On 1 June 2022, the Thai Personal Data Protection Act (PDPA) was finally enforced.
In general rules of Thailand’s PDPA entities outside the country that offer goods or services to individuals in Thailand. Personal data under the PDPA includes any information that identifies an individual, directly or indirectly, but excludes details about deceased persons. Violations of the PDPA can result in significant administrative penalties, while the law itself addresses public complaints and provides oversight to ensure that individuals' privacy rights are protected.
Before the enforcement of Thailand's Personal Data Protection Act in 2022, the country had relatively limited legal frameworks specifically addressing data privacy. While there were some regulations in place, such as the Computer Crime Act and the Electronic Transactions Act, these primarily focused on cybersecurity and electronic transactions rather than comprehensive data protection. Consequently, there needed to be more specific personal data protection standards governing the collection, use, and storage of personal data, leading to potential vulnerabilities in protecting individuals' privacy rights.
The introduction of the PDPA Thailand marked a significant milestone in the country's legal landscape, by establishing its first comprehensive personal data protection law. Effective from June 1, 2022, the Personal Data Protection Act in Thailand aligns closely with global security standards, particularly the European Union's General Data Protection Regulation (GDPR). It imposes strict security obligations on businesses processing personal data, ensuring that individuals' rights to privacy and data protection are recognised and upheld in every organisation's core activities. In case of non-compliance and actual damages, companies risk being subjected to civil liabilities or remedial measures.
Who is protected under Thai PDPA? The PDPA applies to both local entities and organisations in foreign countries that handle personal data of individuals within Thailand, regardless of the location of the data processing. This means that companies that take part in cross-border transfers of information have data protection obligations to every natural person in Thailand.
The Thailand PDPA defines personal data broadly, including any information related to identifiable individuals, and establishes adequate data protection standards for handling sensitive personal data, such as health information. The law also provides individuals with rights such as data access, rectification, and the right to withdrawal of consent, thereby enhancing the overall accountability of organisations managing personal data. Companies are required under lawful bases to be transparent about their corporate data protection measures and privacy policies in all aspects, such as in their direct marketing efforts.
The full contents of the Personal Data Protection Act in Thailand can be accessed quickly online, with PDF copies available for viewing on different websites.
Four months into enforcement, we sat down with Dr Prapanpong Khumon, Associate Dean of Academic Affairs at the Faculty of Law, University of the Thai Chamber of Commerce, about updates on the additional PDPA guidelines released by the Thai public authorities and developments on the data protection landscape.
To catch up on the background and development of the Thai PDPA, check out our earlier two-part Q&A and Thai PDPA video series.
It has been four months since the Thai PDPA has been fully in force. What updates have there been to the law during this time?
The public has become more aware of the law and data protection in general since the law has been enforced – which is a good sign. The Office of the Personal Data Protection Committee (PDPC) has also been fully established not just to regulate, but also to promote compliance with the PDPA and help organisations to utilise data.
Next year, the Personal Data Protection Masterplan will be implemented to help organisations better comply with the PDPA, with programmes including capacity building, research and development grants, and training opportunities. While the Masterplan will be fully implemented next year, the PDPC so far has launched a series of supplementary rules to provide clarity for organisations.
After establishing the general rules of Thailand's PDPA, have any new supplementary or special rules been published?
Since the PDPA in Thailand's enforcement, the supplementary rules that have been published as of October 2022 are:
1. Regulation on exemption for small data controllers to keep and maintain records of activities
2. Regulation on the requirements to keep and maintain records of processing activities for data processors
3. Regulation on security measures for data controllers
4. Regulation on administrative liability measures
5. Regulation on complaint process regarding violation and non-compliance
6. Regulation on appointment and duty of Expert Committee to handle complaints
7. Guidelines on privacy notices
8. Guidelines on explicit consent requirements
There are also some supplementary and/or special rules that are in the pipeline, to be published by the end of 2022. This includes regulation on types of organisations that are required to appoint Data Protection Officers (DPOs), qualifications of DPOs , and regulations on cross-border data transfers.
Have there been any other developments – personal data breaches, investigations and even administrative warnings or fines levied – so far since enforcing the Personal Data Protection Act in Thailand?
Within the Office of PDPC, an Expert Committee was appointed in August 2022 to handle and investigate claims, and the Committee has received a number of claims since June 2022, which indicate that the public has been aware of their rights.
The majority of the claims are not serious breaches. The ones that are considered by the Committee to be serious personal data breaches will be handled within a three-month timeframe before the Committee issues a warning or an administrative fine, depending on the severity of the breach.
So far, no administrative fines have been imposed.
Is there currently a strong demand for DPO training and certification courses in Thailand?
There are many training providers that are currently offering DPO training courses, and the demand is rising. It is expected that there will be more demand once the PDPC publishes the highly anticipated rules on DPO qualifications, as well as the types of organisations that are required to appoint DPOs.
The University of the Thai Chamber of Commerce (UTCC) and Straits Interactive are partnering to offer a course to help professionalise the DPO role. How will the course cater to the needs of participants and organisations?
The partnership between UTCC and Straits Interactive will benefit organisations that are looking for a DPO training course that focuses on operational perspectives, and that is what makes this course unique from most of the other courses.
While most courses provide understanding of the PDPA and how to comply with the law, this course enables participants to apply solutions in each step of a business process. This is an important angle when we talk about DPO as a profession, because the role of a DPO requires not only legal skills, but also operational skills.
Looking into the future of data governance , there are more courses to be expected from this partnership that will embody data management and data governance, which are skill sets required in today's environment and also in the future.
Check out our Data Protection Officer - Hands-on Workshop for Thailand, held in partnership with the UTCC.
Besides training courses, how else could current and aspiring data protection professionals gain the necessary knowledge to plan their career training and progression?
Thailand is at a very early stage of implementation of data protection. However, on the positive side, data protection professionals in Thailand have the liberty to learn from mature markets such as Singapore, the Philippines, and Malaysia.
A community such as the Data Protection Excellence (DPEX) Network can provide useful resources because there are inputs from experts from all over ASEAN. Also, there are publications, research reports, webinars, forums and videos that are available to enhance the knowledge and skills of data protection professionals.
While Thailand is still focused on PDPA compliance, there are a lot of resources at DPEX Network that publish trends, statistics and cases from all over the world. All of these will keep data protection professionals up to date with current and future trends, which will be useful for their career in the long run.
Is there anything else you would like to share about the Thai PDPA or the developing data protection landscape in Thailand and the rest of ASEAN?
The Thai PDPA already embraces the universal principles of data protection. That is an advantage for international standardisation and adherence to global standards, but what remains to be seen is how it is going to be enforced.
There has been a focussed discussion at ASEAN on capacity building, which I think is very important when we take into consideration the cost of compliance of small and medium enterprises.
It is a promising sign that the Personal Data Protection Masterplan in Thailand, which will be implemented next year, resonates with ASEAN and focuses on promotion and support on capacity building, research and technologies that would help small and medium enterprises protect personal data.
Therefore, looking from a policy perspective, this is a good sign.
Liked this story? Sign up for a FREE membership at the Data Protection Excellence (DPEX) Network and get regular data protection and data governance news, industry updates, and resources.
Get access to news, enforcement cases, events, and actionable tips and guides
Get regular email updates and offers
Job opportunities, mentorship and career guidance
Exclusive access to Data Protection community - ask questions, network and share knowledge with peers and experts via WhatsApp and Linkedin
DPEX Network is a Community Initiative of Straits Interactive.
Copyright © Straits Interactive Pte Ltd. All Rights Reserved.
All intellectual property rights to logos and brands featured on this website remain the property of their respective owners.