Following our previous alerts, the Personal Data Protection Act, B.E. 2562 (2019) ("PDPA") has been published in the Government Gazette on 27 May 2019.

With very few exceptions, companies and organizations collecting, using, disclosing, and/or transferring personal data will have preparation time for a period of one year to become fully compliant with key provisions on personal data protection before the penalties kick in. The sub-regulations should be completely issued within the next two years. Please see timeline in the diagram below.:

Seven key things to know

A summary of these key points is as follows:

Personal Data. The PDPA governs any data of an alive person that could identify that person directly or indirectly. For example, any personal data of an individual handled by the company, including customer data, employee data, data of directors, shareholders, contractors, suppliers, seminar and market survey participants, and data involving customer complaints and inquiries would be subject to the PDPA.

Players. The Personal Data Protection Committee will be established to set out further sub-regulations and protect the rights of the data subjects. Any entities collecting, using, disclosing and/or transferring personal data will be required to comply with the PDPA as a data controller and/or a data processor (which have different roles and obligations).

Applicability. The PDPA has extraterritorial applicability. Thus, data controllers and data processors both in and outside of Thailand could be subject to the PDPA.

Legal basis. In order to collect, use, disclose and/or transfer personal data, the data controller has to rely on legal basis, which could be consent or other exemptions (e.g., vital interest, public interest, legal obligations, and legitimate interest).

Personnel. The data controller and the data processor could be required to appoint a data protection officer and a representative in Thailand, which subject to future sub-regulations.

Rights of data subjects. The data controller has to guarantee the rights of the data subjects.

Penalties. The PDPA imposes penalties for non-compliance. It is punishable with administrative fines (up to 5,000,000 THB), criminal penalties (imprisonment up to 1 year and/or fines up to 1,000,000 THB), and punitive damages up to twice the amount of the actual damages. Furthermore, civil damages under the PDPA can be multiplied as Thailand now allows data subjects to bring a class action lawsuit. The director of a company could also be subject to penalties under the PDPA.

What to do next?

We urge all entities to immediately assess their internal personal data governance and start taking action for compliance. The road to full compliance with the PDPA could involve the engagement from all departments in an entity and appropriate "tone at the top" through senior management endorsement of the privacy governance framework.

Within a transitional period of one year, there are a number of steps to be taken, e.g. (1) conduct data mapping, (2) determine legal basis and applicable obligations, (3) revisit privacy notice and create relevant legal documents, (4) implement data management process and operation system, and (5) maintain compliance with the PDPA. The right approach for your company should be customized to fit the size and the business operation of each entity.

GDPR-compliant companies should also revisit compliance with PDPA as there are differences in the aspects of compliance.

We will continue to update you with a series of updates and recommendations from now until the effective date of the PDPA in 27 May 2020.