Update on Thailand PDPA amendment 2020

Thailand Focus

Data Protection, Privacy and Security Alert


Thailand's Personal Data Protection Act (PDPA) is in the process of being updated, and full implementation and compliance are expected by 1 June 2021. Nevertheless, whilst there is no penalty being enforced at this stage, all data controllers (and data processors) are now required to have in place personal data security measures in accordance with the standard prescribed by the Ministry of Digital Economy and Society. Such standard has recently been set out under the Notification of the Ministry of Digital Economy and Society Re: Personal Data Security Standards B.E. 2563 (2020) (Notification) which was released by the Thai Ministry of Digital Economy for Society and is effective from 18 July 2020.

The Notification sets out minimum standards for the personal data security measures covering administrative safeguard measures, technical safeguard measures, and physical safeguard measures in respect of the access to, or controlling the use of, personal data (Measures).

Specifically, the Measures set out the following:

  1. Access control of personal data as well as the procurement of equipment used for the collection and processing of personal data needs to take into consideration usage, safety and security;
  2. Entities must now set out the relevant criteria that will be put in place with respect to authorisation/rights in accessing personal data;
  3. User access management protocols must be put in place to control the access of personal data by only permitted personnel;
  4. User responsibilities must be clearly specified for the prevention of unauthorised access, disclosure, knowledge and copying of personal data, and stealing of equipment that collects or processes personal data; and
  5. Retroactive inspections of access, alterations, erasures, or transfers of personal data must be able to be arranged in line with suitable methods used in the collection, use or disclosure of personal data.

Please note that the above measures constitute a base level of data security standards that the Notification sets forward. In practice, the specific data security measures implemented by any given company may vary, but such measures must have security standards no lower than those mentioned above.

In addition to implementing the Measures (which would include creating a data inventory and updating or procuring a new IT system) as above explained, the data controllers (and data processors) under the PDPA are also required under the Notification to now notify staff, employees, and/or any relevant persons of the Measures under this Notification in order to raise awareness of the importance of personal data protection and to encourage strict compliance.

If you have any questions for what this means for you or your company, please contact the authors of this article.

Visit Privacy Matters for more of DLA Piper's Global Privacy & Data Protection Resource.