THAILAND: Personal Data Protection Act Comes into Force 1 June 2022

Thailand’s first Personal Data Protection Act (PDPA) comes into effect on 1 June 2022. The PDPA requires data controllers and processors (data users) to ensure that data owners give explicit consent for any use, disclosure or collection of personal information and regulates its subsequent use. Exemptions are granted for public interest; contractual obligations; or legislation compliance. The PDPA supports various free trade agreements’ data regulation, digital commerce and online banking requirements. 

The Act applies both to organisations in Thailand and abroad that control and process data from sales or consumer behaviour in the country. It identifies two categories: general data including name, date of birth and contact details; and sensitive data on race, sex, religion, health, biometrics and politics. 

Data owners are guaranteed rights, including being informed of intended data use; accessing data held; rectification of inaccuracies; objecting inappropriate use; restricting processing; data erasure; and the right to data portability. Data users must now inform data owners of any security breaches. 

Violators face fines between THB500,000 (US$14,432) and THB5 million, plus punitive compensation. Regulatory panels will address complaints and implement the law.