19 November 2021
Is there a data privacy law in the jurisdiction of Thailand? If yes, is it implemented? If no, what laws are relied on?
Yes, Thailand has the Personal Data Protection Act (PDPA). The PDPA is the first consolidated law governing data protection in Thailand. Before the PDPA, there was the Official Information Act, but it governs only data in the possession or control of state agencies, so it is far less encompassing. The PDPA was published in the Royal Gazette on 27 May 2019 and became effective the next day. However, most of its provisions have not yet been implemented, because the government issued a Royal Decree exempting most types of businesses, including most state and private entities, from enforcement of the PDPA, initially until 31 May 2021. This exemption has been extended for another year, so the PDPA is set to be fully enforced on 1 June 2022.
However, Ministerial Notifications have been issued to encourage the exempted entities to keep in place the data protection measures and standards set by the PDPA during these postponements.
What significant legal instruments relating to data protection are currently pending? If any, what are the timelines?
The PDPA contains many principles for personal data protection, but it leaves most specific practices to be set out in subordinate regulations. The PDPA requires the Personal Data Protection Commission (“PDPC”) to issue and implement these subordinate regulations, but the PDPC has not yet been appointed. Therefore, the significant legal instruments still pending are the subordinate regulations.
There are three sets of these subordinate regulations, which are now being discussed through public hearings. The public hearing for the first set was held in February 2021, and the public hearing for the second set in June 2021. The schedule of the public hearing for the third set has not been announced, but it is expected to take place around August 2021.
There is no clear timeline, but it is hoped that the subordinate regulations will be in place after the second round of the PDPA postponement ends on 1 June 2022.
Who do Thai Data Protection Laws apply to?
The PDPA applies to any natural person or legal person acting as a Data Controller and/or Data Processor in the Kingdom of Thailand that collects, uses, or discloses the personal data of a living natural person, whether the collection, use or disclosure takes place inside or outside the Kingdom of Thailand. Where the Data Controller or Data Processor is not in Thailand, the PDPA applies to the collection, use, or disclosure of the personal data of persons in Thailand if the activities of such Data Controller or Data Processor relate to offering goods or services to data subjects who are in Thailand, regardless of whether the data subject is required to make a payment, or to monitoring the behaviour of data subjects in Thailand.
The PDPA does not apply to, for example, operations of state agencies with duties to maintain state security, or to the collection, use or disclosure of personal data for personal benefit or household activities.
Who are the relevant regulatory and enforcement authorities in Thailand with regards to personal data protection?
The PDPA is under the supervision of the Ministry of Digital Economy and Society. The PDPA establishes the Personal Data Protection Commission (PDPC) and the Office of the Personal Data Protection Commission.
The PDPC's duties and powers are both regulatory and enforcement-related. They include, among other things, preparing the master plan for the promotion and protection of personal data; determining measures or guidelines for personal data protection in compliance with the PDPA; issuing notifications or rules for the execution of the PDPA; announcing and establishing criteria for the protection of personal data sent or transferred to a foreign country; and interpreting and rendering rulings on issues arising from the enforcement of the PDPA.
The duties and powers of the Office of the PDPC are to perform academic and administrative tasks for the PDPC, including drafting the master plan for the promotion and protection of personal data and following up on and evaluating compliance with the PDPA, among other things. As of 6 August 2021, neither the PDPC nor the Office of the PDPC has been appointed.
How is personal data defined in Thailand?
Personal data is defined as any information relating to a living natural person which enables the identification of that person, whether directly or indirectly.
According to the Ministry’s PDPA summary leaflet, examples of personal data include name, surname, ID card number, address, telephone number, e-mail address, financial details, race, religious or philosophical belief, sexual behaviour, criminal record and health records.
Is there a distinction between personal data and sensitive data under the laws?
Yes. Although sensitive personal data is not explicitly defined, the PDPA contains a separate provision with stringent requirements for the collection of certain personal data, namely data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade/labour union information, genetic data, biometric data, or any other data which may affect the data subject in the same manner, as will be further specified by the PDPC.
The collection of such personal data requires explicit consent from the data subject, with a small number of exceptions.
What is the consent requirement in Thailand?
Express and freely given consent is required. Under the PDPA, the Data Controller shall not collect, use or disclose personal data unless the data subject has given consent prior to or at the time of such collection, use or disclosure. The PDPA does not provide a consent request form, but it empowers the PDPC to require the Data Controller to request the data subject’s consent using the form and statements to be prescribed by the PDPC.
The request must be made explicitly, either in a written statement or via electronic means. When requesting consent, the Data Controller must inform the data subject of the purpose of the collection, use, or disclosure of the personal data. The request must be presented in a manner that is clearly distinguishable from other matters, in an easily accessible and intelligible form and wording, in clear and plain language, and must not be deceptive or misleading to the data subject with respect to that purpose.
The data subject can withdraw his or her consent at any time. Withdrawing consent must be as easy as giving it, except where there is a restriction by law or by a contract that benefits the data subject.
What restrictions are there for cross-border transfer of personal data?
The Data Controller may transfer or transit personal data to a foreign country or international organization only if the receiving country or organization has been found to have adequate data protection standards and the transfer meets the rules to be prescribed by the PDPC, except in the following circumstances:
a. where it is for compliance with the law;
b. where the consent of the data subject has been obtained, provided that the data subject has been informed of the inadequate personal data protection standards of the destination country or international organization;
c. where it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
d. where it is for compliance with a contract between the Data Controller, and other persons or juristic persons for the interests of the data subject;
e. where it is to prevent or suppress a danger to the life, body, or health of the data subject or other persons, when the data subject is incapable of giving consent at such time;
f. where it is necessary for carrying out the activities in relation to substantial public interest.
Data Controllers or Data Processors in Thailand that transfer personal data to their affiliates outside Thailand are exempt from the above rules if they have a personal data protection policy governing such transfers and that policy has been reviewed and certified by the Office of the PDPC.
The PDPC and the Office of the PDPC have not yet been established. Therefore, the list of destination countries or organizations with adequate personal data protection standards, the PDPC’s transfer rules, and the PDPC’s rules and methods for reviewing and certifying transfer policies between affiliates have not yet been issued.
Peeraya Thammasujarit, Deputy CEO, Rouse
pthammasujarit@rouse.com