Jurisdiction snapshot

Trends and climate Would you consider your national data protection laws to be ahead of or behind the international curve? While Thailand has no comprehensive data protection law, various other legislation imposes requirements on parties operating within the telecommunications, banking and finance, insurance, securities, healthcare, consumer credit and electronic payment services sectors and on government agencies. Although each law treats personal data protection differently, such sectors are generally regulated in a manner aligning with the international curve.

Are any changes to existing data protection legislation proposed or expected in the near future? The draft Personal Data Protection Bill has been pending for some years and has gone through numerous drafts. It remains pending, but may be enacted at any time.

Legal framework

Legislation What legislation governs the collection, storage and use of personal data? Specific statutes and regulations apply to the collection, storage and use of personal data by parties in the telecommunications, banking and finance, insurance, securities, healthcare, consumer credit and electronic payment services sectors and government agencies. These include:

  • the Financial Institutions Business Act BE 2551 (as amended) as it applies to financial institutions;
  • the Credit Information Business Act BE 2545 (as amended) as it applies to credit bureaus;
  • the Telecommunications Business Act BE 2544 (as amended) as it applies to telecommunications businesses; and
  • the Official Information Act BE 2540 as it applies to the public sector.

Some laws also apply to certain professionals – including assistants and trainees – such as:

  • medical practitioners;
  • pharmacists;
  • midwives;
  • nursing attendants;
  • priests;
  • advocates;
  • lawyers and auditors; and
  • government officials.

Information on children and their parents or guardians is subject to special protection under the Child Protection Act BE 2546.

People who suffer damages due to the unauthorised disclosure of their personal data by any party may claim against the responsible party in tort (under the Civil and Commercial Code). Criminal charges may also be possible (under the Penal Code), depending on the circumstances (eg, criminal defamation).

Scope and jurisdiction Who falls within the scope of the legislation? While no law imposes privacy obligations on private sector companies operating outside the specially regulated sectors, parties operating within such sectors and government agencies are governed by specific laws and regulatory notifications. For example, pursuant to the Securities and Exchange Act, licensees must address – as part of the application process – how they will protect personal data. The licensee bears this obligation as once approved it effectively becomes a licence condition. Another example is the National Healthcare Act, which provides that all persons are subject to the restricted disclosure obligations.

What kind of data falls within the scope of the legislation? No law specifies which types of data held by private sector companies operating outside the specially regulated sectors are protected. Some regulatory notifications specify particular types of protected data held by parties operating within the specially regulated sectors and government agencies. For example, the Telecommunications Business Act protects the personal information of telecommunications subscribers (as specified therein) and the Credit Information Business Act protects credit information (as specified therein).

Are data owners required to register with the relevant authority before processing data? There is no central data protection authority with which data owners must register before processing data.

Is information regarding registered data owners publicly available? No such public register is maintained.

Is there a requirement to appoint a data protection officer? Some regulations may recommend that parties operating within the specially regulated sectors and government agencies allocate data protection responsibilities to a particular person or persons. Similarly, this could be imposed as part of individual licence conditions. However, this is not currently required under general law.

Enforcement Which body is responsible for enforcing data protection legislation and what are its powers? While there is no specific privacy regulator for private sector companies operating outside the specially regulated sectors, some sectors and government agencies have regulators that govern privacy matters. For example, the Securities and Exchange Commission deals with non-compliance with licence conditions that concern privacy. Another example is the Credit Information Protection Committee, which deals with non-compliance with privacy obligations under the Credit Information Business Act.

Collection and storage of data

Collection and management In what circumstances can personal data be collected, stored and processed? Parties operating within the telecommunications, banking and finance, insurance, securities, healthcare, consumer credit and electronic payment services sectors and government agencies are governed by specific regulations. For example, the Credit Information Business Act specifically covers the collection and processing of credit information. Similarly, pursuant to regulations issued under the Telecommunications Business Act, the use and disclosure of personal information is restricted to those purposes set out in the regulatory notification.

There are no specific regulations governing the collection, storage and processing of personal data by private sector companies operating outside the specially regulated sectors.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records? No specific regulations govern the retention of personal data by private sector companies operating outside the specially regulated sectors. Some laws and regulatory notifications regarding the retention of personal data apply to parties operating within the specially regulated sectors and government agencies. For example, the Computer Crimes Act imposes requirements on ‘service providers’ (as defined therein) in relation to retaining the personal data of service users. The Telecommunications Business Act imposes similar obligations on telecommunications licensees.

Do individuals have a right to access personal information about them that is held by an organisation? Data subjects have no specific right to access their personal data that is held by private sector companies operating outside the specially regulated sectors. Some laws and regulatory notifications set out data subjects’ rights to access and correct their personal data that is held by parties operating within the specially regulated sectors and government agencies. Examples include the Credit Information Business Act and regulations issued under the Telecommunications Business Act – each of which contain provisions for an access and correction mechanism.

Do individuals have a right to request deletion of their data? Data subjects have no specific right to request that private sector companies operating outside the specially regulated sectors delete their personal data. Some laws and regulatory notifications could provide such a right in respect of parties operating within the specially regulated sectors and government agencies, but this would typically be phrased as a right to request correction of the personal data. As noted above, examples include the Credit Information Business Act and regulations issued under the Telecommunications Business Act, each of which contains provisions for an access and correction mechanism.

Consent obligations Is consent required before processing personal data? There is no explicit requirement for private sector companies operating outside the specially regulated sectors to obtain consent before processing personal data. Some laws and regulatory notifications require parties operating within the specially regulated sectors and government agencies to obtain consent. Even when not explicitly required, it is advisable to obtain consent.

If consent is not provided, are there other circumstances in which data processing is permitted? There are no prescribed circumstances in which private sector companies operating outside the specially regulated sectors can process personal data without consent. Some laws and regulations set out such circumstances for parties operating within the specially regulated sectors and government agencies. For example, specified processing is permitted by telecommunications licensees (under the Telecommunications Business Act) and credit bureaus (under the Credit Information Business Act).

What information must be provided to individuals when personal data is collected? No law prescribes what information private sector companies operating outside the specially regulated sectors must provide to individuals when collecting their personal data. Some laws and regulatory notifications set out such requirements for parties operating within the specially regulated sectors and government agencies (eg, the Telecommunications Business Act).

Data security and breach notification

Security obligations Are there specific security obligations that must be complied with? Sector-specific laws and regulatory notifications govern the security of personal data held by parties operating within the telecommunications, banking and finance, insurance, securities, healthcare, consumer credit and electronic payment services sectors and government agencies. For example, regulations issued under the Computer Crimes Act impose requirements on service providers (as defined therein) in relation to retaining service users’ personal data, setting out the specific types of personal data that must be retained and how it should be stored. Another example is regulations issued under the Royal Decree on Electronic Payments. As part of the licensing process, an applicant for an electronic payment licence must explain how it will protect service users’ information, including how such information will be stored. Once approved, this effectively becomes a licence condition.

There are no specific regulations governing the protection of personal data held by private sector companies operating outside the specially regulated sectors. 

Breach notification Are data owners/processors required to notify individuals in the event of a breach? No law requires private sector companies operating outside the specially regulated sectors to notify individuals in respect of data security breaches. Nevertheless, it would be advisable to do so if a breach occurs and losses or damages to the data subject can be mitigated by making such notification. Such a requirement may apply to parties operating within the specially regulated sectors and government agencies, depending on the sector and the applicable provisions. For example, as part of the licence application process under the Securities and Exchange Act, applicants must address how they will protect clients’ information, which could include notifying affected clients when a breach occurs. Once the licence application has been approved, it effectively becomes a licence condition. Similar obligations exist for electronic payment licensees under the Royal Decree on Electronic Payments.

Are data owners/processors required to notify the regulator in the event of a breach? There is no central data protection regulator that must be notified in the event of a breach. However, parties operating within the specially regulated sectors and government agencies may have to (or it may be appropriate to) notify a regulatory body in that sector – such as the Bank of Thailand (in the case of a financial institution) or the Securities and Exchange Commission (in the case of a securities company).

Electronic marketing and internet use

Electronic marketing Are there rules specifically governing unsolicited electronic marketing (spam)? No general law prohibits the sending of spam or requires the recipients’ consent before doing so. However, a number of other laws should be considered, including the Computer Crimes Act and the Telecommunications Business Act. For example, the messages must not interfere with the normal operation of the recipient’s computer equipment (which could include a phone) or constitute illegal eavesdropping. Further, the content must be legal (eg, it should not be obscene or constitute criminal defamation or lèse-majesté). The messages also should not be restricted or prohibited under other laws – for example, an illegal offer of securities or insurance will incur additional penalties.

Cookies Are there rules governing the use of cookies? While no general law prohibits cookies or requires parties to obtain consent before their use, the use of cookies must not breach the Computer Crimes Act or the Telecommunications Business Act. For example, they must not interfere with the normal operation of the recipient’s computer equipment or constitute illegal eavesdropping.

Data transfer and third parties

Cross-border data transfer What rules govern the transfer of data outside your jurisdiction? Some rules may govern the transfer of personal data held by parties operating within the telecommunications, banking and finance, insurance, securities, healthcare, consumer credit and electronic payment services sectors and government agencies. For example, the Credit Information Business Act restricts the transfer of information abroad, and regulations issued under the Telecommunications Business Act specify that further regulatory notifications may be issued to restrict the transfer of information abroad.

No law prohibits or restricts private sector companies operating outside the specially regulated sectors from transferring personal data to another country. In addition, there is no government authority from which approval for such transfers should be sought. 

Are there restrictions on the geographic transfer of data? See above.

Third parties Do any specific requirements apply to data owners where personal data is transferred to a third party for processing? No law sets out requirements for the transfer of personal data to a third party for processing by private sector companies operating outside the specially regulated sectors. Such requirements may exist for parties operating within the specially regulated sectors and government agencies, depending on the sector and the applicable provisions. For example, financial institutions must observe the Bank of Thailand regulations on outsourcing, which address – among other things – data protection matters.

Penalties and compensation

Penalties What are the potential penalties for non-compliance with data protection provisions? Individuals who suffer damage due to the unauthorised disclosure of their personal data may claim against the responsible party in tort. Criminal charges may also be possible, depending on the circumstances (eg, criminal defamation). The Child Protection Act sets out penalties (ie, fines and prison sentences) in relation to the exploitation of information concerning children and their parents or guardians. Laws and regulations applicable to parties operating within the telecommunications, banking and finance, insurance, securities, healthcare, consumer credit and electronic payment services sectors and government agencies set out other specific penalties for breaches, which may include fines, imprisonment and administrative action (eg, loss of licence).

Compensation Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner? See above.

Cybersecurity

Cybersecurity legislation, regulation and enforcement Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity? The Computer Crimes Act is the primary law addressing cybercrime. The Telecommunications Business Act also contains relevant provisions.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)? Laws and regulations may impose additional requirements on parties operating within the telecommunications, banking and finance, insurance, securities, healthcare, consumer credit and electronic payment services sectors and government agencies. Examples include general requirements for financial institutions and securities companies to implement appropriate security measures. Additional obligations apply to parties that handle classified information (eg, government contractors).

Which cyber activities are criminalised in your jurisdiction? The Telecommunications Business Act prohibits the illegal interception, utilisation or disclosure of messages, information and any other data by means of telecommunications. The Computer Crimes Act also prohibits several activities, including:

  • the illegal accessing of a computer system that is not intended for use by the person accessing it and for which specific access prevention measures are in place;
  • the illegal disclosure of information about computer system prevention measures in a manner that is likely to cause damage to the system owner;
  • the illegal accessing of computer data that is not intended for use by the person accessing it and for which there is a specific access prevention measure;
  • the illegal interception of information or eavesdropping;
  • the illegal suspension, delay, hindering or disruption of a computer system to the extent that it fails to operate normally; and
  • the sale or distribution of computer programs designed to do any of the above.

The Computer Crimes Act specifies numerous additional offences.

Certain cyber activities may also breach laws and regulations specific to the specially regulated sectors.

Which authorities are responsible for enforcing cybersecurity rules? The Ministry of Information and Communication Technology and the Royal Thai Police enforce the Computer Crimes Act. The National Broadcasting and Telecommunications Commission and the Royal Thai Police enforce the Telecommunications Business Act. For parties operating within the specially regulated sectors and government agencies, specific regulators may take enforcement action. In any case, where the state pursues criminal charges, prosecution would be by a public prosecutor.

Cybersecurity best practice and reporting Can companies obtain insurance for cybersecurity breaches and is it common to do so? Typical industrial all-risk policies exclude cybersecurity risks. While it is theoretically possible to procure insurance specific to cybersecurity breaches, this is relatively uncommon.

Are companies required to keep records of cybercrime threats, attacks and breaches? No general law contains such an explicit requirement.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities? No general law contains such an explicit requirement.

Are companies required to report cybercrime threats, attacks and breaches publicly? No general law contains such an explicit requirement.

Criminal sanctions and penalties What are the potential criminal sanctions for cybercrime? Cybercrime is punishable by fines and imprisonment. Where the offence is committed by a juristic person, its responsible directors or managers may also incur the same penalties.

What penalties may be imposed for failure to comply with cybersecurity regulations? Individuals who suffer damages due to the failure to meet appropriate cybersecurity standards may claim against the responsible party in tort. In addition, laws and regulations applicable to the specially regulated sectors and government agencies set out other specific penalties for breaches, which may include fines, imprisonment and administrative action (eg, loss of licence).