Appointment of Personal Data Protection Committee and Enforcement of Personal Data Protection Act

On 18 January 2022, the Prime Minister’s Office announced the appointment of a Chairperson and 9 honorary directors for the Personal Data Protection Committee, in correspondence with Sections 8(1), 8(4) and 10 of the Personal Data Protection Act BE 2562 (2019) (“PDPA”), effective as of 11 January 2022. Under the PDPA, the Personal Data Protection Committee will have the power, among others, to propose a master plan on the operation for the promotion and protection of personal data, to set out guidance or measures regarding protection of personal data as well as to issue notifications or rules for the execution of the PDPA. With this successful appointment of the Personal Data Protection Committee, it is expected that Thai Government will not postpone enforcement of the PDPA for another year, causing the law to fully come into force in Thailand as of 1 June 2022.

Originally, the PDPA was set to became effective in 2020. However, due to the ongoing COVID-19 situation and an acknowledgement that Thailand was not yet ready for the PDPA, the Thai Government decided to postpone the PDPA twice, both in 2020 and 2021.

In addition to the appointment of the Personal Data Protection Committee, for the PDPA to be enforced this year, another important pending matter is the issuance of PDPA subsidiary legislation, for which there has been a public hearing on the three groups of subsidiary legislation. Said three groups of subsidiary legislation encompass regulations on various topics that could help businesses to better understand about their legal obligations and necessary measures which should be implemented to be in line with the PDPA. In this regard, the appointment of the Personal Data Protection Committee should expedite the issuance of these subsidiary legislations, which are expected to be issued before the effective date of the PDPA.

Once the PDPA becomes fully effective, in order to legally collect, use or disclose personal data, business entrepreneurs deemed as a Data Controller or Data Processor must fulfil certain requirements. One of the important obligations is that the Data Controller will be unable to collect personal information unless the data subject gives his/her consent for such purposes; or the Data Controller can rely on other legal basis, namely research or statistics, vital interest, contracts, public tasks, legitimate interests or legal obligations. Other requirements and conditions set out under the PDPA in relation to the collection, use and disclosure of personal data also prompts businesses to identify all personal data they have obtained (commonly referred to as ‘data mapping’) in order to enable them to fully understand their duties under the PDPA. Additionally, all businesses are recommended to review or prepare certain forms/legal documents thus to ensure their compliance with the PDPA, such as the consent form, privacy notice/policy, any relevant agreement with a third party and other relevant policies.

Since the concept of personal data protection law is new in Thailand, to ensure that businesses will have sufficient time to adjust until the actual enforcement date, any preparation for PDPA compliance should commence promptly without waiting until the PDPA becomes fully effective, or sub-regulations thereof are issued.

This Newsletter is intended merely to provide a regulatory overview and is not intended to be comprehensive; it is NOT a provision of legal advice. Should you have any questions on this or on any other areas of law, please do not hesitate to contact the following:

Chanakarn Boonyasith
Partner 

Pitchabsorn Whangruammit
Attorney-at-Law