Provisions of the Personal Data Protection Act deferred
A Royal Decree was recently issued stating that data controllers in certain entities and businesses are not yet subject to the Personal Data Protection Act, 2562 B.E. (2019) (“the PDPA”). Therefore, the enforcement of certain provisions of the PDPA is deferred to 31 May 2021.
Keywords: Mazars, Thailand, Legal, PDPA, Royal Decree, Data Controllers, Personal Data, Ministry of Digital Economy and Society
11 June 2020
Deferred provisions:
- Chapter 2 – Personal Data Protection
- Personal data collection/Use and disclosure of personal data
- Chapter 3 – Rights of Data Subject
- Chapter 5 – Complaints
- Chapter 6 – Civil Liabilities
- Chapter 7 – Penalties
- Criminal and administrative penalties
- Section 95 – Transitional Provision
- Personal data collected before the effective date of PDPA
Exempt entities and businesses | |||
1. | Governmental authorities | 12. | Tourism businesses |
2. | Governmental authorities of foreign states and international organizations | 13. | Communications, telecommunications, computer, and digital businesses |
3. | Foundations, associations, religious organizations, and non-profit organizations | 14. | Financial, banking, and insurance businesses |
4. | Agricultural businesses | 15. | Immovable property businesses |
5. | Industrial businesses | 16. | Professional businesses |
6. | Commercial businesses | 17. | Administration businesses and its supporting businesses |
7. | Medical and public health businesses | 18. | Science and technology, academic, social welfare, and arts businesses |
8. | Power, steam, water, and waste management businesses and related businesses | 19. | Educational businesses |
9. | Construction businesses | 20. | Entertainment and recreation businesses |
10. | Repair and maintenance businesses | 21. | Security service businesses |
11. | Transportation, logistics, and warehouse businesses | 22. | Household and community businesses where the classification of the business is not clear |
As a result, most businesses in Thailand now have a one-year period in which to establish and improve their internal measures and systems pertaining to the collection, use, disclosure, and transmission of personal data to comply fully with the PDPA.
Even though certain data controllers are exempt from certain provisions of the PDPA, the data controllers must still take the security measures regarding personal information set out by the Ministry of Digital Economy and Society.
Source: The Royal Gazette
Want to know more?