All companies need to be ready for the changes in personal data protection laws in 2019. Thailand’s legislator, the National Legislative Assembly approved the Personal Data Protection Act (PDPA) on February 28, 2019. After royal assent, the law will be published in the Government Gazette and then passed into law this year. The law will be supplemented by subordinate legislation and a procedural framework later in the year which we will update reader on in further updates. Thailand data protection laws will be brought in line with international standards, such as the European Union’s General Data Protection Regulation.
Key changes brought by the PDPA are:
- Consent: data controllers must get written or online consent from data subjects prior to processing their personal data in various ways;
- Sensitive data: there is added protection for sensitive personal data;
- “3rd Country” transfers are restricted;
- Applies to companies operating outside of Thailand: even if the data controller company is based outside of Thailand, the laws will apply to them if they use the services in Thailand;
- Company needs a data controller representative: Data controllers outside Thailand must appoint a representative within the jurisdiction, who has certain rights;
There are severe penalties for non-compliance and include criminal and civil penalties.
Any companies collecting any data from people residing in Thailand (whether foreigner or Thai citizens) should seek legal advice to ensure they comply with the new laws. To ensure that your business is ready, you can contact Silk Legal and we will put together a team of lawyers which will ensure your company is in compliance with the new laws.