Mergers & acquisitions on the uptick
The volume of merger and acquisition (M&A) activities in Thailand increased significantly in 2023, and it is anticipated that the number will continue to rise during 2024. Both public and private companies have used M&A as a method to achieve their goals and expand their business activities rather than setting up a new business from scratch. Currently, M&A activities are particularly active among private companies, particularly smaller transactions between private companies, because M&A as a business tool is now easier to access than it has been in the past. However, public companies continue to be key players in M&A activities in Thailand.
RECENT DEVELOPMENTS
The Thai government issued merger control regulations at the end of 2018, and companies, lawyers and business consultants have since had to take the new laws into consideration when conducting M&A activities. In addition, there is a new concept of M&A transactions under the Civil and Commercial Code called “merger”. This is where two or more companies merge, but only one participant survives.
In 2023, there were several remarkable deals. One notable deal is the sale of the KFC business in Thailand by Restaurants Development to a subsidiary of an Indian-listed company for more than THB4 billion (USD109.5 million).
METHODS FOR M&A ACTIVITIES
The acquisition of a company’s shares and the acquisition of a business and assets are the most common acquisition methods in Thailand.
Founding Partner
Warot Advisory Services
Bangkok
Tel: +66 8 1802 5698
Email: warot@warotadvisoryservices.com
Acquisition of shares. Share acquisition is the most common method for a company to acquire a target company. It is easier to implement, but due diligence must be conducted to identify risks in the target company, and indemnities and warranties should be incorporated in the share purchase agreement.
It is worth noting that the transfer of shares will be subject to stamp duty in Thailand at a rate of 0.1% of the greater of transfer value or par value.
Acquisition of businesses/assets. The acquisition of assets should be considered when the acquirer does not want to run the risk of the target company having hidden legal and tax liabilities which, in this case, would generally remain with the target company and not transferred with the business or its assets.
Nonetheless, the Foreign Business Act may restrict foreign companies from directly holding a business and/or its assets. In that case, a Thai company must be established to hold the target business and its assets in Thailand. In addition, certain legal requirements would also have to be met.
Please note that the transfer of assets is normally subject to value-added tax and certain transactional documents are subject to stamp duty and other fees in Thailand.
Joint Venture company. A joint venture company can be set up between companies (either between foreign and Thai companies; between two or more foreign companies; or between only Thai companies) to operate a business in Thailand that may require knowledge and know-how from both parties. In some cases, the joint venture companies are set up specifically to comply with the Foreign Business Act, where the foreign companies would like to do business that is usually restricted for them in Thailand.
Relevant regulations. Civil and Commercial Code (CCC). The CCC plays an important role in private M&A transactions as they become more active in Thailand. In some cases, consultation with the registrar is recommended, especially when the deal structures are complex.
The Department of Business Development is a government agency that oversees the CCC.
Foreign Business Act (FBA). The FBA is the most important regulation to be considered when foreign companies conduct M&A transactions in Thailand. The FBA forbids or otherwise restricts foreign nationals and companies from doing some business activities in Thailand, including most associated with the service industry.
For FBA restrictions, a “foreigner” is classified as: a foreign individual; a company incorporated outside Thailand; or a company incorporated in Thailand but majority-owned by foreign individuals or foreign companies.
In some cases, foreign companies shall not be able to hold more than 50% of shares in a Thai company. The Foreign Business Department in the Ministry of Commerce is a government agency that oversees the FBA.
Trade Competition Act (TCA). Since the TCA came into effect in 2018, it has played an important role in Thai M&A transactions. Any M&A transaction that meets the requirements under the TCA must: (1) obtain pre-approval; or (2) issue a post- notification of the transactions. In short, pre-approval will be required if the proposed M&A transaction creates a monopoly, and post-notification will be required if the M&A transaction reduces competition in the market.
The Office of the Trade Competition Commission is a government agency that oversees the TCA.
Labour Protection Act (LPA). In share acquisition transactions, there will be no requirement to obtain prior consent from the employees as, legally speaking, the employer remains the same.
However, in the acquisition of businesses and/or assets that involve the transfer of employees, the LPA requires all rights, duties and privileges of the employees to be assumed by the new employer, and the transfer of employment must be consented to by the employees. If any employee does not consent or does not want to work for the new employer and the existing employer stops operations, it is deemed that the employment contract is terminated and the employee will be entitled to severance pay from the existing employer.
The Department of Labour Protection and Welfare is a government agency that oversees the LPA.
Other Laws and Regulations. If any parties in an M&A is a public limited or listed company, the Public Limited Companies Act and the Securities and Exchange Act will also be important regulations to be taken into consideration. The Land Code (together with the FBA) must also be considered when land is included as a target company asset.
It is important to note that M&A activities in different industries may be subject to different and specific regulations.
CHOICE OF ACQUISITION FUNDING
In acquisition transactions, an acquirer must decide whether to fund the vehicle with debt or equity, or even a hybrid instrument, which combines the characteristics of debt and equity.
Debt. The advantage of using debt is the deductibility of interest for tax purposes and the ease in repatriating the investment through the repayment of principal. On the other hand, the payment of dividends is not deductible and returns of capital can be an onerous and time-consuming task.
Thailand does not have thin capitalisation rules.
Equity. An acquirer may use equity to fund its acquisition. However, this method may not be attractive since dividends are not deductible for Thailand tax purposes, and dividends cannot be distributed unless the company is profitable. Also, a return of capital (equity) will be more difficult than a return of the loan.
However, in the cases of a joint venture or investment in startups, it is more common to seek equity funding rather than debt funding.
Entire business transfer, amalgamation and merger. Under the Thai Revenue Code, a company may conduct an entire business transfer under which the business and liabilities of one company are transferred to another company through a share swap. If all conditions are met, the entire business transfer will be considered a tax-free transaction.
Thailand also has an amalgamation process where two companies can merge to form a new company. This transaction should be free from Thai corporate income tax, and any tax losses in either of the original companies will be lost (not carried over to the new company). Both the original companies will be dissolved as a part of the amalgamation process.
The merger is a new concept under the CCC and gives companies more flexibility in business acquisitions. Nonetheless, the new merger regime has not been widely adopted due to a lack of knowledge about, and uncertainty of, the related rules and regulations.
WAROT WANAKANKOWIT
1055/655 State Tower 31st Floor
Silom Road Silom, Bangrak
Bangkok – 10500 Thailand
www.warotadvisoryservices.com
Privacy laws and personal data protection regulation
In the past, Thailand never had specific legislation regarding personal data protection. Specific laws applied only to protect the information of individuals that was in the possession or control of a state agency, while other personal data protection regulations were scattered among general laws, e.g. the Constitution and laws pertaining to wrongful acts specified under the Civil and Commercial Code.
In 2019, the National Legislative Assembly approved Thailand’s first consolidated Personal Data Protection Act (2019) (PDPA), which came into full effect on 1 June 2022. The PDPA provides key points of protection on details, criteria, process, standards or relevant guidelines, which are stipulated in the sub-legislatives or regulations issued or to be issued by the Personal Data Protection Committee.
IMPACT ON BUSINESS PRACTICES
The PDPA affects every person/business that collects, uses, discloses or transfers personal data, regardless of the quantity of personal data processed. However, some businesses, e.g. SMEs or charitable foundations, may be exempted from certain requirements under the PDPA, subject to certain criteria.
Following enactment of the PDPA, businesses are required to change the way they collect, use, disclose or transfer personal data, which includes personal data of their clients, customers, business partners and employees. Personal data can no longer be kept forever, and its processing must be based on a legal basis provided under the PDPA.
Managing Partner
Veritas Law
Bangkok
Tel: +66 2286 5191; +66 8 2353 8888
Email: ruengrit@veritaslaw.co.th
Businesses in Thailand have been actively amending their handling of personal data to comply with the PDPA since it took effect, as it imposes severe penalties on persons who fail to comply. The following civil, administrative and criminal penalties shall be imposed:
- Civil liability: compensation for damages up to two times the quantum of the actual damages;
- Administrative liability: an administrative fine up to THB5 million (USD137,700); and/or
- Criminal liability: an imprisonment for a term not exceeding six months to one year and a fine not exceeding THB500,000 to THB1 million, or both (as the case may be).
It is crucial to note that not only the business entities but also the directors, managers or authorised persons who instructed the businesses may be punished with the same criminal penalties.
Therefore, all business entities that process the personal data of persons in Thailand must create a new culture in processing personal data, and everyone in these organisations, from top-level management to operating personnel, must be aware of and comply with the PDPA.
In addition, a privacy policy and personal data handling flows and procedures must be prepared or revisited for PDPA compliance. Failure to comply with the PDPA may lead to data leaks resulting in organisations being penalised with sanctions under the PDPA.
KEY POINTS OF PDPA
What is personal data? The PDPA specifies to what extent and to whom it is applicable. Personal data is defined as “any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased persons”. Any data under this definition shall be protected under the PDPA.
The PDPA also defines the data that requires special care in handling. It is practically known as “sensitive data”, which means personal data pertaining to race, ethnic origin, political opinions, culture, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or any data that may affect the data subject in the same manner.
Senior Associate
Veritas Law
Bangkok
Tel: +66 2286 5191
Email: chotika@veritaslaw.co.th
The PDPA applies to protect only individuals whose personal data has been processed by a data controller and/or data processor by means regulated under the act. The data of the juristic person is, therefore, not protected by the PDPA.
Relevant parties. Under the PDPA, five major parties are subject or relevant to the act: the data subject; the data controller; the data processor; he data protection officer; and the Personal Data Protection Commission.
The data controller is a person or a juristic person having the power and duties to make decisions regarding the collection, use or disclosure of personal data. The data processor is a person or a juristic person who operates in relation to the collection, use or disclosure of personal data pursuant to the orders given by or on behalf of a data controller, where such person or juristic person is not the data controller.
Thus, the data controller/data processor could be either an individual or an entity, but a data controller collects, uses, discloses or transfers personal data of a data subject to its discretion, while a data processor processes personal data on behalf of, or by order of, a data controller.
The PDPA mainly imposes duties and obligations on the data controller. The main duties of the data controller can be placed in two categories:
- Duties towards the data subject. The main duties include providing the data subject with the minimum information required under the PDPA on the processing of personal data, and ensuring that the rights of the data subject are recognised under the act.
- Duties within businesses. The main duties include an implementation of security measures including data disposal procedure, notifying of data breaches, preparing data processing agreements, keeping records of processing activities, or ensuring sufficient data protection standards of the country to which personal data is transferred.
The PDPA imposes fewer duties on the data processor, but in some circumstances the data processor may also be liable under the act as if it were the data controller, if it processes personal data beyond the order or instruction of the data controller.
In addition to the data controller and data processor, other persons may be required to be appointed by a data controller or data processor. These are:
- A data protection officer (DPO), the person who must have knowledge or expertise with respect to personal data protection, because a DPO is required to give advice to and investigate the performance of data a controller/data processor and co-ordinate and co-operate with the Office of Committee; and/or
- A representative in Thailand in case personal data is processed overseas.
In the processing of personal data, the committee shall be a regulator to assure compliance with the PDPA.
Scope of application. The PDPA adopts both a territorial and an extraterritorial basis. Both data controller and data processor, in Thailand and overseas, shall be subject to the PDPA if they process personal data of subjects in Thailand, with certain exceptions.
Legal basis. While seeking consent is a key principle to the processing of personal data, the PDPA provides exceptions for processing personal data on the following bases:
- Historical purposes, research or statistics;
- Vital interest;
- Legal obligation;
- Contractual basis;
- Public interest; or
- Legitimate interest.
For the processing of sensitive data, certain additional legal bases must be met.
Rights of data subjects. Under the PDPA, subject to exceptions, data subjects shall enjoy the following rights:
- Right to be informed;
- Right to access/obtain records;
- Right to data portability;
- Right to object;
- Right to erasure;
- Right to restrict processing;
- Right to rectify;
- Right to withdraw consent; and
- Right to complain.
Based on the above-mentioned, it is important for data subjects to be informed of the purpose and the basis for processing personal data, including the type of personal data to be processed and the period for which the personal data will be retained.
If personal data may be disclosed, data subjects must be informed of the categories of persons or entities to which the collected personal data may be disclosed. Finally, the information and contact channel details of the data controller, representative (if applicable) or data protection officer including the rights of a data subject must also be informed.
PREPARATION AND IMPLEMENTATION
If not yet in compliance, a business should commence gap analysis to identify non-compliance with the PDPA in its practice. A legal basis for processing personal data on each activity must be determined. A privacy policy must be prepared or revisited including other relevant policies and underlying documentation. All relevant persons in the organisation must be trained, and all business partners must acknowledge the change of the personal data protection culture in the business.
In addition, a business may consider simultaneously implementing its personal data management process and its IT security measures. The security measures must have a minimum security standard that is no less than that set out in the notification of the committee.
The minimum standards align with the concepts in the International Organisation for Standardisation and the International Electrotechnical Commission standard 27001 (ISO/IEC 27001), in which the main concepts include confidentiality, integrity and the availability of data.
MULTINATIONAL CORPORATIONS
Even though GDPR regulations were used as a guideline in drafting the PDPA, including enforcement, businesses should keep in mind that GDPR-compliant companies may not be compliant with the PDPA in all aspects. Businesses should also implement personal data protection regimes in their organisations to be compliant with the PDPA. Personal data transfer among subsidiaries must also follow the requirements and restrictions of the PDPA.
VERITAS LAW LIMITED
No 179 Bangkok City Tower, 5th Floor,
South Sathorn Road, Thungmahamek,
Sathorn, Bangkok 10120 THAILAND
Tel: +66 2286 5191
Email: ruengrit@veritaslaw.co.th
www.veritaslaw.co.th
