After numerous attempts over almost two decades, the Thailand Personal Data Protection Act was finally approved and endorsed by the National Legislative Assembly on 28 February 2019 ("PDPA"). The PDPA will be submitted for royal endorsement and subsequent publication in the Government Gazette.
This PDPA will change the landscape of personal data protection in Thailand. While the Thai Constitution upholds the right to privacy, Thailand did not have any consolidated law governing data protection in general before. There are only specific laws in certain business sectors, such as telecommunications, healthcare, banking, and credit bureau. The PDPA will become the very first consolidated law generally governing data protection in Thailand.
There are several key points under the PDPA that businesses should be aware of, namely extraterritorial applicability, data subject notification requirements, consent requirements, consent of minors, restrictions and exemptions for the collection, use, disclosure, and cross-border transfer of personal data, explicit consent requirements for sensitive data and exemptions related thereto, data subjects' rights, security measures, data breach and its notification, records of processing activities, representatives of controllers or processors who are not established in Thailand, data protection officers (DPO), exemptions from cross-border transfer requirements for transfers within the same business group, prescribed criminal and administrative penalties, and actual and punitive damages for civil liability.
Although the PDPA has drawn various concepts from the EU General Data Protection Regulation (GDPR), the PDPA also reflects concepts developed from Thai perspectives. Compliance with the GDPR does not necessarily mean compliance with the PDPA. Therefore, careful examination is crucial in order for companies to fully comply with the PDPA and GDPR.
While the final version of the PDPA has not yet been published in the Government Gazette (as of the date of this client alert), it is expected to be officially announced soon. After publication on the Government Gazette, business entities will have a transition period to prepare for compliance with the PDPA. As the PDPA will apply to most entities both onshore and offshore (with limited exemptions), we urge all entities to start reviewing their personal data related activities (e.g. customer data, supplier data, employee data, billing and payment documents), conducting data classification, data mapping, preparing personal data related documents, and other necessary steps for full compliance with the PDPA once it comes into effect.