9 May 2021

Thailand postponed the implementation of the data protection act until 1 June 2022

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) came into effect on 28 May 2019, with most provisions scheduled to take full effect on 27 May 2020. Previously, the enforcement of the PDPA for 22 types of businesses listed here [1] was postponed to 31 May 2021 pursuant to the Royal Decree Establishing Organisations and Businesses that the Data Controllers are Exempted from the Applicability of the PDPA B.E. 2562 B.E. 2563 (2020) issued on 21 May 2020 (Royal Decree).

On 8 May 2021, an amendment to the Royal Decree was published in the Royal Gazette (Royal Decree No.2), which postpones the full enforcement of the PDPA for another year, making the PDPA fully enforceable from 1 June 2022 onwards.

The Ministry of Digital Economy and Society (MDES) requested a second postponement (i.e. Royal Decree No.2) after the PDPA was expected to be in force this upcoming June, citing the impact of the COVID-19 pandemic on organisations in Thailand. More specifically, the MDES recognised that it would be too onerous for organisations in the private sector (especially SMEs) and public sector to comply with the requirements under the PDPA, on top of dealing with the current COVID-19 situation in Thailand.

Another reason for supporting a postponement is that the Personal Data Protection Committee (PDPC) has yet to be established. Even though public hearings by MDES (as the temporary Office of the Personal Data Protection Committee) took place in March 2021 to consider certain draft rules and guidelines under the PDPA, the timeline for the actual implementation of these sub-regulations is not yet clear.

It should be noted that whilst the PDPA is not fully enforced at this stage, data controllers are still required to have in place personal data security measures in accordance with the standard prescribed by the MDES. This standard has recently been set out under the Notification of the Ministry of Digital Economy and Society Re: Personal Data Security Standards B.E. 2563 (2020) (Notification) [2]. This means that organisations should not view this postponement as an ultimate exemption from the PDPA.

In addition, organisations should keep up to date with local regulatory requirements and ensure that their compliance measures will be effective when the law comes into full force. This is an opportunity to make or continue with necessary preparations such as:

  • Identifying and raising awareness among key players in your organisation of the laws on data protection
  • Starting to document the flow of personal data held by your organisation, where the data came from, how it is used and who it is shared with
  • Preparing or reviewing the current privacy notices/policy
  • Identifying and documenting the lawful basis for the use of data or refreshing existing consents
  • Putting in place cross-disciplinary data breach management policies and a team to manage data breach incidents effectively
  • Designating a Data Protection Officer (DPO)

[1] English translation of Royal Decree Establishing Organisations and Businesses that the Data Controllers are Exempted from the Applicability of the PDPA B.E. 2562 B.E. 2563 (2020) here

[2] For more details of this Notification, please refer to our previous alert here