Skip to main content

Another Postponement of Personal Data Protection Act

  • Articles

Another Postponement of Personal Data Protection Act

After a long anticipation of the possibility to a further postponement of the  Thai Personal Data Protection Act BE 2562 (2019) (the PDPA), it has now been  confirmed that the full enforcement thereof will be postponed for another one year. On 5 May 2021, the Cabinet has approved in principle the Draft Royal Decree causing the PDPA to be fully effective on 1 June 2022. Originally, the PDPA, which was enacted in May 2019, was set to be fully effective on 27 May 2020; and was later postponed by the Royal Decree dated 21 May 2020 suspending its enforcement to become effective on 1 June 2021. Hence, by another postponement, the PDPA will now be suspended from its original enforcement date for two years  from its enactment. It is also expected that sub-legislations under the PDPA (none exists, at  present) should be passed, by or before the new effective date.

In spite of the postponement, all businesses are recommended to study and understand the PDPA as well as implement relevant measures and put in place necessary legal documents, as soon as practical without waiting for the extended enforcement date. This is to ensure that there will be  sufficient time to adjust necessary proceedings in order to be in line with the PDPA along the way until the actual enforcement date .

Other than that, during the suspension of its enforcement, businesses that are in the capacity of Data Controller are continuously required to put in place an appropriate personal information security measures as required by the ‘Notification of the Ministry of Digital Economy and Society, re: Personal Data Security Measures Standard BE 2563 (2020)’ which covers administrative safeguard, technical safeguard and physical safeguard on the following issues:

  • Personal data access control including devices used to collect and process the personal data, taking into account its usage and security;
  • Determine condition regarding authorisation or rights to access to personal data;
  • Manage and administer users’ access to personal data in order to limit access to such data to only authorised persons;
  • Determine users’ duties in order to prevent unauthorised access or disclosure of personal data or any person gaining knowledge of the personal data, hacking and/or copying personal data, or stealing personal data storage or processing devices; and
  • Determine the method which enables Data Controller to trace back the access, alteration, deletion or transfer of personal data.

 As for the official details about this postponement, there is a need to wait for the issuance of such Royal Decree in Royal Gazette.