Personal Data Protection Act B.E. 2562 (Thailand)
Thailand's PDPA is a GDPR-style data protection law effective June 2022, requiring lawful bases, valid consent, breach notification, and DPOs. It has extraterritorial reach and provides administrative, civil, and criminal penalties.
Thailand's Personal Data Protection Act B.E. 2562 (2019), known as the PDPA, is the country's first comprehensive data protection law. It was published in 2019 but its main operative provisions were postponed and finally took full effect on June 1, 2022. The law is closely modeled on the EU GDPR and establishes a Personal Data Protection Committee and an Office of the PDPC to supervise and enforce it.
The PDPA introduces a consent-centric framework with extraterritorial reach, similar to the GDPR. It applies to the processing of personal data by data controllers and data processors and grants individuals a set of enforceable rights.
Who It Applies To
The PDPA applies to data controllers and processors that collect, use, or disclose personal data in Thailand. It also applies to controllers and processors outside Thailand where the activities involve offering goods or services to data subjects in Thailand or monitoring their behavior that takes place in Thailand. It covers personal data of natural persons. Certain activities, such as personal or household use and some public functions, are exempt.
Key Requirements
Processing requires a lawful basis. Consent must be freely given, specific, informed, and presented clearly and separately from other matters; explicit consent is needed for sensitive data such as health, race, religion, and biometric data. Other bases include contract, legal obligation, vital interests, public task, and legitimate interests. Data subjects have rights to access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Controllers must provide privacy notices, maintain records of processing, implement appropriate security measures, and notify the Office of the PDPC of a data breach within 72 hours where feasible, and affected individuals where there is high risk. Many organizations must appoint a Data Protection Officer. Cross-border transfers require adequate protection or other safeguards.
Penalties for Non-Compliance
The PDPA provides for administrative fines of up to THB 5 million, civil liability including punitive damages of up to twice the actual damages, and criminal penalties including fines and imprisonment for certain violations involving sensitive data. Company directors can be held personally liable in some cases.
How to Comply
Identify a lawful basis for each processing activity and obtain valid consent where required, with explicit consent for sensitive data. Publish privacy notices and maintain records of processing. Build processes to handle data subject rights. Implement security measures and a 72-hour breach notification process. Appoint a Data Protection Officer where required. Review cross-border transfers and apply appropriate safeguards.