Data Privacy

Data privacy in Thailand is governed by the Personal Data Protection Act BE 2562 (2019).

There are no special regimes that apply in specific sectors. The PDPA applies to the collection, use and disclosure of personal data by any organisation in Thailand.

Regarding specific data types, the PDPA sets out special conditions on sensitive personal data, which includes personal data relating to race; ethnic origin; political views; doctrinal, religious or philosophical beliefs; sexual behaviour; criminal record; health record; and biometric information. The processing of sensitive data is allowed only where:

• the explicit consent of the data subject has been obtained;
• the processing is performed for legitimate purposes (eg, to prevent harm to an individual’s health or for social security purposes);
• the processing is required to exercise a legal claim or defence; or
• the data has already been disclosed to the public with the data subject’s explicit consent.

No bilateral or multilateral instruments relating to data privacy have effect in Thailand.

The bodies responsible for enforcing the data privacy legislation in Thailand are the Ministry of Digital Economy and Society and the Personal Data Protection Committee. These government authorities mainly:

• draft and enact specific regulations and/or notifications under the PDPA;
• provide official interpretations; and
• render orders in relation to the PDPA.

Although regulations and notifications under the PDPA have not yet been issued and the PDPA is not yet fully in force in certain sectors (ie, the industrial and commercial industries), most companies have been preparing to comply with its requirements – for example, by drafting a privacy policy, appointing a data protection officer, preparing a request form for data subjects and so on. At present, the PDPA includes no provisions on industry standards or best practices; we would therefore advise that all legal provisions relating to the PDPA be strictly followed.

The Personal Data Protection Act (PDPA) applies to the collection, use and disclosure of personal data by organisations (ie, data controllers and/or data processors) that are located in Thailand, regardless of whether such collection, use or disclosure of personal data takes place in Thailand.

Regarding extraterritorial scope, the PDPA also applies to data controllers and data processors that are located outside Thailand where:

• the data that is collected, used or disclosed relates to data subjects who are located in Thailand;
• their activities relate to the offer of goods or services to data subjects in Thailand, regardless of whether payment is required; or
• the data subjects’ behaviour is monitored in Thailand.

The PDPA does not apply to public authorities that maintain state security, such as the financial security of the state or public safety, including in relation to the prevention of money laundering, forensic science or cybersecurity.

Yes, please see question 2.1.

(a) Data processing

There is no specific definition of ‘data processing’ set out in the Personal Data Protection Act (PDPA). However, it can be assumed that ‘data processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, and erasure or destruction.

(b) Data processor

The PDPA defines a ‘data processor’ as a natural or legal person that undertakes the collection, use or disclosure of personal data pursuant to orders given by or on behalf of a data controller, whereby such person is not the data controller.

(c) Data controller

The PDPA defines a ‘data controller’ as a natural or legal person who has the power and duties to make decisions regarding the collection, use or disclosure of personal data.

(d) Data subject

There is no specific definition of a ‘data subject’ set out in the PDPA. However, it can be assumed that a ‘data subject’ is any individual who owns personal information and can be identified, directly or indirectly:

• via such personal information, such as a name, an ID number or location data; or
• via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity.

In other words, a ‘data subject’ is an end user whose personal data can be collected.

(e) Personal data

The PDPA defines ‘personal data’ as information that:

• directly or indirectly relates to an individual;
• stipulates specific requirements relating to certain types of data; and
• applies to the collection, use or disclosure of personal data.

(f) Sensitive personal data

There is no specific definition of ‘sensitive data’ set out in the PDPA. However, it can be assumed that ‘sensitive data’ is any data relating to race; ethnic origin; political view; doctrinal, religious or philosophical beliefs; sexual behaviour; criminal record; health record; and biometric information.

(g) Consent

There is no specific definition of ‘consent’ set out in the PDPA. However, it can be assumed that ‘consent’ means permission from a data subject allowing a data controller to collect his or her personal data. In addition, under the PDPA, a data controller must obtain the explicit consent of the data subject, either in writing or in electronic form, in order to collect his or her personal data.

There are no other key terms which are relevant in the data privacy context in Thailand at this time.

Under the Personal Data Protection Act (PDPA) as currently in force, the registration of data controllers and processors is not required in Thailand. An individual or entity will automatically become a data controller when it collects the personal data of a data subject. In addition, the PDPA states that data controllers must not collect, use or disclose personal data unless one of the following applies:

• The data subject has provided his or her prior consent;
• The processing is necessary for the performance of a contract;
• The processing is necessary for compliance with a law to which the data controller is subject;
• The processing is necessary to address a danger to the data subject’s life;
• The processing is necessary for the performance of a task carried out in the public interest by the data controller to achieve a purpose relating to public interest research and statistics; or
• The processing is necessary in the legitimate interests of the data controller, where such interests do not override those of the data subject.

Please see question 4.1.

Please see question 4.1.

The Personal Data Protection Act (PDPA) states that data controllers must not collect, use or disclose personal data unless one of the following applies:

• The data subject has provided his or her prior consent;
• The processing is necessary for the performance of a contract;
• The processing is necessary to comply with a law to which the data controller is subject;
• The processing is necessary to address a danger to the data subject’s life;
• The processing is necessary to perform a task carried out in the public interest by the data controller to achieve a purpose relating to public interest research and statistics; or
• The processing is necessary in the legitimate interests of the data controller, where such interests do not override those of the data subject.

The PDPA recognises consent as a legal basis for the collection, use or disclosure of personal data, and includes specific information on how consent can be obtained and withdrawn.

In addition, the PDPA states that the collection of sensitive data is prohibited unless an exemption applies, such as where the data subject has provided explicit consent.

Currently, specific regulations, announcements and notices in relation to the processing of personal data have not yet been enacted under the PDPA; therefore, the key principles that apply to processing data are the general provisions under the PDPA. A data controller and/or data processor must follow the provisions under the PDPA (eg, in relation to the collection, use and disclose of personal data; the appointment of a data protection officer; data breach notifications).

As mentioned in question 1.5, the PDPA is not yet fully in force and the regulator has not yet issued any regulations or notices on its practical enforcement. It is thus not possible to advise on other requirements, restrictions and best practices in relation to the processing of personal data until such regulations and notices have been issued.

Regarding data transfers inside Thailand, the Personal Data Protection Act (PDPA) states that a data controller must not collect, use or disclose data, including by transferring data to third parties, unless:

• the data subject has provided his or her prior consent; or
• there is a legal basis to allow the data controller to do so (eg, public interest, legitimate interest, addressing a danger to the data subject’s life).

Cross-border data transfers are permitted only to destination countries or international organisations that afford an adequate level of protection as prescribed by the Personal Data Protection Committee (PDPC), unless such transfer fulfils one of the following legal criteria:

• The consent of the data subject has been obtained;
• The transfer is necessary to perform an obligation under a contract or is at the request of the data subject;
• The transfer is performed for a significant public interest;
• The transfer is performed pursuant to the law; or
• The transfer is intended to prevent or address a danger to the life, body or health of the data subject or another person, and the data subject is incapable of giving his or her consent.

As yet, the existence of an adequate level of protection has not been established or prescribed by the PDPC. Once the existence of an adequate level of protection and a personal data protection policy have been established, a data controller or data processor will be permitted to transfer personal data abroad only where there are appropriate safeguards in place, with effective legal remedies that ensure the data subject’s rights.

As mentioned in question 6.1, a cross-border transfer is permitted only to destination countries or international organisations that afford an adequate level of protection as prescribed by the PDPC, unless the transfer fulfils certain legal criteria.

Please see question 5.3.

Under the Personal Data Protection Act (PDPA), the following rights are afforded to each data subject:

• Right to erasure: A data subject has the right to request that his or her personal information be deleted, unless exceptions apply;
• Right to be informed: A data subject has the right to be informed of specific information relating to the collection and processing of personal data;
• Right to object: A data subject has the right to object to the processing of his or her personal data, and to withdraw his or her consent to the processing at any time;
• Right to access: A data subject has the right to access his or her personal data that has been collected and processed by the data controller; and
• Right to data portability: A data subject has the right to receive his or her personal data in a structured, commonly used and machine-readable format, and to transmit such data to third parties.

In addition, in order to collect a data subject’s personal data, the data controller must provide the data subject with information relating to the processing of his or her personal data, such as details of:

• the personal data to be collected;
• the purposes of collection; and
• the fundamental rights of the data subject.

However, there are cases in which a data controller must disclose information relating to the processing of the data subject’s personal data without obtaining his or her consent, such as where the collection is to prevent or address damage to a patient’s life, body or health.

Aside from the right to be informed, which must be observed prior to obtaining a data subject’s consent, a data subject can exercise his or her rights by submitting a request to the data controller or data processor. Further guidance on the submission of this request will be published by the Personal Data Protection Committee.

Data subjects have the right to claim for compensation due to the data controller’s failure (either intentional or negligent) to comply with the PDPA. Under the PDPA, data subjects can lodge a complaint relating to personal data protection to the expert committee(s) to be organised as required under the PDPA.

However, under the PDPA, a data controller is not subject to an obligation to provide compensation where it can be proven that:

• damages were caused by force majeure or by an action of the data subject himself or herself; or
• the actions of the data controller were performed based on legitimate grounds.

Yes, the appointment of a data protection officer (DPO) is mandatory in Thailand. Under the Personal Data Protection Act (PDPA), data controllers and data processors, including their representatives, must appoint a DPO. A DPO must be appointed in the following general circumstances:

• The processing is carried out by a public authority or body;
• The activities of the data controller or data processor relate to the collection, use or disclosure of data and require regular monitoring of personal data or the data system on a large scale; or
• The core activities of the data controller or data processor relate to the collection, use or disclosure of certain categories of data (eg, sensitive data, trade union information, personally identifiable information or any data which may affect the data subject in the same manner, as prescribed by the Personal Data Protection Committee (PDPC)).

Where a data controller and a data processor are members of the same business, a single DPO can be appointed, provided that the DPO is easily accessible by both the data controller and the data processor. The appointment of a single DPO is also permitted for public authorities or bodies (which are data controllers or data processors) that have a large organisational structure or several establishments.

Where a data controller and/or data processor fails to appoint a DPO, it will be liable to an administrative fine of up to THB 1 million.

The appointment of a DPO must be considered based on the candidate’s expert knowledge and expertise in personal data protection, which will be further specified by the PDPC.

The key responsibilities of a DPO are to:

• inform and advise the data controller or data processor and its employees on its obligations under the PDPA;
• monitor the performance and processing operations of the data controller or data processor, including its employees and service providers; and
• act as a contact point for the data controller or data processor.

Yes, in Thailand, the role of DPO can be outsourced; however, the PDPA does not set out specific provisions in this regard. As mentioned in question 8.2, the PDPC will further specify related requirements, restrictions and best practices.

Data controllers and data processors must maintain a record of their personal data processing activities (both in writing and in electronic form). The PDPA prescribes the specific information that a data controller must record with regard to the verification of data subjects and the competent authority, which includes:

• the details of the data controller;
• the purposes of the processing;
• the details of the collected personal data;
• the rights to access and means of accessing the personal data, including the conditions of access and the persons who are authorised to access such data;
• the retention period of the personal data; and
• a general description of applicable security measures.

If the data controller is a foreign entity, it must designate a local representative in Thailand. The local representative of the data controller must perform activities on behalf of the data controller, including recording its processing activities in the same manner as the data controller.

However, the requirements relating to data processing records will not apply to a small organisation, unless the processing:

• is likely to present a risk to the rights and freedoms of a data subject;
• is not occasional; or
• includes special categories of sensitive data.

The PDPA does not provide a list of processing information that a data processor must record. However, according to the PDPA, a notification on data processing records will be published by the relevant authority in the future.

The Personal Data Protection Act (PDPA) states that a data controller and data processor must provide appropriate security measures in order to prevent the unauthorised loss, access, change of use, revision or disclosure of personal data. Currently, the PDPA does not provide a list of appropriate technical and organisational measures. However, the PDPA will provide a list of security measures for personal data protection in a supplemental regulation of the Personal Data Protection Committee (PDPC).

Yes, in the case of a personal data breach, the data controller must notify the regulator (ie, the PDPC) of the breach, except where the breach is unlikely to result in a risk to the data subject’s rights and freedoms. In addition, the data controller must notify the personal data breach to the PDPC without undue delay and, where feasible, within 72 hours of becoming aware of it.

The PDPA does not currently set out requirements for the notification of personal data breaches to the PDPC. However, such requirements will be prescribed in the future in a supplemental regulation of the PDPC.

Yes, if a personal data breach is likely to present a high risk to a data subject’s rights and freedoms, the data controller must notify the breach to the data subject. Currently, the PDPA sets out no exemptions from this requirement. However, specific exemptions will be prescribed in a future supplemental regulation of the PDPC.

In addition, the PDPA sets out no requirements to notify a data subject of a personal data breach. However, requirements will be prescribed in a future supplemental regulation of the PDPC.

Other requirements, restrictions and best practices will be further specified in a future supplemental regulation of the PDPC.

The Labour Protection Act and the Social Security Act oblige employers to collect and retain a record of employees’ personal information (eg, name, age, salary, identification card number). The Personal Data Protection Act (PDPA) also requires employers, as data controllers, to provide employees, as data subjects, with information relating to the processing of their personal data prior to or during the collection of such data, such as:

• the retention period;
• their rights as data subjects;
• the employer’s contact information;
• the possible consequences of failure to provide their personal data; and
• any third parties to which their personal data will be disclosed.

To reiterate, however, as yet there are no specific guidelines on these obligations.

There are no specific laws and regulations that allow for the surveillance of employees in Thailand.

The PDPA is not yet fully in force; it will take full effect on 1 June 2021. In the meantime, employers, as data controllers, should make preparations to ensure compliance with the PDPA (eg, appointing a data protection officer; installing data retention technology).

There are no specific requirements or restrictions that apply to the use of cookies in Thailand. However, the provider of any website will be regarded as a data controller according to the Personal Data Protection Act (PDPA) and must thus comply with the provisions prescribed in the PDPA.

There are no specific requirements and restrictions that apply to cloud computing services in Thailand. However, a cloud computing service provider will be regarded as a data controller according to the PDPA, and must thus comply with the provisions prescribed in the PDPA.

The PDPA is not yet fully in force and supplemental regulations have not yet been issued by the Personal Data Protection Committee. As such, there are no other requirements, restrictions or best practices to consider at present.

No data privacy disputes have been brought as yet under the Personal Data Protection Act (PDPA), as the act is not yet fully in force. Normally, the courts will consider disputes involving violations of data privacy according to the Civil and Commercial Code. We assume that once the PDPA has taken full effect, the Thai courts will adopt the PDPA principles accordingly.

As mentioned in question 12.1, the Civil and Commercial Code will apply to disputes that involve personal privacy, including data privacy violations. However, under the code, the data subject must have suffered damage as a result of the violation; otherwise, he or she may be unable to bring a case in court, as the dispute in practice is a tort-based dispute. If there are provable damages, the court may order the violator to pay damages to the data subject according to the code.

Although the PDPA is not yet fully in force, some cases relating to the violation of personal privacy have nonetheless been heard. For example, in Supreme Court Decision 4893/2558, the court found that the two defendants had violated the plaintiff’s personal privacy and ordered them to pay damages to the plaintiff for this violation.

The Personal Data Protection Act (PDPA) is not yet fully in force and supplemental regulations have not yet been issued by the Personal Data Protection Committee (PDPC). Once the PDPC has issued such regulations, data controllers should have clear rules and procedures to comply with the PDPA.

Please note that the Personal Data Protection Act (PDPA) was due to be fully enforced on 27 May 2020, however, based on the Royal Decree on Organizations and Businesses of which Personal Data Controllers are Exempt from Complying with the Personal Data Protection Act (Royal Decree), the enforcement date has been postponed to 1 June 2021. The Royal Decree lists various types of business which are qualified for the extension of the enforcement including businesses in communication, telecommunication, digital, science, technology, banking, education, industrial and commercial industries, among others.

As the PDPA is not yet fully in force, companies should be making preparations to comply with their duties as data controllers under the act. First, a company should determine whether the PDPA applies to its organisation and activities. If so, it should map data flows within its organisation (ie, what data it collects and how this data is used), and prepare a privacy notice to inform data subjects of the personal data collected. This should be done before the PDPA takes full effect on 1 June 2021.

Regarding the future collection, disclosure and use of personal data, companies should identify the legal basis for such collection, use or disclosure in order to determine whether consent from data subjects is required. A data controller will need to present a privacy notice to, and request consent (if required) from, the data subject from which personal data will be obtained.