
Subsidiary Legislation of Personal Data Protection Act


Full enforcement of the Thai Personal Data Protection Act BE 2562 (2019) (the “PDPA”) has been deferred for another year, meaning that it will be fully effective as of 1 June 2022. During this period, however, a data controller is required to put in place appropriate personal information security measures as required by the ‘Notification of the Ministry of Digital Economy and Society, re: Personal Data Security Measures Standard BE 2563 (2020)’, which has been extended to cover the period until 31 May 2022 by virtue of the ‘Notification of the Ministry of Digital Economy and Society, re: Personal Data Security Measures Standard (No. 2) BE 2564 (2021)’.

Many companies are currently working to adopt relevant measures, policies and document forms, so that the collection, use and disclosure of personal data are all in line with the PDPA before its full enforcement. However, there are difficulties in fully understanding the PDPA’s requirements due to a lack of the necessary sub-legislation. In this regard, the Thai Government is preparing to issue a number of appropriate sub-legislations which would help businesses to implement measures and fulfil their duties as required under the PDPA.

As of today, two public hearings on PDPA sub-legislations have been held, in accordance with the two groups of relevant PDPA sub-legislations. The first public hearing was conducted online in February 2021, and covered the following issues:

  • Criteria and method for obtaining consent
  • Responsibilities of data controller pertaining to measures in dealing with data subjects’ requests for the exercise of rights and data breach notification
  • Privacy notice
  • Data security measures
  • Suitable measures for processing sensitive personal information
  • Data protection officers (DPO)
  • Criteria and personal data protection policy for cross-border data transfer
  • Complaint process

The second public hearing was held online recently, on 7-10 June 2021, and covered, among others, the following matters:

  • Scope of the PDPA application and designation of a representative
  • Data subjects’ rights
  • Coordination between the regulatory bodies
  • Responsibility of data processor
  • Exemption from the PDPA

There were several interesting legal issues raised during the two public hearings on PDPA sub-legislation, e.g. the Government is considering the issuance of consent forms, both binding and non-binding (model form) versions, taking into account the standard of each business sector. Moreover, the Government also discussed the possibility of exempting additional activities from the application of the PDPA. Under Section 4, the PDPA does not apply to certain activities or certain entities; the section further provides that any other exemptions can/will be prescribed by Royal Decree. Possible exemptions discussed included non-filing system activities; the disclosure of personal data to seek legal consultancy or instigate legal proceedings; personal data processed by legal professionals; and personal data processed to conduct research and statistical analysis, or as a confidential reference.

Please note that there is still another public hearing to be held to discuss the last group of the PDPA sub-legislations, the timeline of which has not yet been fixed by the relevant authority. In this regard, it is expected that the PDPA sub-legislation should be ready to be issued within one year following the successful establishment of the Personal Data Protection Committee.

This Newsletter is intended merely to provide a regulatory overview and is not intended to be comprehensive; it is NOT a provision of legal advice. Should you have any questions on this or on any other areas of law, please do not hesitate to contact the following:

Chanakarn Boonyasith
Partner

Pitchabsorn Whangruammit
Attorney-at-Law