Personal Data Protection Act of Thailand Comes into Force

The first ever Personal Data Protection Act B.E. 2562 (A.D. 2019) of Thailand (“PDPA”) was published in the Government Gazette on 27th May 2019.  Its provisions on establishing regulatory and enforcement bodies come into force on and from 28th May 2019.  Its Chapters 2, 3, 5, 6 and 7 and Sections 95 and 96 (on personal data protection, right of data subjects, complaints, civil liabilities and penalties) will come into force on 28th May 2020.  The PDPA has adopted some principles from the European Union’s General Data Protection Regulation 2016/679.

We summarized some of its key provisions as follows:

1.   Collection, use and disclosure of personal data of data subjects in Thailand by data controllers or data processors can be made only if explicit consent has been given by the data subjects, except for a few exceptions.

2.   The Personal Data Protection Commission (“PDPC”) and the Office of the PDPC are established to issue and enforce implementation rules under the PDPA.

3.   Personal data can be collected only as necessary and only for a lawful purpose of the data controller.

4.   Data controllers must inform data subjects of the purposes and timeframe for collecting their personal data, the types of persons or authorities to which the collected personal data will be disclosed, the information of the data controllers and the rights of the data subjects (to access, make a copy, raise objection, request to destroy or cease of using their personal data).

5.   Data controllers are prohibited from collecting personal data from any source other than from the data subject, except for a few exceptions.

6.   Data controllers and data processors must implement appropriate measures to protect and secure collected personal data.

7.   Transfer of personal data from Thailand to a foreign country or an international organization can be made only if such country or organization has sufficient standards of personal data protection.

8.   Data controllers and data processors who violate provisions of the PDPA and cause injury to data subjects are liable for paying civil compensation and punitive damages to the injured data subject in addition to criminal liabilities.


The information provided in this document is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided. Under no circumstances shall LawPlus Ltd. and LawPlus Myanmar Ltd. or any of their directors, partners and lawyers be liable for any direct or indirect, incidental or consequential loss or damage that results from the use of or the reliance upon the information contained in this document. Copyright © 2016 to 2020 LawPlus Ltd.