllers, should make preparations to ensure compliance with the PDPA (eg, appointing a data protection officer; installing data retention technology).

For more information about this answer please contact: John Formichella from Formichella & Sritawat
11.
Online issues
11.1
What requirements and restrictions apply to the use of cookies in your jurisdiction?
Thailand

Answer ... There are no specific requirements or restrictions that apply to the use of cookies in Thailand. However, the provider of any website will be regarded as a data controller according to the Personal Data Protection Act (PDPA) and must thus comply with the provisions prescribed in the PDPA.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
11.2
What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
Thailand

Answer ... There are no specific requirements and restrictions that apply to cloud computing services in Thailand. However, a cloud computing service provider will be regarded as a data controller according to the PDPA, and must thus comply with the provisions prescribed in the PDPA.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
11.3
What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
Thailand

Answer ... The PDPA is not yet fully in force and supplemental regulations have not yet been issued by the Personal Data Protection Committee. As such, there are no other requirements, restrictions or best practices to consider at present.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
12.
Disputes
12.1
In which forums are data privacy disputes typically heard in your jurisdiction?
Thailand

Answer ... No data privacy disputes have been brought as yet under the Personal Data Protection Act (PDPA), as the act is not yet fully in force. Normally, the courts will consider disputes involving violations of data privacy according to the Civil and Commercial Code. We assume that once the PDPA has taken full effect, the Thai courts will adopt the PDPA principles accordingly.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
12.2
What issues do such disputes typically involve? How are they typically resolved?
Thailand

Answer ... As mentioned in question 12.1, the Civil and Commercial Code will apply to disputes that involve personal privacy, including data privacy violations. However, under the code, the data subject must have suffered damage as a result of the violation; otherwise, he or she may be unable to bring a case in court, as the dispute in practice is a tort-based dispute. If there are provable damages, the court may order the violator to pay damages to the data subject according to the code.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
12.3
Have there been any recent cases of note?
Thailand

Answer ... Although the PDPA is not yet fully in force, some cases relating to the violation of personal privacy have nonetheless been heard. For example, in Supreme Court Decision 4893/2558, the court found that the two defendants had violated the plaintiff’s personal privacy and ordered them to pay damages to the plaintiff for this violation.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
13.
Trends and predictions
13.1
How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
Thailand

Answer ... The Personal Data Protection Act (PDPA) is not yet fully in force and supplemental regulations have not yet been issued by the Personal Data Protection Committee (PDPC). Once the PDPC has issued such regulations, data controllers should have clear rules and procedures to comply with the PDPA.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
14.
Tips and traps
14.1
What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
Thailand

Answer ... Please note that the Personal Data Protection Act (PDPA) was due to be fully enforced on 27 May 2020, however, based on the Royal Decree on Organizations and Businesses of which Personal Data Controllers are Exempt from Complying with the Personal Data Protection Act (Royal Decree), the enforcement date has been postponed to 1 June 2021. The Royal Decree lists various types of business which are qualified for the extension of the enforcement including businesses in communication, telecommunication, digital, science, technology, banking, education, industrial and commercial industries, among others.

As the PDPA is not yet fully in force, companies should be making preparations to comply with their duties as data controllers under the act. First, a company should determine whether the PDPA applies to its organisation and activities. If so, it should map data flows within its organisation (ie, what data it collects and how this data is used), and prepare a privacy notice to inform data subjects of the personal data collected. This should be done before the PDPA takes full effect on 1 June 2021.

Regarding the future collection, disclosure and use of personal data, companies should identify the legal basis for such collection, use or disclosure in order to determine whether consent from data subjects is required. A data controller will need to present a privacy notice to, and request consent (if required) from, the data subject from which personal data will be obtained.

For more information about this answer please contact: John Formichella from Formichella & Sritawat
Contributors
Topic
Data Privacy