Data privacy laws in Thailand

    By Veeranuch Thammavaranucupt and Thaya Uthayophas, Weerawong Chinnavat & Partners

    A good understanding of data privacy frameworks is crucial in Asia. While the laws in the region share similar elements, gaps remain, as privacy compliance culture is relatively new and jurisdictions vary in their approaches. Here, experts spell out how the Philippines, Thailand and Indonesia have built their legal frameworks governing personal data.

    Thailand’s Personal Data Protection Act, 2019 (PDPA) was promulgated to protect natural persons from the unauthorised or unlawful collection, use or disclosure of their personal data. The PDPA came into force on 27 May 2019, but the spread of COVID-19 led the Thai government to postpone enforcement of its main provisions to 31 May 2021. Minimum security standards already apply, however: data controllers must inform their staff and relevant parties of the importance of personal data protection, and certain safeguards must be implemented.

    Veeranuch Thammavaranucupt
    Senior Partner at Weerawong Chinnavat & Partners in Bangkok
    Tel: +66 2 264 8000

    Data authority

    The PDPA established the Personal Data Protection Committee (PDPC), together with an expert committee and a sub-committee under the PDPC. Pursuant to section 16 of the act, the committee’s duties include:

    (1) Determining measures or procedures for the protection of personal data;

    (2) Issuing notifications or regulations;

    (3) Announcing criteria for protection procedures and the protection of data that are transferred out of the country; and

    (4) Preparing the masterplan to support and protect personal data.

    The PDPA also established the Office of the PDPC, a state agency that acts as the centre for academic services on the protection of personal data, together with a supervisory board. Many requirements of the PDPA will be fleshed out by sub-regulations, which remain to be announced and implemented by the PDPC. In February 2021, the regulator conducted a public hearing on the draft sub-regulations, with plans to launch the following sub-regulations by June 2021:

    . Criteria and methods for obtaining consent;

    . Notifications regarding the processing of personal data;

    . Proper data protection methods for the processing of sensitive personal data;

    . Criteria and protections for the transfer of data overseas;

    . Personal data activity records, methods for data subject requests, and reports on any personal data breach;

    . Safety measures for data processing;

    . Data protection officers; and

    . Procedures regarding complaints and administrative enforcement.

    Scope of regulation in Thailand

    The PDPA regulates the collection, use and disclosure of personal data (collectively, the processing of data) by a data controller or a data processor in Thailand. However, the PDPA does not apply to:

    . Data collected by a person solely for that person’s own benefit or household activities;

    . Operations of public authorities;

    . Data that are collected only for the activities of mass media, fine arts, or literature;

    . Data under the duties and power of the parliament or parliamentary committees;

    . Trials and adjudications of courts, and work operations of officers in legal proceedings; and

    . Data collected by a credit bureau company and its members.

    Personal data

    Pursuant to section 6 of the PDPA, personal data means any information relating to a person that enables that person to be identified, directly or indirectly, but excludes the data of deceased persons.

    There are two types of personal data: general personal data (section 24) and sensitive data (section 26). General personal data is any personal data that is not sensitive data. Sensitive data includes personal data pertaining to race, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or any other data that may affect the data subject in the same manner, as prescribed by the PDPC.

    Unless there is another lawful basis for doing so, the processing of general personal data and sensitive data requires the consent of the data subject, which under section 19 must be given explicitly.

    Thaya Uthayophas
    Associate at Weerawong Chinnavat & Partners in Bangkok
    Tel: +66 2 264 8000

    Lawful basis for processing

    Pursuant to section 24, the lawful bases for processing general personal data without the consent of the data subject include: research, vital interests, contract, public task or official authority, legitimate interests of the data controller (balanced against the rights of the data subject), and legal obligation.

    Pursuant to section 26, the lawful bases for processing sensitive personal data without the explicit consent of the data subject include: vital interests, non-profit activities, data made public by the data subject, legal claims, and legal obligations serving various public interests.

    Data controller and processor

    The PDPA provides a distinction between those who make decisions on the processing of personal data and those who provide personal data processing services. Pursuant to section 6 of the PDPA:

    (1) A data controller is a natural or juristic person with the authority to make decisions on the collection, use or disclosure of personal data; and

    (2) A data processor is a natural or juristic person who operates in relation to the collection, use or disclosure of the personal data pursuant to orders given by, or on behalf of, a data controller.

    Section 37 sets out the duties of the data controller, which include putting in place security measures and verification procedures, and notifying the Office of the PDPC of any personal data breach. It also requires the data controller to provide and maintain appropriate measures to prevent the unauthorised or unlawful loss, access, use, alteration, correction or disclosure of personal data.

    Section 40 sets out the duties of a data processor, which include putting in place security measures, notifying the data controller of any breach involving personal data, and preparing and maintaining records of processing activities. Most companies that collect personal data will be regarded as controllers or processors and will have to comply with the PDPA.

    If a data controller or a data processor is outside Thailand, the PDPA still applies to the collection, use or disclosure of personal data of data subjects who are in Thailand where the activities of the data controller or data processor are: (1) the offering of goods or services to data subjects who are in Thailand, regardless of whether payment is made by the data subject; (2) the monitoring of the data subject’s behaviour, where that behaviour takes place in Thailand.

    Under section 21, personal data must not be collected, used or disclosed in a manner different from the purpose previously notified to the data subject, unless the data subject has been informed of the new purpose and consent has been obtained before the collection, use or disclosure takes place.

    Pursuant to section 23, the data controller must inform the data subject, prior to or at the time of the collection of personal data, of the following:

    . Purpose of the collection;

    . Period of storage of personal data;

    . Identity of the data controller (contact details);

    . Cases in which the data subject must provide personal data (for example, to comply with a law or a contract);

    . Identification of the recipients to whom the personal data may be disclosed;

    . Information that needs to be collected;

    . Rights of data subjects; and

    . Impact of not providing the personal data.

    Section 39 states that the data controller must maintain the following records:

    . Collected personal data;

    . Purpose of the collection;

    . Details of the data controller;

    . Retention period of the personal data;

    . Rights and methods to access the personal data;

    . Use or disclosure of personal data exempted from the consent requirement;

    . Rejection of requests or objections; and

    . Explanations of the appropriate security measures to prevent breaches.

    Pursuant to section 30 of the PDPA, the data subject is entitled to request access to, and obtain a copy of, the personal data relating to him or her that is under the responsibility of the data controller.

    Breaches of personal data

    Section 37(4) requires the data controller to notify the Office of the PDPC of any personal data breach within 72 hours of becoming aware of it. Non-compliance with the PDPA can attract criminal, civil and administrative penalties.

    Criminal penalties include imprisonment for up to one year and/or a fine of up to THB1 million (US$32,500). If the violation results from the instruction or omission of a person responsible for a company, that person may also be subject to the same penalties. Civil liability includes punitive damages of up to twice the amount of the actual damages, and civil damages may also be claimed through a class action.

    Additionally, the expert committee of the PDPC is authorised to impose administrative fines of up to THB5 million (US$163,417) on any violator.

    Weerawong Chinnavat & Partners


    22nd Floor, Mercury Tower
    540 Ploenchit Road, Lumpini, Pathumwan
    Bangkok 10330, Thailand

    Tel: +66 2 264 8000
    Fax: +66 2 657 2222

