Provisions of the Personal Data Protection Act deferred

A Royal Decree was recently issued stating that data controllers in certain entities and businesses are not yet subject to the Personal Data Protection Act, 2562 B.E. (2019) (“the PDPA”). Therefore, the enforcement of certain provisions of the PDPA is deferred to 31 May 2021.

Keywords: Mazars, Thailand, Legal, PDPA, Royal Decree, Data Controllers, Personal Data, Ministry of Digital Economy and Society

11 June 2020

Deferred provisions:

  • Chapter 2 – Personal Data Protection
    • Personal data collection/Use and disclosure of personal data
  • Chapter 3 – Rights of Data Subject
  • Chapter 5 – Complaints
  • Chapter 6 – Civil Liabilities
  • Chapter 7 – Penalties
    • Criminal and administrative penalties
  • Section 95 – Transitional Provision
    • Personal data collected before the effective date of PDPA

Exempt entities and businesses

1.

Governmental authorities

12.

Tourism businesses

2.

Governmental authorities of foreign states and international organizations

13.

Communications, telecommunications, computer, and digital businesses

3.

Foundations, associations, religious organizations, and non-profit organizations

14.

Financial, banking, and insurance businesses

4.

Agricultural businesses

15.

Immovable property businesses

5.

Industrial businesses

16.

Professional businesses

6.

Commercial businesses

17.

Administration businesses and its supporting businesses

7.

Medical and public health businesses

18.

Science and technology, academic, social welfare, and arts businesses

8.

Power, steam, water, and waste management businesses and related businesses

19.

Educational businesses

9.

Construction businesses

20.

Entertainment and recreation businesses

10.

Repair and maintenance businesses

21.

Security service businesses

11.

Transportation, logistics, and warehouse businesses

22.

Household and community businesses where the classification of the business is not clear

 As a result, most businesses in Thailand now have a one-year period in which to establish and improve their internal measures and systems pertaining to the collection, use, disclosure, and transmission of personal data to comply fully with the PDPA.

Even though certain data controllers are exempt from certain provisions of the PDPA, the data controllers must still take the security measures regarding personal information set out by the Ministry of Digital Economy and Society.

Source: The Royal Gazette  

Want to know more?