DLA Piper Intelligence
Data Protection Laws of the World

Law

On 28 May 2019, the Personal Data Protection Act ("PDPA") became law in Thailand. The PDPA allows a one-year grace period before legal enforcement, giving organisations and business operators time to bring their practices into compliance with the PDPA and with any subordinate laws issued during that interval, and allowing time for the formation of the regulator and the issuance of subordinate regulations. The PDPA will come into full force on 27 May 2020.

Under the PDPA, individuals have the right to control how their personal data is collected, stored, disseminated and protected, in order to protect their privacy and manage the personal data that organisations and companies hold about them. Consent is one of the key features for data sharing, and people have the right to know which organisations hold their data and how it is used and shared.

Most provisions of the PDPA are similar in content to the EU General Data Protection Regulation (GDPR) regime, although Thailand has adapted several concepts to reflect its own national perspective.

Last modified 27 Jan 2020
Definitions

The PDPA introduces two key roles in the collection, processing and transfer of personal data. The Personal Data Controller ("Data Controller") has overall responsibility for determining and controlling the use of personal data. The Personal Data Processor ("Data Processor") is responsible for using, disclosing or processing the data on behalf of, or in accordance with, the instructions of a Data Controller.

Personal Data is defined as "any data pertaining to a person that enables the identification of that person, whether directly or indirectly, but specifically excluding data of the deceased".

Person is defined as a "natural person". This means that the PDPA only protects the data of natural persons.

Data Controller is defined as "a person or juristic person who determines the purposes for which and the manner in which any personal data are, or are to be, processed." Data Controllers have primary responsibility for ensuring that processing activities are compliant with the PDPA.

Data Processor is defined as "a person or an entity that collects, uses, or discloses personal data on behalf of, or in accordance with, the instructions of a Data Controller."

Last modified 27 Jan 2020
Authority

The Personal Data Committee ("Regulator") will be established to regulate compliance with the PDPA, under the supervision of the Minister of Digital Economy and Society. Data Controllers are required to cooperate with the Regulator.

Last modified 27 Jan 2020
Registration

The PDPA does not require data controllers or data processing activities to be registered with, or notified to, the relevant regulators. This may change when subordinate laws are enacted.

Last modified 27 Jan 2020
Data Protection Officers

Data Controllers and Data Processors must appoint a data protection officer (DPO) within their organisations in any of the following circumstances:

  • the Data Controller or the Data Processor is a public authority as prescribed and announced by the Committee;
  • the activities of the Data Controller or the Data Processor in the collection, use, or disclosure of the Personal Data require a regular monitoring of the Personal Data or the system, by the reason of having a large number of Personal Data as prescribed and announced by the Committee;
  • the core activity of the Data Controller or the Data Processor is the collection, use, or disclosure of the Sensitive Personal Data.
Last modified 27 Jan 2020
Collection & Processing

Collection, use or disclosure of Personal Data requires the consent of the data subject. Consent may be obtained through a data processing agreement or a privacy policy that requires written consent. The necessary compliance requirements are set out below.

The PDPA requires consent to be specifically given, either in writing or through electronic means. The request must be clearly separated from other messages. The message must be delivered in a format that is easily accessible and understandable, using language that is easy to understand. The message must not be misleading or cause data subjects to misunderstand the purpose of collecting the data.

Organisations are permitted to use personal data collected before the effective date of the PDPA for the purposes for which the data was collected. To do so, organisations, through their Data Controllers, must notify their data subjects of this intention and permit data subjects to opt out. This process is likely to be costly for large organisations that hold vast volumes of personal data, such as healthcare service providers, telecommunications services, financial institutions and government departments.

The Regulator can "require the Data Controllers to request consent from the data subject in accordance with the form and statement prescribed by the Committee". However, in practice, requiring compliance through a prescribed form may prove challenging, given that Data Controllers may develop their own mechanisms for gaining and assessing consent.

If a Data Controller uses or discloses personal data beyond the original purpose for which the data subject had given consent, further specific consent is required for each separate purpose.

Data subjects have the right to refuse to consent, and the right to withdraw any consent they have given, at any time. Following any such refusal or withdrawal of consent, Data Controllers should be wary of proceeding with the proposed data processing activity.

Sensitive Personal Data is described in the PDPA as information on a person's race, ethnicity, political opinion, religious or philosophical beliefs, sexuality, health, genetic data, criminal record, and physical or psychological condition. The PDPA requires Sensitive Personal Data to be handled carefully. We expect the Regulator to provide further guidance on this in due course.

Organisations are not required to obtain consent from data subjects in the following scenarios:

  • It is necessary in order to enter into or perform a contract with the data subject;
  • The Data Controller has a legal obligation to perform such data processing; or
  • It is necessary for the performance of tasks carried out by a public authority or private organisation acting in the public interest.

The Regulator is expected to provide guidance on the scope of the exemptions.

Last modified 27 Jan 2020
Transfer

Personal data may not be transferred outside of Thailand unless the recipient country has data protection standards commensurate with, or better than, those of the PDPA, except in cases where:

  • The data subject has given consent and proper notification has been given by the Data Controller;
  • The transfer is necessary for the performance of a contract between the Data Controller and data subject; or
  • The transfer is necessary in order to protect the vital interests of the data subject. It will be interesting to see guidance to be published by the Regulator on what constitutes "vital interests" of the data subject.

This will have an impact on multinational organisations that routinely transfer data across borders. However, given that many organisations in Europe will already comply with similar (and likely more stringent) data protection laws, the impact of the PDPA may be limited regarding cross-border transfer of data.

Last modified 27 Jan 2020
Security

Data Controllers are required to have appropriate security measures in place to protect stored Personal Data against loss, use, alteration, correction or disclosure by means of unlawful or unauthorised access. Such security measures must be subject to periodic review. The relevant authority will issue a subordinate law that prescribes the minimum standard for these security measures. As at the date of this advice, however, that standard has not yet been published.

Last modified 27 Jan 2020
Breach Notification

In the event of a data breach, Data Controllers must report the breach to the Regulator without undue delay, and in any event within 72 hours of becoming aware of it.

Last modified 27 Jan 2020
Enforcement

There is a one-year grace period before the PDPA is enforced. The Regulator will issue guidelines to assist Data Controllers with their compliance plans.

In the meantime, to ensure compliance with the data protection law, public organisations and business operators should begin preparing data protection and privacy policies and inform customers and the public accordingly.

In general, those subject to the PDPA should make known to the customers and other people whose data they hold how they manage and protect that personal data, and the channels through which data owners can access and manage their information.

The Regulator has authority to pursue data breaches against organisations or Data Controllers in the criminal courts.

The amount of a fine and imprisonment (if any) is dependent on the nature of the data breach. For example, a person found guilty of collecting and disclosing personal data for unlawful purposes may be liable to a fine not exceeding THB 1,000,000 or to imprisonment for a term not exceeding one year, or both.

The territorial scope of the PDPA is not limited only to organisations established or operating in Thailand.

The data protection obligations under the PDPA will generally apply to all organisations that collect, use or disclose personal data in Thailand. This is regardless of whether they are formed or recognised under Thai law, and whether they are resident or have an office or place of business in Thailand.

The extraterritorial scope of the PDPA represents a significant expansion of Thailand's data protection obligations to cover all processing activities relating to Thailand-based data subjects.

Last modified 27 Jan 2020
Electronic Marketing

The general rules of the PDPA apply to electronic marketing, as the PDPA does not specifically address it. Consumers are also generally protected under the relevant Thai consumer protection laws.

Last modified 27 Jan 2020
Online Privacy

The general rules of the PDPA apply to online privacy.

Last modified 27 Jan 2020
Peter Shelford
Country Managing Partner, Thailand
T +662 686 8533

Chadaporn Ruangtoowagoon
Senior Associate
T +662 686 8579

Robert Tang
Senior Consultant
T +662 686 8551
Last modified 27 Jan 2020