Thailand’s Personal Data Protection Act BE 2562 (PDPA)
Data privacy in Thailand was largely established when the PDPA went into effect June 2021 and is the first consolidated law governing data protection in Thailand. The PDPA was signed in 2019 but was postponed following the Cabinet’s approval of a royal decree that proposed enforcement begin in 2022 to enact protections for data privacy in Thailand.
The key principles are based on GDPR. The Act gives individuals full right to transparency with regards to their personal information. All Thai organizations that collect resident data or collect data from within the borders, irrespective of whether they’re formed or recognized under Thai law, are residents, or have a business within the borders must comply. Any data that belongs to the citizens of Thailand no matter where it is being accessed from, inside or outside Thailand, falls under PDPA for data privacy in Thailand.
Primary Legislation
- The Constitution of the Kingdom of Thailand supports the human dignity, rights, freedoms, and equality of all Thais protected under the customary practices of the Government of Thailand.
- The Constitution recognizes the right to privacy as well as the right to protection against undue exploitation of personal data relating to his or her individuality.
- In case of a violation of the right to privacy, the affected individual may be entitled to claim damages in tort under the Thai Civil and Commercial Code.
Secondary Legislation
- The secondary legislation requires the Personal Data Controller to maintain suitable security measures.
- It also states the Criteria and Methods for organizing, making and keeping records, including processing activities.
- Small and medium enterprises are exempt from the requirement of organizing, making and keeping records, including processing activities
- It also states the criteria for issuing administrative fines and orders of the expert committee.
Key Definitions
Personal Data
Any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of deceased persons.
Sensitive Data
Any personal data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner as to be prescribed by the PDPC.
Biometric Data
The personal data arising from the use of technics or technology related to the physical or behavioral dominance of a person, which can be used to identify such person apart from other persons, such as facial recognition data, iris recognition data, or fingerprint recognition data.
Similarities Between PDPA and GDPR
- Both laws have a similar legal framework when it comes to how and when data is collected.
- Under both, all kinds of data—be it individual in nature or a combination of various information that can identify a person—will be considered personal data.
- Both require a Data Processing Officer for a large-scale organization.
- Both ensure the information privacy and protection of citizens that fall under their jurisdiction, irrespective of whether or not the data controller or processor is within the law’s territorial bounds.
- Both require explicit and clear consent of individuals before processing their information.
- Both grant equal rights to the data of subjects, and only protect the rights of living subjects, excluding information regarding deceased subjects
- Under both, data subjects must be notified within three days in case of a data breach.
Differences Between PDPA and GDPR
| PDPA | GDPR | |
|---|---|---|
| Personal Scope | Does not apply to public authorities that maintain state security, including financial security of the state or public safety, including the duties with respect to the prevention and suppression of money laundering, forensic science or cybersecurity. | Applies to data controllers and data processors who may be public bodies. |
| Material Scope | Does not differentiate or refer to automated and non-automated means of processing. Excludes ‘the House of Representatives, the Senate, and the Parliament, including the committee appointed by the House of Representatives, the Senate, or the Parliament, which collect, use or disclose personal data in their consideration under the duties.’ | Applies to the processing of personal data by automated means or non-automated means if the data is part of a filing system. It also does not exclude legislative bodies |
The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.