Further to the Thai Cabinet’s approval in principle of another one-year exemption from certain provisions under the Personal Data Protection Act (the PDPA), Royal Decree Re: the PDPA (No. 2) was issued on May 8, 2021, to implement the decision and definitively confirm the exemption to the end of May 2022.
The royal decree extends the original one-year exemption period (implemented by a previous royal decree, issued in May 2020) from May 2021 to the end of May 2022. As a result, the provisions relating to personal data protection, data subject rights, complaints, civil liabilities, penalties, and grandfather provisions will not take effect in June 2021, but will instead take effect on June 1, 2022.
The extension is applicable to a wide-ranging list of operations including banking, commercial activities, communications and telecommunications, construction, digital, education, energy, finance, insurance, medical and public health, professional practices, real estate, tourism, and transportation (among others).
What does the extension mean for businesses?
PDPA compliance assessment suggestions
When conducting PDPA compliance-related activities, we recommend that businesses (i.e. data controllers) avoid focusing too much on collecting consent from their individual customers where possible, as consent is a fragile lawful basis: it can be withdrawn by the data subject at any time. As the PDPA is still relatively new, a common misconception has arisen that consent is always required, but this is not the case. In fact, there are several more durable lawful bases that data controllers can rely upon, such as contractual necessity, legitimate interest, and legal obligations, which should be used where possible.
In addition, when preparing a privacy notice for compliance with the PDPA notification requirements (under section 23 of the act), businesses should ensure that the notice provides “clear and sufficient information” so that the data subjects can understand and reasonably expect the implications that may arise as a result of providing their personal data.
It should be highlighted that, unlike most other requirements under the act, the concept of and requirements for personal data about children (minors) differ from international standards, as they have been localized specifically for Thailand to align with the provisions relating to minors under the Thai Civil and Commercial Code.
With regard to PDPA cross-border transfer requirements, international and local MNCs with affiliates and subsidiaries in multiple jurisdictions may consider preparing their binding corporate rules (or localizing them as appropriate) for cross-border transfers of personal data within their group of companies.
The Personal Data Protection Commission’s supplemental regulations will be issued in due course to give more clarity on the 72-hour data breach notification requirements and the required qualifications of data protection officers (DPOs).
Lastly, the PDPA includes a grandfather provision that could enable businesses to continue to collect and use personal data within the scope of their original purpose after the PDPA becomes fully effective in 2022. Businesses should pay careful attention to those requirements and their implications for existing practices and processes when implementing their compliance plan.