After publication in the Royal Thai Government Gazette on May 27, 2019, Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) came into effect on May 28, 2019. The PDPA is Thailand’s first comprehensive law governing data protection. The key operative provisions of the PDPA relating to the collection, use or disclosure of personal data will come into force on May 28, 2020. Some of the significant restrictions on the collection and use of personal data are the following:
- Data controllers must obtain consent from data subjects before they can process their data (subject to certain exceptions, such as where it is necessary in order to comply with a contract to which the data subject is a party)
- Additional protections apply to the collection of sensitive personal data
- Data subjects have the right of access, right to erasure, right to object, and the right to data portability to their personal data, among other rights
- The law has extraterritorial reach and applies to any data controller or data processor located outside of Thailand, where their processing activities relate to the offering of goods or services or the monitoring of behavior of data subjects in Thailand
- Transfer of the personal data of a Thailand data subject to another country may only take place where the other country has an adequate level of protection (subject to certain exceptions, such as where the data subject has consented to the transfer)
- Violation of the PDPA can result in civil and administrative penalties (e.g., fines of up to Baht 5,000,000 and punitive damages) and criminal penalties (e.g., imprisonment for up to one year)
No official English translation of the act is available at the current time. More updates will be made available when the text of the law is available for review.