The Personal Data Protection Act B.E. 2562 (A.D. 2019) (the “PDPA”) was published in the Royal Gazette on 27 May 2019 as the main legislation governing personal data protection in Thailand. Similar to the General Data Protection Regulation (GDPR), the PDPA imposes a number of significant obligations on persons involving in the process of collecting, using or disclosing personal data. In this regard, the primary elements of the PDPA regarding the protection of personal data were initially planned to take full effect on 27 May 2020, but have ultimately been delayed until 1 June 2021.

During this transitional period, data controllers (i.e. those who have the power and duties to make decisions regarding the collection, usage or disclosure of personal data) remain obliged to provide security measures for personal data in accordance with the Notification of Ministry of Digital Economy and Society regarding the Standards of Maintaining the Security of Personal Data B.E. 2563 (A.D. 2020) (the “Notification”) as follows:

1. to inform its personnel, staffs, employees, workers or relevant persons of the security measures, as well as create awareness of personal data protection for such persons to strictly comply with; and
2. the security measures shall comprise administrative, technical and physical safeguards regarding access control of personal data, which shall at least cover control over access to personal data and data processing equipment, authorisation or rights to access personal data, user access management, user responsibilities and examination of previous access, change, deletion or transfer of personal data.

In light of the above, the data controllers may possibly opt for other measures having standards which are not lower than those prescribed in the Notification.
 

This document is solely intended to provide an update on recent development in Thailand legislation and is not purported to provide a legal opinion, nor a legal advice to any person.