You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

March 13, 2018

Thailand: Update on the Latest Draft of the Personal Data Protection Act

Subscribe to Updates

In January 2018, the government called for the fourth public hearing of the draft Personal Data Protection Act. There were no substantial changes in this draft as compared to the prior version published in March 2015, although minor changes were made. This article reviews some of the key provisions in the latest draft bill, noting where changes have been made from the previous draft.

§5: Definition of “Personal Data” – unchanged

“Personal Data” means any data pertaining to a person, which enables the identification of that person, whether directly or indirectly, but not including data which specifies only the name, title, workplace, or business address and data of the deceased specifically.

§5: Definition of a “Data Controller” – unchanged

“Personal Data Controller” means a person or juristic person with the power and duty to make decisions regarding the collection, use, or disclosure of personal data.

§5: Definition of “Data Processor” – updated

“Personal Data Processor” means a person or a juristic person that collects, uses, or discloses Personal Data on behalf of, or in accordance with, the instructions of a Personal Data Controller.

§20: Consent Requirements and Exemptions – updated

Consent from a Data Subject is still required for the collection of Personal Data. Under the 2015 draft, consent is exempted if data is collected:

  1. for conducting research, statistical analysis, or for the public interest, and the data is kept confidential;
  2. for preventing emergencies or protecting others from danger;
  3. from publicly available information;
  4. in compliance with the law; or,
  5. for other reasons as further prescribed by the Commission.

The new 2018 draft includes two additional provisions:

  1. for the public interest or in the exercise of a government authority, which is the Data Controller, provided that it does not violate the fundamental rights and freedom of the Data Subject; and
  2. for the legitimate interests of the Data Controller or a third party, provided that it does not violate the fundamental rights and freedom of the Data Subject.

§23: Cross-border Transfer of Personal Data – unchanged

Overseas transfers of Personal Data must be made in accordance with a specific regulation, which is to be prescribed by the Commission, except in the following cases:

  • where the law so prescribes;
  • where the consent of the Data Subject has been obtained;
  • where it is in compliance with a contract entered into by the Data Subject and the Data Controller;
  • where it is for the interests of the Data Subject, who is unable to give consent at such time;
  • where it is a transmission to a person who has been granted a mark certifying the standards in relation to personal data protection; or
  • other cases as prescribed by the Commission.

§28: Data Controller’s Duties – updated

Under the 2015 draft, the Data Controller is required to meet the following requirements:

  • Security Measures. Arrange for appropriate security measures to prevent unauthorized access.
  • Prevention Measures. If the personal data must be disclosed to another person (non-Data Controller), the Data Controller must prevent that person from using or disclosing the Personal Data unlawfully, or without authorization.
  • Deletion Requirement. Destroy Personal Data when the permitted period expires, or the Data Subject revokes their consent.
  • Notification of Breach. Inform the Data Subject of any breach incident without delay. The number of cases in which the Data Subjects have been affected must also be reported to the Commission, as required by the Commission.
  • New Internal Assessment Requirement. Frequently assess possible impacts to Personal Data from a privacy aspect.

§29: Data Processor’s Duties – new

The Data Processor is required to:

  • arrange for collection, use, or disclosure of Personal Data, specifically in accordance with the instructions of the Data Controller, except for those instructions which are unlawful or which fall outside the personal data protection requirements under this act;
  • arrange for appropriate security measures to prevent unauthorized access to Personal Data; and
  • prepare and maintain records for processing transactions, as further required by the Commission.

§69 – 73: Penalties – updated

Imprisonment penalties have all been removed. The monetary fines remain unchanged.

§81: Grandfather Provision – new

The Data Controller may continue to use data that was collected before the law became effective for the purpose for which the Data Subject was initially informed. However, the Data Controller must arrange to obtain the consent of preexisting Data Subjects within a period, and under conditions, to be further prescribed by a ministerial regulation, provided that the period under the ministerial regulation does not exceed three years.

Effective Date

The 2018 draft Personal Data Protection Act will be effective 365 days after publication in the Government Gazette. When the law eventually comes into effect, it is sure to have a major impact on business operations. All businesses will need to continue to closely monitor the progress of the Personal Data Protection Act as it continues to move through the legislative process.

Download Full Article
Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

July 24, 2024

Practical Law: Intellectual Property Transactions in Vietnam 2024

Experts from Tilleke & Gibbins’ intellectual property team have contributed an updated Intellectual Property Transactions in Vietnam to Thomson Reuters Practical Law, a high-level comparative overview of  laws and regulations across multiple jurisdictions. Intellectual Property Transactions focuses on business-related aspects of intellectual property, such as the value of intellectual assets in M&A transactions, and the licensing of IP portfolios. Key topics covered in the chapter include: IP assignment: Basis and formalities for assignments of patents, utility models, trademarks, copyright, design rights, trade secrets, confidential information, and domain names. IP licensing: Scope and formalities for licensing patents, utility models, trademarks, copyright, design rights, and trade secrets. Research and development collaborations. IP audits. IP aspects of M&A: Due diligence, warranties/indemnities, and transfer of IPRs. Employee and consultant agreements. Practical Law, a legal reference resource from Thomson Reuters, publishes a range of guides for hundreds of jurisdictions and practice areas. The Intellectual Property Transactions Global Guide is a valuable resource for legal practitioners, covering numerous jurisdictions worldwide. To view the latest version of the Intellectual Property Transactions in Vietnam overview, please visit the Practical Law website and enroll in the free Practical Law trial to gain full access.
Read More
July 24, 2024

Practical Law: Intellectual Property Transactions in Thailand 2024

Intellectual property specialists from Tilleke & Gibbins in Thailand have contributed an updated Intellectual Property Transactions in Thailand overview for Thomson Reuters Practical Law, an online publication that provides comprehensive legal guides for jurisdictions worldwide. The Thailand overview was authored by Darani Vachanavuttivong, managing partner of Tilleke & Gibbins and managing director of the firm’s regional IP practice; Titikaan Ungbhakorn, senior associate and patent agent; and San Chaithiraphant, senior associate. The chapter delivers a high-level examination of critical aspects of IP law, including IP assignment and licensing, research and development collaborations, IP in mergers and acquisitions (M&A), securing loans with intellectual property rights, settlement agreements, employee-related IP issues, competition law, taxation, and non-tariff trade barriers. Key topics covered in the chapter include: IP assignment: Basis and formalities for assignments of patents, utility models, trademarks, copyright, design rights, trade secrets, confidential information, and domain names. IP licensing: Scope and formalities for licensing patents, utility models, trademarks, copyright, design rights, and trade secrets. Research and development collaborations: Management of improvements, derivatives, and joint ownership of IP. IP aspects of M&A: Due diligence and critical considerations during mergers and acquisitions. Practical Law, a legal reference resource from Thomson Reuters, publishes a range of guides for hundreds of jurisdictions and practice areas. The Intellectual Property Transactions Global Guide is a valuable resource for legal practitioners, covering numerous jurisdictions worldwide. To view the latest version of the Intellectual Property Transactions in Thailand overview, please visit the Practical Law website and enroll in the free Practical Law trial to gain full access.
Read More
July 24, 2024

Acted for Nordic Transport Group in its Acquisition of Freightzen Logistics

Acted as lead counsel for Nordic Transport Group A/S (NTG), an international freight forwarding company based in Denmark, in its acquisition of a stake in Asia-based Freightzen Logistics Ltd., Inc. through a newly established subsidiary, NTG APAC Holding Pte. Ltd.
Read More
July 23, 2024

Tilleke & Gibbins Lawyers Recognized in Who’s Who Legal Southeast Asia Guide 2024

In the Who’s Who Legal (WWL) Southeast Asia guide for 2024, a total of 12 Tilleke & Gibbins lawyers have been distinguished as market leaders in various legal practice areas. The firm’s 12 recognized lawyers, singled out for their commitment to delivering exceptional legal services to Tilleke & Gibbins’ clients, are grouped into seven practice areas: Asset Recovery: Thawat Damsa-ard Data: Alan Adcock, Athistha (Nop) Chitranukroh Franchise: Alan Adcock, Jay Cohen Intellectual Property: Alan Adcock (Patents, Trademarks), Darani Vachanavuttivong (Patents, Trademarks), Kasama Sriwatanakul (Trademarks), Linh Thi Mai Nguyen (Trademarks), Somboon Earterasarun (Trademarks), Wongrat Ratanaprayul (Patents) Investigations: John Frangos and Thawat Damsa-ard Labor, Employment, and Benefits: Pimvimol (June) Vipamaneerut Life Sciences: Alan Adcock, Loc Xuan Le The annual WWL Southeast Asia rankings guide, published by the London-based group Law Business Research, aims to identify the foremost legal practitioners across a range of business law practice areas. The rankings are largely based on feedback and nominations received from other WWL-ranked and nominated attorneys around the world. These peer-driven recognitions highlight Tilleke & Gibbins’ dedication to maintaining the highest standards of legal service and helping clients achieve success. To read more about the WWL Southeast Asia guide, or to browse the full results, please visit the WWL website.
Read More
Load More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2023 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Legal Notice