Following the enactment of Thailand's Personal Data Protection Act (PDPA) in May 2019, Tilleke & Gibbins' dedicated data protection team in Bangkok has been committed to monitoring, participating in, and providing updates on the development of the new law and supporting legislation.

Following the first public hearing on subordinate regulations, held by the Office of the Personal Data Protection Committee (PDPC) in February 2021, the firm's data protection team produced a video series called "Compliance Catalysts – PDPA Subordinate Regulations," in order to provide easily accessible, bite-sized information on the key elements of the PDPA, the practical impact of the proposed regulations, and the requirements for business operators.

The series is available in both English and Thai, and you can watch every episode below.

Ep. 1: Criteria and Procedures for Requesting Consent from Data Subjects

During this episode, Athistha (Nop) Chitranukroh and Nopparat Lalitkomon provide an overview of consent requirements under the PDPA, discuss binding and non-binding consent forms, and look at the PDPC's "negative list," which exhibits unacceptable or invalid methods for requesting consent (e.g., broad or catch all consent requests).

The English video is provided below. The Thai version can be accessed at this link.

Ep. 2: The Notification of the Purposes and Details of Personal Data Processing

In this episode, Nopparat Lalitkomon is joined by Auradee Wongsaroj to discuss notification requirements for data controllers. The video is divided into three sections:

Detailed information that data subjects need to be notified of prior to processing their data;

Change of purposes for data collection after a subject has already been notified; and

Notification requirement exemptions.

The English video is provided below. The Thai version can be accessed at this link.

Ep. 3: Appropriate Protective Measures for Personal Data Processing – Section 26

During this episode, Gvavalin Mahakunkitchareon and Nopparat Lalitkomon dive into the draft general regulations applicable to sensitive personal data (e.g., data related to biometrics, health, race, religion, etc.), as well as specific measures required for conducting criminal background checks or processing other data related to criminal records.

The English video is provided below. The Thai version can be accessed at this link.

Ep. 4: Criteria and Policies on Personal Data Sent or Transferred Overseas

In this episode, Athistha (Nop) Chitranukroh and Nopparat Lalitkomon provide an overview of the requirements for cross-border data transfers under the PDPA, including discussions on the definition of "sending" and "transferring" personal data under the law, the extraterritorial impact of the PDPA, and binding corporate rules (BCRs).

The English video is provided below. The Thai version can be accessed at this link.

