You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

January 19, 2022

Thailand Establishes Personal Data Protection Commission

Thailand has completed the establishment of the Personal Data Protection Commission (PDPC), the regulator under the country’s Personal Data Protection Act B.E. 2562 (PDPA), strongly indicating that the planned full enforcement of the PDPA on June 1, 2022, is likely to proceed as scheduled.

The establishment of the PDPC was finalized on January 18, 2022, when the Announcement of the Prime Minister’s Office on the Appointment of Chairperson and Honorary Members of the PDPC was published in the Government Gazette.

As stipulated in the PDPA, the PDPC consists of:

  • The chairperson, appointed based on knowledge, skills, and experience;
  • The vice-chairperson, who is the permanent secretary of the Ministry of Digital Economy and Society;
  • Five commission members, designated based on their positions in certain government agencies (as prescribed under the PDPA); and
  • Nine honorary commission members appointed based on knowledge, skills, and experience in personal data protection, consumer protection, technology and telecommunication, social science, law, health, finance, or other relevant fields.

As the vice-chairperson and the five commission members are appointed to the PDPC based on their positions, the January 18 announcement appointing the chairperson and the nine honorary commission members completes the formation of the PDPC.

The full enforcement of the PDPA has been previously postponed, and many businesses had expressed concern that another extension would be forthcoming before the current enforcement date. However, the successful establishment of the PDPC is a fundamental prerequisite to enforcement and indicates that the effective date of the PDPA on June 1, 2022, is unlikely to be further postponed. In addition, the PDPA’s draft subordinate regulations that were the subject of a series of public hearings last year are likely to be issued in the near future.

Companies and other organizations that are not yet compliant with the PDPA should now assess their current practices for handling and processing personal data in order to ensure that any compliance gaps can be closed or minimized before the full enforcement date.

For more details on the requirements under the PDPA and its subordinate regulations, please consult the Tilleke & Gibbins data privacy team by contacting Nopparat Lalitkomon at [email protected] or +66 2056 5646, Gvavalin Mahakunkitchareon at [email protected] or +66 2056 5648, or Thammapas Chanpanich at [email protected] or +66 2056 5561.