Update on Thailand’s Draft Personal Data Protection Act

​The draft Personal Data Protection Act (PDPA) was approved by Thailand’s Council of State in December 2018 and is now under consideration of the National Legislative Assembly (NLA). Upon final approval the draft will be presented to the King’s office to be signed into law. Subsequently it will be published in the Government Gazette and the PDPA is expected to enter into force within 2019.

The term “Personal Data” includes any data pertaining to a person that enables the direct or indirect identification of that person. It excludes data of the deceased. Personal Data does also not include business information such as contact details.

The PDPA has an extraterritorial effect which means that overseas data controllers and processors can be subject to the law if they offer goods or services to data subjects in Thailand, or monitor any behavior occurring within Thai territory. Comparable with the GDPR concept, such overseas data controllers and processers need to appoint a local representative and comply with the PDPA. Requests for consent, which generally needs to be given in writing or via electronic means, must be clear without deceiving or misleading the data subject in any way. Consent can be exempted under certain circumstances, e.g. for vital, legitimate or public interests as well as the performance of contractual obligations. 

The requirements and exemptions for the transfer of personal data to a third country which does not have an adequate level of protection appear unchanged in comparison to the previous draft.

Although such are generally strictly prohibited, there are some exemptions, including among others (i) transfer personal data pursuant to applicable laws, (ii) consent from data subject, being informed that the third country lacks a suitable level of data protection, (iii) necessity to comply with contracts to which data subject is a party, (iv) transfer under an agreement between data controller and another entity which is benefitial for the data subject, (v) to prevent damage to life, body or health of data subject or other persons if consent could not be timely obtained or (vi) substantial public interest purposes. Data controllers and processors must designate a data protection officer when the collection, use, or transfer of personal data requires regular monitoring due to the possession of personal data on a large scale.

Civil liability includes possible punitive damages up to twice the value of the actual damage while administrative fines range from THB 1 million to THB 5 million.