The Personal Data Protection Act BE 2562 (PDPA), published in the Government Gazette on May 27, 2019, was originally scheduled to become fully effective on 27 May 2020. The COVID-19 pandemic was cited as a major obstacle for all affected sectors and, as a result, the Government deferred the full enforcement of the PDPA to May 27, 2021. On May 5, 2021 the Thai Cabinet, also citing the pandemic, has further postponed the enforcement of the PDPA to one year, i.e. June 1st 2022. Since the new legislation will bring significant changes to the current data protection regulatory environment and challenges for organizations doing business in Thailand, this further extension alleviates the impact of the law on stakeholders by giving them additional time to best prepare for June 1st 2022. In this article we highlight key aspects of the law and action points.
DC: Data Controller
DPO: Data Protection Officer
PDPA: Personal Data Protection Act
PDPC: Personal Data Protection Committee
Grandfather provision (Section 95 of the PDPA)
The PPDA allows the DC to continue to keep and use personal data which was collected before the PDPA becomes effective provided the collection or use is within the scope of the original purpose.
The DC must however prepare and publicize a method for the DS to easily withdraw his or her consent through an opt-out procedure.
Cross border transfer of personal data (Sections 16.5, 28, 29 of the PDPA)
The recipient country (e.g. Germany) of personal data collected in Thailand must have an “adequate personal data protection standards” and the migration of data must comply with the rules of the protection prescribed by the PDPC. As of today these rules have not yet been enacted. However, there is one exemption when there is a personal data protection policy with overseas to the DC’s affiliates (i.e. corporate rules), such policy shall simply be reviewed and certified by the PDPC.
Appointment of a DPO (Section 26 of the PDPA)
A DPO shall be appointed if the activities of the DC or DP require regular monitoring due to the large scale and/or sensitivity of personal data. The scale shall be determined by the PDPC. The DPO’s activities shall be filed to the PDPC. The DPO should be able to communicate in Thai.
Key actions & time frame
Key actions to ensure compliance with the PDPA are summarized below: