PDPA went into effect June 2021 and is the first consolidated law governing data protection in Thailand. The PDPA was signed in 2019 but was postponed following the Cabinet’s approval of a royal decree that proposed enforcement begin in 2022.
The key principles are based on GDPR. The Act gives individuals full right to transparency with regards to their personal information. All Thai organizations that collect resident data or collect data from within the borders, irrespective of whether they’re formed or recognized under Thai law, are residents, or have a business within the borders must comply. Any data that belongs to the citizens of Thailand no matter where it is being accessed from, inside or outside Thailand, falls under PDPA.
Any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of deceased persons.
Any personal data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner as to be prescribed by the PDPC.
The personal data arising from the use of technics or technology related to the physical or behavioral dominance of a person, which can be used to identify such person apart from other persons, such as facial recognition data, iris recognition data, or fingerprint recognition data.