The Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) has been enforced since 2019 but the enforcement of key provisions, including those imposing duties on data controllers and data processors as well as punishments upon violators, are postponed and supposed to be fully implemented from 1 June 2021 (“Full Enforcement Date”) going forward.

Whilst there are doubts among the business operators that the Full Enforcement Date may be postponed again as Thai government is now in the process of forming the Personal Data Protection Committee (“PDPC”), the tentative Full Enforcement Date is confirmed to remain unchanged according to relevant officials. There are therefore possibilities that the PDPC may be formed and related sub-regulations and guidelines may be issued immediately prior to the Full Enforcement Date.

As we are all data controllers (and may also be data processors) under applicable data privacy laws, including the PDPA, it may be essential to look into ourselves now if we are subject to the PDPA and whether we are ready yet for this PDPA full implementation.

At least your front yards should be prepared by being able to answer if you understand, and have done something yet in compliance with, the PDPA requirements, for example:

  • Have you put in place your personal data security measures accordance with the minimum standard prescribed under related notification?
  • Have you notified your staff, employees, and/or any relevant persons of the measures to raise awareness of the importance of personal data protection and to encourage strict compliance?
  • Do you understand your duties and requirements under the PDPA?
  • Have you prepared your data inventory, knowing how the data flows and risks at each data gateway, including appointing appropriate personal/staff (including the Data Protection Officer, if required) to be in charge and responsible for the PDPA compliance and update?
  • Have you prepared key documents under the PDPA, such as privacy policy, privacy notice (under Section 95 and in general), consent form, data processing agreement, data transfer agreement and documents relating to the data subject’s rights and record, to be used immediately upon the Full Enforcement Date?

For those familiar with the personal data protection laws in other countries, in particular the EU General Data Protection Regulation (GDPR), it may be beneficial to recheck if you are also subject to the PDPA and whether all documents under such international laws are fully compliant with the PDPA.