Partner John P. Formichella, Senior Associate Naytiwut Jamallsawat and Associate Artima Brikshasri have co-authored a guide on "Comparing Privacy Laws: GDPR v. Thai Personal Data Protection Act" in partnership with OneTrust DataGuidance, the world's most in-depth and up-to-date privacy and security research platform.

The guide highlights the similarities and differences between the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and the Personal Data Protection Act, B.E. 2562 (2019) ("PDPA"), Thailand's first consolidated data protection law. Both laws aim to protect individuals' personal data and impose obligations on businesses when collecting, using and disclosing personal data.

The PDPA is largely based on the GDPR, and as a result, there are many similarities between these two pieces of legislation. For example, both legislations have similar provisions on the legal basis of processing, as both list consent, performance of a contract, legal obligations, legitimate interests or vital interests as a legal basis. The PDPA also mirrors the GDPR's extraterritorial applicability and both texts empower data subjects with rights such as the right to erasure.

There are some key differences between the PDPA and GDPR, however, as the PDPA does not apply to certain public authorities. And although the PDPA states that a data subject has the right to anonymize their personal data, unlike the GDPR, it does not define anonymized or pseudonymized data.

If you would like to read the full guide, please visit the OneTrust DataGuidance website (no subscription required).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.