The Personal Data Protection Act B.E. 2562 (2019) of Thailand

The Personal Data Protection Act B.E. 2562 (2019) of Thailand represents a landmark legal framework aimed at safeguarding personal data. Officially announced on 24 May 2019, and effective starting 27 May 2020, this law sets out comprehensive principles and guidelines for the collection, usage, and dissemination of personal data. It serves to address concerns over data misuse and establish robust mechanisms for data protection, aligning Thailand with international privacy standards.

The PDPA acknowledges the constitutional rights of individuals, as stipulated in Sections 26, 32, 33, and 37 of the Constitution of the Kingdom of Thailand. It introduces statutory provisions that protect personal data by imposing obligations on data controllers and processors, ensuring that personal information is handled responsibly and transparently.

Overview of the Act

  1. Title and applicability (Sections 1–5):
    • The PDPA applies to all individuals or entities that collect, use, or disclose personal data of individuals within Thailand, regardless of the data handler’s physical location. Specific exemptions exist for personal or household use, national security, or public interest activities by government agencies.
  2. Definitions and key entities (Sections 6–7):
    • Key definitions include “personal data” (any information that can directly or indirectly identify a person) and “data controllers/processors” (entities that determine or carry out data processing activities).
    • The act establishes the Personal Data Protection Committee to oversee the implementation of, and compliance with, data protection laws.
  3. Data subject rights (Sections 19–33):
    • Individuals are granted several rights, such as the right to access, correct, delete, or object to the processing of their data. Consent must be explicit, informed, and freely given for data collection, with clear provisions for withdrawal.
  4. Obligations of data controllers and processors (Sections 22–39):
    • The act mandates that data be collected for specific, lawful purposes and only to the extent necessary. Controllers must ensure transparency and accountability in data processing, including implementing security measures to prevent unauthorised access or breaches.
  5. Prohibitions and special data categories (Section 26):
    • Sensitive personal data, such as racial, political, or health information, requires additional safeguards and cannot be processed without explicit consent or under specific legal exemptions.
  6. Cross-border data transfers (Sections 28–29):
    • Transfers of personal data to foreign entities are subject to conditions ensuring equivalent levels of protection in the destination country.
  7. Penalties and enforcement (Sections 90–97):
    • The PDPA prescribes civil, criminal, and administrative penalties for non-compliance, including fines and imprisonment for severe violations.