The Personal Data Protection Act BE 2562 (PDPA), published in the Government Gazette on May 27, 2019, was originally scheduled to become fully effective on 27 May 2020. The COVID-19 pandemic was cited as a major obstacle for all affected sectors and, as a result, the Government deferred the full enforcement of the PDPA to May 27, 2021. On May 5, 2021 the Thai Cabinet, also citing the pandemic, has further postponed the enforcement of the PDPA to one year, i.e. June 1st 2022. Since the new legislation will bring significant changes to the current data protection regulatory environment and challenges for organizations doing business in Thailand, this further extension alleviates the impact of the law on stakeholders by giving them additional time to best prepare for June 1st 2022. In this article we highlight key aspects of the law and action points.
DC: Data Controller
DPO: Data Protection Officer
PDPA: Personal Data Protection Act
PDPC: Personal Data Protection Committee
Grandfather provision (Section 95 of the PDPA)
The PPDA allows the DC to continue to keep and use personal data which was collected before the PDPA becomes effective provided the collection or use is within the scope of the original purpose.
The DC must however prepare and publicize a method for the DS to easily withdraw his or her consent through an opt-out procedure.
- Whether your company has “opt out” procedure for past personal data collected. This should be in place before June 1st 2022.
Cross border transfer of personal data (Sections 16.5, 28, 29 of the PDPA)
The recipient country (e.g. Germany) of personal data collected in Thailand must have an “adequate personal data protection standards” and the migration of data must comply with the rules of the protection prescribed by the PDPC. As of today these rules have not yet been enacted. However, there is one exemption when there is a personal data protection policy with overseas to the DC’s affiliates (i.e. corporate rules), such policy shall simply be reviewed and certified by the PDPC.
- Whether your company has a global personal data protection policy covering the migration of personal data to your HQ office or other offices. If not, consider developing a policy to cover Thailand.
Appointment of a DPO (Section 26 of the PDPA)
A DPO shall be appointed if the activities of the DC or DP require regular monitoring due to the large scale and/or sensitivity of personal data. The scale shall be determined by the PDPC. The DPO’s activities shall be filed to the PDPC. The DPO should be able to communicate in Thai.
- Verify the size and nature of personal data in Thailand and whether this may require appointing a DPO. The law is still silent on the threshold of personal data in order to appoint a DPO. We shall await the PDPC to issue a notification on the threshold.
Key actions & time frame
Key actions to ensure compliance with the PDPA are summarized below: