1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

Data privacy in Thailand is governed by the Personal Data Protection Act BE 2562 (2019).

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

There are no special regimes that apply in specific sectors. The PDPA applies to the collection, use and disclosure of personal data by any organisation in Thailand.

Regarding specific data types, the PDPA sets out special conditions on sensitive personal data, which includes personal data relating to race; ethnic origin; political views; doctrinal, religious or philosophical beliefs; sexual behaviour; criminal record; health record; and biometric information. The processing of sensitive data is allowed only where:

  • the explicit consent of the data subject has been obtained;
  • the processing is performed for legitimate purposes (eg, to prevent harm to an individual's health or for social security purposes);
  • the processing is required to exercise a legal claim or defence; or
  • the data has already been disclosed to the public with the data subject's explicit consent.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

No bilateral or multilateral instruments relating to data privacy have effect in Thailand.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

The bodies responsible for enforcing the data privacy legislation in Thailand are the Ministry of Digital Economy and Society and the Personal Data Protection Committee. These government authorities mainly:

  • draft and enact specific regulations and/or notifications under the PDPA;
  • provide official interpretations; and
  • render orders in relation to the PDPA.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

Although regulations and notifications under the PDPA have not yet been issued and the PDPA is not yet fully in force in certain sectors (ie, the industrial and commercial industries), most companies have been preparing to comply with its requirements – for example, by drafting a privacy policy, appointing a data protection officer, preparing a request form for data subjects and so on. At present, the PDPA includes no provisions on industry standards or best practices; we would therefore advise that all legal provisions relating to the PDPA be strictly followed.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

The Personal Data Protection Act (PDPA) applies to the collection, use and disclosure of personal data by organisations (ie, data controllers and/or data processors) that are located in Thailand, regardless of whether such collection, use or disclosure of personal data takes place in Thailand.

Regarding extraterritorial scope, the PDPA also applies to data controllers and data processors that are located outside Thailand where:

  • the data that is collected, used or disclosed relates to data subjects who are located in Thailand;
  • their activities relate to the offer of goods or services to data subjects in Thailand, regardless of whether payment is required; or
  • the data subjects' behaviour is monitored in Thailand.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

The PDPA does not apply to public authorities that maintain state security, such as the financial security of the state or public safety, including in relation to the prevention of money laundering, forensic science or cybersecurity.

2.3 Does the data privacy regime have extra-territorial application?

Yes, please see question 2.1.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

(a) Data processing

There is no specific definition of ‘data processing’ set out in the Personal Data Protection Act (PDPA). However, it can be assumed that ‘data processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, and erasure or destruction.

(b) Data processor

The PDPA defines a ‘data processor’ as a natural or legal person that undertakes the collection, use or disclosure of personal data pursuant to orders given by or on behalf of a data controller, whereby such person is not the data controller.

(c) Data controller

The PDPA defines a ‘data controller’ as a natural or legal person who has the power and duties to make decisions regarding the collection, use or disclosure of personal data.

(d) Data subject

There is no specific definition of a ‘data subject’ set out in the PDPA. However, it can be assumed that a ‘data subject’ is any individual who owns personal information and can be identified, directly or indirectly:

  • via such personal information, such as a name, an ID number or location data; or
  • via factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity.

In other words, a ‘data subject’ is an end user whose personal data can be collected.

(e) Personal data

The PDPA defines ‘personal data’ as information that:

  • directly or indirectly relates to an individual;
  • stipulates specific requirements relating to certain types of data; and
  • applies to the collection, use or disclosure of personal data.

(f) Sensitive personal data

There is no specific definition of ‘sensitive data’ set out in the PDPA. However, it can be assumed that ‘sensitive data’ is any data relating to race; ethnic origin; political view; doctrinal, religious or philosophical beliefs; sexual behaviour; criminal record; health record; and biometric information.

(g) Consent

There is no specific definition of ‘consent’ set out in the PDPA. However, it can be assumed that ‘consent’ means permission from a data subject allowing a data controller to collect his or her personal data. In addition, under the PDPA, a data controller must obtain the explicit consent of the data subject, either in writing or in electronic form, in order to collect his or her personal data.

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

There are no other key terms which are relevant in the data privacy context in Thailand at this time.

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

Under the Personal Data Protection Act (PDPA) as currently in force, the registration of data controllers and processors is not required in Thailand. An individual or entity will automatically become a data controller when it collects the personal data of a data subject. In addition, the PDPA states that data controllers must not collect, use or disclose personal data unless one of the following applies:

  • The data subject has provided his or her prior consent;
  • The processing is necessary for the performance of a contract;
  • The processing is necessary for compliance with a law to which the data controller is subject;
  • The processing is necessary to address a danger to the data subject's life;
  • The processing is necessary for the performance of a task carried out in the public interest by the data controller to achieve a purpose relating to public interest research and statistics; or
  • The processing is necessary in the legitimate interests of the data controller, where such interests do not override those of the data subject.

4.2 What is the process for registration?

Please see question 4.1.

4.3 Is registered information publicly accessible?

Please see question 4.1.

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

The Personal Data Protection Act (PDPA) states that data controllers must not collect, use or disclose personal data unless one of the following applies:

  • The data subject has provided his or her prior consent;
  • The processing is necessary for the performance of a contract;
  • The processing is necessary to comply with a law to which the data controller is subject;
  • The processing is necessary to address a danger to the data subject's life;
  • The processing is necessary to perform a task carried out in the public interest by the data controller to achieve a purpose relating to public interest research and statistics; or
  • The processing is necessary in the legitimate interests of the data controller, where such interests do not override those of the data subject.

The PDPA recognises consent as a legal basis for the collection, use or disclosure of personal data, and includes specific information on how consent can be obtained and withdrawn.

In addition, the PDPA states that the collection of sensitive data is prohibited unless an exemption applies, such as where the data subject has provided explicit consent.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

Currently, specific regulations, announcements and notices in relation to the processing of personal data have not yet been enacted under the PDPA; therefore, the key principles that apply to processing data are the general provisions under the PDPA. A data controller and/or data processor must follow the provisions under the PDPA (eg, in relation to the collection, use and disclosure of personal data; the appointment of a data protection officer; data breach notifications).

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

As mentioned in question 1.5, the PDPA is not yet fully in force and the regulator has not yet issued any regulations or notices on its practical enforcement. It is thus not possible to advise on other requirements, restrictions and best practices in relation to the processing of personal data until such regulations and notices have been issued.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

Regarding data transfers inside Thailand, the Personal Data Protection Act (PDPA) states that a data controller must not collect, use or disclose data, including by transferring data to third parties, unless:

  • the data subject has provided his or her prior consent; or
  • there is a legal basis to allow the data controller to do so (eg, public interest, legitimate interest, addressing a danger to the data subject's life).

Cross-border data transfers are permitted only to destination countries or international organisations that afford an adequate level of protection as prescribed by the Personal Data Protection Committee (PDPC), unless such transfer fulfils one of the following legal criteria:

  • The consent of the data subject has been obtained;
  • The transfer is necessary to perform an obligation under a contract or is at the request of the data subject;
  • The transfer is performed for a significant public interest;
  • The transfer is performed pursuant to the law; or
  • The transfer is intended to prevent or address a danger to the life, body or health of the data subject or another person, and the data subject is incapable of giving his or her consent.

As yet, the existence of an adequate level of protection has not been established or prescribed by the PDPC. Once the existence of an adequate level of protection and a personal data protection policy have been established, a data controller or data processor will be permitted to transfer personal data abroad only where there are appropriate safeguards in place, with effective legal remedies that ensure the data subject's rights.

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

As mentioned in question 6.1, a cross-border transfer is permitted only to destination countries or international organisations that afford an adequate level of protection as prescribed by the PDPC, unless the transfer fulfils certain legal criteria.

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

Please see question 5.3.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

Under the Personal Data Protection Act (PDPA), the following rights are afforded to each data subject:

  • Right to erasure: A data subject has the right to request that his or her personal information be deleted, unless exceptions apply;
  • Right to be informed: A data subject has the right to be informed of specific information relating to the collection and processing of personal data;
  • Right to object: A data subject has the right to object to the processing of his or her personal data, and to withdraw his or her consent to the processing at any time;
  • Right to access: A data subject has the right to access his or her personal data that has been collected and processed by the data controller; and
  • Right to data portability: A data subject has the right to receive his or her personal data in a structured, commonly used and machine-readable format, and to transmit such data to third parties.

In addition, in order to collect a data subject's personal data, the data controller must provide the data subject with information relating to the processing of his or her personal data, such as details of:

  • the personal data to be collected;
  • the purposes of collection; and
  • the fundamental rights of the data subject.

However, there are cases in which a data controller must disclose information relating to the processing of the data subject's personal data without obtaining his or her consent, such as where the collection is to prevent or address damage to a patient's life, body or health.

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

Aside from the right to be informed, which must be observed prior to obtaining a data subject's consent, a data subject can exercise his or her rights by submitting a request to the data controller or data processor. Further guidance on the submission of this request will be published by the Personal Data Protection Committee.

7.3 What remedies are available to data subjects in case of breach of their rights?

Data subjects have the right to claim for compensation due to the data controller's failure (either intentional or negligent) to comply with the PDPA. Under the PDPA, data subjects can lodge a complaint relating to personal data protection to the expert committee(s) to be organised as required under the PDPA.

However, under the PDPA, a data controller is not subject to an obligation to provide compensation where it can be proven that:

  • damages were caused by force majeure or by an action of the data subject himself or herself; or
  • the actions of the data controller were performed based on legitimate grounds.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

Yes, the appointment of a data protection officer (DPO) is mandatory in Thailand. Under the Personal Data Protection Act (PDPA), data controllers and data processors, including their representatives, must appoint a DPO. A DPO must be appointed in the following general circumstances:

  • The processing is carried out by a public authority or body;
  • The activities of the data controller or data processor relate to the collection, use or disclosure of data and require regular monitoring of personal data or the data system on a large scale; or
  • The core activities of the data controller or data processor relate to the collection, use or disclosure of certain categories of data (eg, sensitive data, trade union information, personally identifiable information or any data which may affect the data subject in the same manner, as prescribed by the Personal Data Protection Committee (PDPC)).

Where a data controller and a data processor are members of the same business, a single DPO can be appointed, provided that the DPO is easily accessible by both the data controller and the data processor. The appointment of a single DPO is also permitted for public authorities or bodies (which are data controllers or data processors) that have a large organisational structure or several establishments.

Where a data controller and/or data processor fails to appoint a DPO, it will be liable to an administrative fine of up to THB 1 million.

8.2 What qualifications or other criteria must the data protection officer meet?

The appointment of a DPO must be considered based on the candidate's expert knowledge and expertise in personal data protection, which will be further specified by the PDPC.

8.3 What are the key responsibilities of the data protection officer?

The key responsibilities of a DPO are to:

  • inform and advise the data controller or data processor and its employees on its obligations under the PDPA;
  • monitor the performance and processing operations of the data controller or data processor, including its employees and service providers; and
  • act as a contact point for the data controller or data processor.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

Yes, in Thailand, the role of DPO can be outsourced; however, the PDPA does not set out specific provisions in this regard. As mentioned in question 8.2, the PDPC will further specify related requirements, restrictions and best practices.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

Data controllers and data processors must maintain a record of their personal data processing activities (both in writing and in electronic form). The PDPA prescribes the specific information that a data controller must record with regard to the verification of data subjects and the competent authority, which includes:

  • the details of the data controller;
  • the purposes of the processing;
  • the details of the collected personal data;
  • the rights to access and means of accessing the personal data, including the conditions of access and the persons who are authorised to access such data;
  • the retention period of the personal data; and
  • a general description of applicable security measures.

If the data controller is a foreign entity, it must designate a local representative in Thailand. The local representative of the data controller must perform activities on behalf of the data controller, including recording its processing activities in the same manner as the data controller.

However, the requirements relating to data processing records will not apply to a small organisation, unless the processing:

  • is likely to present a risk to the rights and freedoms of a data subject;
  • is not occasional; or
  • includes special categories of sensitive data.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

The PDPA does not provide a list of processing information that a data processor must record. However, according to the PDPA, a notification on data processing records will be published by the relevant authority in the future.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

The Personal Data Protection Act (PDPA) states that a data controller and data processor must provide appropriate security measures in order to prevent the unauthorised loss, access, change of use, revision or disclosure of personal data. Currently, the PDPA does not provide a list of appropriate technical and organisational measures. However, the PDPA will provide a list of security measures for personal data protection in a supplemental regulation of the Personal Data Protection Committee (PDPC).

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

Yes, in the case of a personal data breach, the data controller must notify the regulator (ie, the PDPC) of the breach, except where the breach is unlikely to result in a risk to the data subject's rights and freedoms. In addition, the data controller must notify the personal data breach to the PDPC without undue delay and, where feasible, within 72 hours of becoming aware of it.

The PDPA does not currently set out requirements for the notification of personal data breaches to the PDPC. However, such requirements will be prescribed in the future in a supplemental regulation of the PDPC.

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

Yes, if a personal data breach is likely to present a high risk to a data subject's rights and freedoms, the data controller must notify the breach to the data subject. Currently, the PDPA sets out no exemptions from this requirement. However, specific exemptions will be prescribed in a future supplemental regulation of the PDPC.

In addition, the PDPA sets out no requirements to notify a data subject of a personal data breach. However, requirements will be prescribed in a future supplemental regulation of the PDPC.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

Other requirements, restrictions and best practices will be further specified in a future supplemental regulation of the PDPC.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

The Labour Protection Act and the Social Security Act oblige employers to collect and retain a record of employees' personal information (eg, name, age, salary, identification card number). The Personal Data Protection Act (PDPA) also requires employers, as data controllers, to provide employees, as data subjects, with information relating to the processing of their personal data prior to or during the collection of such data, such as:

  • the retention period;
  • their rights as data subjects;
  • the employer's contact information;
  • the possible consequences of failure to provide their personal data; and
  • any third parties to which their personal data will be disclosed.

To reiterate, however, as yet there are no specific guidelines on these obligations.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

There are no specific laws and regulations that allow for the surveillance of employees in Thailand.

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?

The PDPA is not yet fully in force; it will take full effect on 1 June 2021. In the meantime, employers, as data controllers, should make preparations to ensure compliance with the PDPA (eg, appointing a data protection officer; installing data retention technology).

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

There are no specific requirements or restrictions that apply to the use of cookies in Thailand. However, the provider of any website will be regarded as a data controller according to the Personal Data Protection Act (PDPA) and must thus comply with the provisions prescribed in the PDPA.

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

There are no specific requirements and restrictions that apply to cloud computing services in Thailand. However, a cloud computing service provider will be regarded as a data controller according to the PDPA, and must thus comply with the provisions prescribed in the PDPA.

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

The PDPA is not yet fully in force and supplemental regulations have not yet been issued by the Personal Data Protection Committee. As such, there are no other requirements, restrictions or best practices to consider at present.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

No data privacy disputes have been brought as yet under the Personal Data Protection Act (PDPA), as the act is not yet fully in force. Normally, the courts will consider disputes involving violations of data privacy according to the Civil and Commercial Code. We assume that once the PDPA has taken full effect, the Thai courts will adopt the PDPA principles accordingly.

12.2 What issues do such disputes typically involve? How are they typically resolved?

As mentioned in question 12.1, the Civil and Commercial Code will apply to disputes that involve personal privacy, including data privacy violations. However, under the code, the data subject must have suffered damage as a result of the violation; otherwise, he or she may be unable to bring a case in court, as the dispute in practice is a tort-based dispute. If there are provable damages, the court may order the violator to pay damages to the data subject according to the code.

12.3 Have there been any recent cases of note?

Although the PDPA is not yet fully in force, some cases relating to the violation of personal privacy have nonetheless been heard. For example, in Supreme Court Decision 4893/2558, the court found that the two defendants had violated the plaintiff's personal privacy and ordered them to pay damages to the plaintiff for this violation.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The Personal Data Protection Act (PDPA) is not yet fully in force and supplemental regulations have not yet been issued by the Personal Data Protection Committee (PDPC). Once the PDPC has issued such regulations, data controllers should have clear rules and procedures to comply with the PDPA.

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

Please note that the Personal Data Protection Act (PDPA) was due to be fully enforced on 27 May 2020; however, based on the Royal Decree on Organizations and Businesses of which Personal Data Controllers are Exempt from Complying with the Personal Data Protection Act (Royal Decree), the enforcement date has been postponed to 1 June 2021. The Royal Decree lists various types of business that qualify for the extension of the enforcement date, including businesses in the communication, telecommunication, digital, science, technology, banking, education, industrial and commercial industries, among others.

As the PDPA is not yet fully in force, companies should be making preparations to comply with their duties as data controllers under the act. First, a company should determine whether the PDPA applies to its organisation and activities. If so, it should map data flows within its organisation (ie, what data it collects and how this data is used), and prepare a privacy notice to inform data subjects of the personal data collected. This should be done before the PDPA takes full effect on 1 June 2021.

Regarding the future collection, disclosure and use of personal data, companies should identify the legal basis for such collection, use or disclosure in order to determine whether consent from data subjects is required. A data controller will need to present a privacy notice to, and request consent (if required) from, the data subject from which personal data will be obtained.
