Royal Decree to Postpone Full Enforcement of Personal Data Protection Act of Thailand Finally Published

On 8 May 2021, the Royal Decree on Organisations and Businesses of Which Data Controllers are Exempted from Compliance with the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) No. 2, B.E. 2564 (2021) (“Royal Decree”) was finally published in the Government Gazette.  The Royal Decree becomes effective as of 9 May 2021, resulting in the period of exemption from compliance with the PDPA officially extended for another year.

Previously, in May last year, the Royal Decree on Organisations and Businesses of Which Data Controllers are Exempted from Compliance with the Personal Data Protection Act B.E. 2562 (2019), B.E. 2563 (2020) was enacted to postpone partial enforcement of the PDPA until 1 June 2021, which is fast approaching.  The Royal Decree was originally enacted to take effect during the period of 27 May 2020 to 31 May 2021.  However, under the amended Royal Decree, the effective period of compliance exemption is extended to 31 May 2022.  Therefore, the PDPA will fully come into force as of 1 June 2022.

This Royal Decree to defer the full enforcement of the PDPA was forwarded to the Cabinet by the Ministry of Digital Economy and Society (“MDES”). The Cabinet said that the main reasons for the deferral are that the country is currently facing a difficult time with the pandemic and that the processes for the relevant sub-regulations have not been settled yet, including the appointment of the 16-member Personal Data Protection Committee.

In effect, enforcement of the key substantive provisions of the PDPA will continue not to be applicable to the entities and businesses listed under the Appendix of the Royal Decree until 1 June 2022.

There are 22 types of entities and businesses in the list, which appears to cover almost all businesses, as follows:

  • Government agencies
  • Foreign State agencies and international organisations
  • Foundations, associations, religious organisations and non-profit organisations
  • Agricultural business
  • Industrial activities
  • Commercial activities
  • Medical and public health affairs
  • Energy, steam, water and waste disposal business, including related businesses
  • Construction business
  • Repair and maintenance services
  • Businesses related to transportation, logistics and storage of goods
  • Tourism business
  • Communication, telecommunications, computers and digital businesses
  • Finance, banking and insurance businesses
  • Real estate business
  • Professional business
  • Administration and support services
  • Science and technology affairs, academic work, social work and arts
  • Educational business
  • Entertainment and recreation activities
  • Security business
  • Household affairs and community enterprises which cannot be clearly classified

Although most of the key legal operative provisions of the PDPA will continue not to apply to these 22 types of entities until 1 June 2022, data controllers still have an obligation under the law to provide appropriate measures to secure personal data; in particular, maintaining the “confidentiality”, “integrity” and “availability” of data.

Under the Official Notification on Standards for Personal Data Security B.E. 2563 (2020) (“Security Standard Notification”), data controllers are required to inform their personnel, staff, employees and other relevant parties of the security measures in place for the protection of personal data, as well as to build awareness of the importance of personal data protection among them.

Moreover, data controllers must implement security measures comprising administrative, technical and physical safeguards for controlling the use of and access to personal data. These measures shall at least include data access control, designation of data access permissions and rights, user access management, designation of user responsibilities, and provision of monitoring and checking methods covering the access, alteration, deletion or transfer of personal data.