Thailand Finally Enacted Its Personal Data Protection Act

On 27 May 2019, the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) was finally published in the Government Gazette after it was presented to the King for His Royal Signature.  Therefore, the PDPA has been in effect since 28 May 2019 except for provisions under Chapters 2, 3, 5, 6 and 7, and Sections 95 and 96, which are the operative provisions.  These operative provisions will come into force after a grace period of one year from the publication date, i.e. 27 May 2020. This PDPA is Thailand’s very first consolidated law governing data protection in general.

The key provisions of the PDPA are as follows:

• The term “personal data” means any information or data of a person which can directly or indirectly identify a natural person, excluding information of a deceased person.
• Subject to some exceptions, the collection, usage or disclosure of personal data without consent from the data subject is prohibited.
• A data subject must be fully informed of the purpose of collection and/or usage of such data when consent is obtained.
• Consent must be clear and explicit, and must be acquired before or during the collection of personal data
• Legitimate grounds for which personal data can be collected, processed and used without the explicit consent from the data subject include, but are not limited to, the performance of contractual obligations, vital interests and public interests.
• The extraterritorial effect of the law has been adopted and adapted from the General Data Protection Regulation (EU) 2016/679 (“GDPR”). The PDPA is applicable not only to personal data collected, used or disclosed by a data controller or a data processor residing in Thailand, but also to a data controller or a data processor residing outside Thailand but collecting, using or disclosing personal data of a data subject in Thailand: (1) for offering goods or services to individuals in Thailand; or (2) where the behaviour of data subjects within Thailand is monitored.

For business operators, since the grace period for compliance with the operative provisions is only one year, business operators should be well prepared and raise awareness among their employees and staff. There are some recommendations: business operators should conduct a review and analysis of data they are currently possessing in order to understand such data, and then segregate personal data; identify levels of compliance with the PDPA; review privacy policies, agreements and any other rules and practices; arrange training for their employees and staff; assess risks of possible violation of the PDPA involved in each activity; put some measures in place to effectively detect, report and investigate a violation of the PDPA, as well as designate an in-house data protection team. These preparations, in some ways, can assure that personal data in their possession will be properly collected, maintained and processed.

However, the actual implementation of the PDPA is yet to occur. However, it will be accompanied by subordinate legislation and a procedural framework later this year.

Further developments will be monitored and updated.