You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

May 12, 2021

Personal Data Protection Act: Royal Decree Extends Compliance Date to June 1, 2022

Subscribe to Updates

Further to the Thai Cabinet’s approval in principle of another one-year exemption from certain provisions under the Personal Data Protection Act (the PDPA), Royal Decree Re: the PDPA (No. 2) was issued on May 8, 2021, to implement the decision and definitively confirm the exemption to the end of May 2022.

The royal decree extends the original one-year exemption period (implemented by a previous royal decree, issued in May 2020) from May 2021 to the end of May 2022. As a result, the provisions relating to personal data protection, data subject rights, complaints, civil liabilities, penalties, and grandfather provisions, will not be effective in June 2021, but will instead take effect on June 1, 2022.

The extension is applicable to a wide-ranging list of operations including banking, commercial activities, communications and telecommunications, construction, digital, education, energy, finance, insurance, medical and public health, professional practices, real estate, tourism, and transportation (among others).

What does the extension mean for businesses?

  • The extension will give businesses more flexibility in preparing for compliance with the PDPA.
  • During the extension period, businesses should continue to monitor supplemental regulations that will be issued for public hearings before implementation. As with the principles recognized in the PDPA itself, which are materially influenced by international data protection standards (especially the EU’s General Data Protection Regulation, or GDPR), the government has publicly announced that the supplemental regulations will recognize and follow international standards of personal data protection (again, particularly those of the GDPR).
  • Overseas-established businesses may fall within the scope of the PDPA if they are offering goods or services to data subjects in Thailand (with or without an exchange of money or other valuable property) or monitoring the behavior of data subjects taking place in Thailand. This is sometimes referred to as “extraterritoriality,” and is similar to an internationally recognized principle of the GDPR.
  • Data controllers must still implement security measures for personal data protection, in accordance with the standards prescribed by the Ministry of Digital Economy and Society (MDES). The MDES is expected to issue another notification on those standards in the near future, similar to the prior MDES notification dated July 17, 2020, which is due to expire at the end of this month. The requirements will likely follow the same principles (such as access control standards, user responsibilities, record monitoring, etc.).
  • Businesses that have not yet conducted their self-assessment for compliance with the PDPA should take this opportunity to begin the process, start identifying compliance gaps, and develop their mitigation plans for closing such gaps.

PDPA compliance assessment suggestions

When conducting PDPA compliance-related activities, we recommend that businesses (i.e. data controllers) avoid focusing too much on collecting consent from their individual customers if possible, as relying on consent as the lawful basis is vulnerable and can be withdrawn at any time. As the PDPA is still relatively new, a common misconception has arisen that consent is always required, but this is not the case. In fact there are several more durable lawful bases that data controllers can rely upon, such as contractual necessity, legitimate interest, and legal obligations, which should be made use of where possible.

In addition, when preparing a privacy notice for compliance with the PDPA notification requirements (under section 23 of the act), businesses should ensure that the notice provides “clear and sufficient information” so that the data subjects can understand and reasonably expect the implications that may arise as a result of providing their personal data.

It should be highlighted that, unlike other requirements, the concept and requirements for personal data about children (minors) differ from international standards as they have been localized for Thailand specifically to align with the provisions relating to minors under the Thai Civil and Commercial Code.

With regard to PDPA cross-border transfer requirements, international and local MNCs with affiliates and subsidiaries in multiple jurisdictions may consider preparing their binding corporate rules (or localizing them as appropriate) for cross-border transfers of personal data within their group of companies.

The Personal Data Protection Commission’s supplemental regulations will be issued in due course to give more clarity on the 72-hour data breach notification requirements and the data protection officer (DPO) required qualifications.

Lastly, the PDPA includes a grandfather provision that could enable businesses to continue to collect and use personal data within the scope of their original purpose after the PDPA becomes fully effective in 2022. Business should pay careful attention to those requirements and their implications for existing practices and processes when implementing their compliance plan.

Related Professionals

Industries

Aviation

Consumer Products

Energy

Insurance

Life Sciences

Technology

Practices

Corporate/M&A

Location

RELATED INSIGHTS​

July 24, 2024

Practical Law: Intellectual Property Transactions in Vietnam 2024

Experts from Tilleke & Gibbins’ intellectual property team have contributed an updated Intellectual Property Transactions in Vietnam to Thomson Reuters Practical Law, a high-level comparative overview of  laws and regulations across multiple jurisdictions. Intellectual Property Transactions focuses on business-related aspects of intellectual property, such as the value of intellectual assets in M&A transactions, and the licensing of IP portfolios. Key topics covered in the chapter include: IP assignment: Basis and formalities for assignments of patents, utility models, trademarks, copyright, design rights, trade secrets, confidential information, and domain names. IP licensing: Scope and formalities for licensing patents, utility models, trademarks, copyright, design rights, and trade secrets. Research and development collaborations. IP audits. IP aspects of M&A: Due diligence, warranties/indemnities, and transfer of IPRs. Employee and consultant agreements. Practical Law, a legal reference resource from Thomson Reuters, publishes a range of guides for hundreds of jurisdictions and practice areas. The Intellectual Property Transactions Global Guide is a valuable resource for legal practitioners, covering numerous jurisdictions worldwide. To view the latest version of the Intellectual Property Transactions in Vietnam overview, please visit the Practical Law website and enroll in the free Practical Law trial to gain full access.
Read More
July 24, 2024

Practical Law: Intellectual Property Transactions in Thailand 2024

Intellectual property specialists from Tilleke & Gibbins in Thailand have contributed an updated Intellectual Property Transactions in Thailand overview for Thomson Reuters Practical Law, an online publication that provides comprehensive legal guides for jurisdictions worldwide. The Thailand overview was authored by Darani Vachanavuttivong, managing partner of Tilleke & Gibbins and managing director of the firm’s regional IP practice; Titikaan Ungbhakorn, senior associate and patent agent; and San Chaithiraphant, senior associate. The chapter delivers a high-level examination of critical aspects of IP law, including IP assignment and licensing, research and development collaborations, IP in mergers and acquisitions (M&A), securing loans with intellectual property rights, settlement agreements, employee-related IP issues, competition law, taxation, and non-tariff trade barriers. Key topics covered in the chapter include: IP assignment: Basis and formalities for assignments of patents, utility models, trademarks, copyright, design rights, trade secrets, confidential information, and domain names. IP licensing: Scope and formalities for licensing patents, utility models, trademarks, copyright, design rights, and trade secrets. Research and development collaborations: Management of improvements, derivatives, and joint ownership of IP. IP aspects of M&A: Due diligence and critical considerations during mergers and acquisitions. Practical Law, a legal reference resource from Thomson Reuters, publishes a range of guides for hundreds of jurisdictions and practice areas. The Intellectual Property Transactions Global Guide is a valuable resource for legal practitioners, covering numerous jurisdictions worldwide. To view the latest version of the Intellectual Property Transactions in Thailand overview, please visit the Practical Law website and enroll in the free Practical Law trial to gain full access.
Read More
July 24, 2024

Acted for Nordic Transport Group in its Acquisition of Freightzen Logistics

Acted as lead counsel for Nordic Transport Group A/S (NTG), an international freight forwarding company based in Denmark, in its acquisition of a stake in Asia-based Freightzen Logistics Ltd., Inc. through a newly established subsidiary, NTG APAC Holding Pte. Ltd.
Read More
July 23, 2024

Tilleke & Gibbins Lawyers Recognized in Who’s Who Legal Southeast Asia Guide 2024

In the Who’s Who Legal (WWL) Southeast Asia guide for 2024, a total of 12 Tilleke & Gibbins lawyers have been distinguished as market leaders in various legal practice areas. The firm’s 12 recognized lawyers, singled out for their commitment to delivering exceptional legal services to Tilleke & Gibbins’ clients, are grouped into seven practice areas: Asset Recovery: Thawat Damsa-ard Data: Alan Adcock, Athistha (Nop) Chitranukroh Franchise: Alan Adcock, Jay Cohen Intellectual Property: Alan Adcock (Patents, Trademarks), Darani Vachanavuttivong (Patents, Trademarks), Kasama Sriwatanakul (Trademarks), Linh Thi Mai Nguyen (Trademarks), Somboon Earterasarun (Trademarks), Wongrat Ratanaprayul (Patents) Investigations: John Frangos and Thawat Damsa-ard Labor, Employment, and Benefits: Pimvimol (June) Vipamaneerut Life Sciences: Alan Adcock, Loc Xuan Le The annual WWL Southeast Asia rankings guide, published by the London-based group Law Business Research, aims to identify the foremost legal practitioners across a range of business law practice areas. The rankings are largely based on feedback and nominations received from other WWL-ranked and nominated attorneys around the world. These peer-driven recognitions highlight Tilleke & Gibbins’ dedication to maintaining the highest standards of legal service and helping clients achieve success. To read more about the WWL Southeast Asia guide, or to browse the full results, please visit the WWL website.
Read More
Load More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2023 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Legal Notice