English
Français 
Español 
On 27th May 2019, Thailand’s Personal Data Protection Act, B.E. 2562 (2019) (‘PDPA’) was published in the Royal Government Gazette. Initially set to become effective on May 27, 2020, the law came into force on June 1, 2022. Here are a few key terms and takeaways:
Personal Data
means any data pertaining to a person, which enables the identification of that person, whether directly or indirectly, but not including data which specifies only the name, title, workplace, or business address and data of the person in question specifically.
Data Controller
means any person or entity that holds the power to make decisions regarding collection, usage and disclosure of the Personal Data.
Data Processor
means any person or entity that conducts any collection, usage and disclosure of Personal Data on behalf of, or under the instruction of the Data Controller.
Collection, Use and Disclosure of Data
Consent must be obtained from the Data Owner before acquiring collection, usage and disclose of Personal Data. The consent must be separate and clearly visible by the Data Owner and must at least contain the purposes of data collection, types of Personal Data to be collected and time period for which it will be kept, types of relevant third parties to whom the Personal Data will be disclosed, information regarding the Data Controller and their contact information, as well as the rights of Personal Data Owner under the PDPA. There are some exceptions when the Personal Data can be collected without consent (e.g. vital interest, public interest, legal obligations, and legitimate interest).
Data Owners’ Rights
Data Owners may request their data to be revised, updated and/or erased and may also request a digital copy of such data.
Extraterritoriality
The PDPA has the extraterritoriality effect of the law which means that the law is also applicable to Data Controllers outside Thailand and there is a requirement for the Data Controller outside Thailand to appoint a representative within the jurisdiction.
Penalties
Non-compliance with the PDPA by the Data Controller and/or Data Processor may result in administrative fines of up to THB 1 million.
Timeframe
The Act became effective on June 1, 2022 but there is a grace period of 180 days, starting June 21, 2022, for Data Controller and/or Data Processor to comply with the Collection, Use and Disclosure of Data requirements.
ORBIS Thailand recently launched a PDPA compliance service as well as a Cybercrime Litigation service, which coordinates with Technology Crime Suppression Division to help prevent cybercrime attacks against your privacy and property.
Should you be interested in our services, please feel free to contact us at contact@orbis-alliance.com.