On May 27, 2019, the Thai government published the Personal Data Protection Act B.E. 2562 (2019) (the “PDPA”) in the Royal Gazette. The Act entered into force on publication, but its substantive obligations are subject to a one-year transition period, so organizations must bring their practices into compliance by May 27, 2020.
Notably, the PDPA adopts a broad definition of “personal data” (essentially, any information that directly or indirectly identifies an individual, excluding information about deceased persons) and an extraterritorial scope that extends its obligations to organizations outside Thailand that either (i) offer goods or services to individuals in Thailand, whether or not payment is required, or (ii) monitor the behavior of individuals in Thailand. The PDPA also adopts the concepts of “controller” and “processor”, consistent with the GDPR and various other privacy regimes.
The PDPA requires, among other things, organizations to:
- have a legal basis to collect and use personal information (in some cases requiring consent);
- respect heightened requirements for sensitive personal data;
- implement appropriate security measures and notify data breaches (to the PDPC, without undue delay and where feasible within 72 hours of becoming aware of the breach, and to affected individuals where the breach is likely to result in a high risk to their rights and freedoms); and,
- facilitate the exercise of rights of individuals relating to their personal data.
Organizations which meet certain criteria may also be required to appoint a data protection officer (“DPO”) and/or a local representative in Thailand.
The PDPA establishes the Personal Data Protection Committee (“PDPC”), which will enforce the law and publish guidance to help organizations ensure compliant practices. Violations of the PDPA may result in administrative fines (up to THB 5 million per violation), civil damages (including punitive damages of up to twice the actual damages), and, for certain offences, criminal prosecution (imprisonment of up to one year and/or a fine of up to THB 1 million).
Subordinate regulations and PDPC notifications are expected in the near future to further specify certain requirements of the PDPA (for example, the criteria for appointing a DPO and the details of breach notification), as well as to align existing sector-specific legislation with the new regime.