Thailand’s Personal Data Protection Act (PDPA)

Alexandre Dupont

Orbis Legal Advisory Ltd


On 27th May 2019, Thailand’s Personal Data Protection Act, B.E. 2562 (2019) (PDPA) was published in the Royal Government Gazette. Here are a few key terms and takeaways:

Personal Data 
means any data pertaining to a person, which enables the identification of that person, whether directly or indirectly, but not including data which specifies only the name, title, workplace, or business address and data of the deceased specifically.

Data Controller
means any person or entity which has the power to make decisions regarding collection, usage and disclosure of the Personal Data.

Data Processor
means any person or entity that conducts any collection, usage and disclosure of Personal Data on behalf of, or under the instruction of the Data Controller.

Collection, Use and Disclosure of Data
Consent must be obtained from the Data Owner before acquiring collection, usage and disclose of Personal Data. The consent must be separate and clearly visible by the Data Owner and must at least contain the purposes of data collection, types of Personal Data to be collected and time period for which it will be kept, types of relevant third parties to whom the Personal Data will be disclosed, information regarding the Data Controller and their contact information as well asthe rights of Personal Data Owner under the PDPA. There are some exceptions when the Personal Data can be collected without consent (e.g. vital interest, public interest, legal obligations, and legitimate interest).

Data Owners’ Rights
Data Owners may request their data to be revised, updated and/or erased and may also request a digital copy of such data.

The PDPA has the extraterritoriality effect of the law which means that the law is also applicable to Data Controllers outside Thailand and there is a requirement for the Data Controller outside Thailand to appoint a representative within the jurisdiction.

Non-compliance with the PDPA by the Data Controller and/or Data Processor may result in administrative fines of up to THB 5 million, criminal penalties with imprisonment up to one year and/or fines of up to THB 1 million, as well as punitive damages up to twice the amount of the actual damages incurred by the Data Owner.

Companies and organizations have one year from the publication date to comply with the PDPA’s provisions.

ORBIS Thailand recently launched a Cybercrime Litigation service which coordinates with Technology Crime Suppression Division to help prevent cybercrime attacks against your privacy and property.

For further information, please contact Orbis:

Alexandre Dupont, Partner – Alexandre.dupont@orbis-alliance.com

Join our Legal Network