The Thai Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) comes into full force on 1 June 2022. The PDPA technically came into force in 2019, but enforcement of the core provisions of the PDPA, including those imposing duties on data controllers and data processors as well as punishments for violations of the PDPA, was postponed until 1 June 2022 (“Full Enforcement Date”).
There was talk about deferring the Full Enforcement Date until after implementing regulations and guidelines were issued, since Thai laws tend to be rather “thin” on detail. But it now appears that full enforcement of the PDPA will happen before any implementing or explanatory regulations and guidelines are issued.
We are therefore now suggesting preparation for full implementation of the Thai PDPA in its current form. We suggest that our clients and prospective clients do so by addressing these five basic sets of questions:
- Do you understand your duties and requirements under the PDPA?
- Do you have personal data security standards? Have you put in place measures to meet those standards?
- Have you notified your staff, employees, and any relevant persons of the measures to raise awareness of the importance of personal data protection and to encourage compliance?
- Have you prepared your data inventory? Do you know the data flows and risks at each data gateway? Have you appointed suitable personnel and staff (including a Data Protection Officer, if required) to oversee and be responsible for PDPA compliance and updates?
- Have you prepared key required documents under the PDPA, such as privacy policies, privacy notices, consent forms, data processing agreements, data transfer agreements and documents relating to the data subject’s rights and records?
Compliance with the personal data protection laws of other countries, such as the EU General Data Protection Regulation (GDPR) or California data protection law, may not be sufficient. Conduct an independent review based on Thai law.