PDPA updates: What is the PDPA in Thailand?

The PDPA is a statute that prohibits the unauthorized disclosure of a data subject’s personal information. The PDPA will apply to any collection, use, or disclosure of personal data collected within Thailand by a data controller or data processor. When a data controller or data processor is based outside of Thailand, however, the PDPA still applies if the data subject whose data is collected, used, or disclosed is located in Thailand.

What are the four declarations of the PDPA updates?

1. Relaxation of the Data Protection Officer's data record requirements for small-to-medium-sized organizations (SMEs)

SMEs and community companies are no longer required to log data controllers’ working records.

The exception applies to the organizations listed below:

➤ SMEs and factories that employ no more than 200 people and earn no more than 500 million baht per year, or a retail shop or corporation that employs no more than 100 people and earns no more than 300 million baht per year
➤ Community businesses
➤ Enterprises that benefit society
➤ Cooperatives
➤ Foundations, associations, religious organizations, and non-governmental organizations (NGOs)
➤ Family firms or similar enterprises

2. Terms and procedures for creating and maintaining personal data records for data protection officers

Companies have been given a 180-day grace period to prepare for the PDPA’s enforcement and become completely compliant, according to the latest statements.

Latest PDPA updates released

3. Data protection officers' security measures

The third notification establishes the minimal standards for securing personal data in accordance with the Digital Economy and Society Ministry’s safety measures.

Furthermore, to guarantee that these procedures are implemented, the minimum safety criteria have been established in such a manner that they would not impose a significant financial burden on businesses.

4. Administrative fines or penalties imposed by the specialized committee

Prior to the implementation of these new announcements, the PDPA imposed severe penalties for individuals who violated it.

When will these steps be implemented?

The complete PDPA law went into force on June 1st, but these new announcements took effect on June 21st, 2022. Four additional announcements are also expected to be made before the end of June. There is presently no information on what these further announcements are about.

Protect your company's sensitive data

Contact us

310 client reviews (4.8/5) ⭐⭐⭐⭐⭐

Legal obligations