Follow us
cs@jandassociates.co

 Thailand

Image Alt
  >  PDPA

OVERVIEW

Thailand has completed the establishment of the Personal Data Protection Commission (PDPC)

The regulator under the country’s Personal Data Protection Act B.E. 2562 (PDPA), strongly indicating that the planned full enforcement of the PDPA on June 1, 2022, is likely to proceed as scheduled.

The establishment of the PDPC was finalized on January 18, 2022, when the Announcement of the Prime Minister’s Office on the Appointment of Chairperson and Honorary Members of the PDPC was published in the Government Gazette.

AS STIPULATED IN THE PDPA, THE PDPC CONSISTS OF:

  • The chairperson, appointed based on knowledge, skills, and experience;
  • The vice-chairperson, who is the permanent secretary of the Ministry of Digital Economy and Society;
  • Five commission members, designated based on their positions in certain government agencies (as prescribed under the PDPA); and
  • Nine honorary commission members appointed based on knowledge, skills, and experience in personal data protection, consumer protection, technology and telecommunication, social science, law, health, finance, or other relevant fields.
  • As the vice-chairperson and the five commission members are appointed to the PDPC based on their positions, the January 18 announcement appointing the chairperson and the nine honorary commission members completes the formation of the PDPC.

 

 

 

 

 

The PDPA is considered the first Thai law designed to govern data protection in the digital age and has been considered comparable to the European General Data Protection Regulation (GDRP). Key aspects of the PDPA include data processing, data collection, data storage, and data consent protocols. Once implemented, the PDPA is expected to change the landscape of personal data protection in Thailand. The legislation mandates that data controllers and processors who use personal data must receive consent from data owners and use it only for expressed purposes. The PDPA imposes punishment for non-compliance of up to THB 5 million in administrative fines and up to THB 1 million in criminal fines.

 

Prior to June 1, 2022, data controllers are allowed to continue to process personal data collected if the purpose for which the personal data was collected remains the same. However, data controllers/processors must publicize a consent withdrawal method and notify the data subjects of the same so that data subjects have the option to withdraw their consent/opt-out.  However, if a data controller/processor uses or discloses personal data beyond the original purpose for which the data subjects had previously given consent, further specific consent is required for each separate purpose. With the PDPA becoming fully enforceable, data collectors and users need to ensure systems are compliant with the necessary requirements

Contact us for more info: cs@jandassociates.co