Search for:

The Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”) has been published in the Government Gazette on 27 May 2019.

1. Timeframe

With very few exceptions, companies and organizations collecting, using, disclosing, and/or transferring personal data will have preparation time for a period of one year to become fully compliant with key provisions on personal data protection before the penalties kick in. The sub-regulations should be completely issued within the next two years.

2. Seven key things to know

A summary of the seven key things you should know about the PDPA key points is as follows:

    (1) Personal Data. The PDPA governs any data of an alive person that could identify that person directly or indirectly. For example, any personal data of an individual handled by the company, including customer data, employee data, data of directors, shareholders, contractors, suppliers, seminar and market survey participants, and data involving customer complaints and inquiries would be subject to the PDPA.
    (2) Players. The Personal Data Protection Committee will be established to set out further sub-regulations and protect the rights of the data subjects. Any entities collecting, using, disclosing and/or transferring personal data will be required to comply with the PDPA as a data controller and/or a data processor (which have different roles and obligations).
    (3) Applicability. The PDPA has extraterritorial applicability. Thus, data controllers and data processors both in and outside of Thailand could be subject to the PDPA.
    (4) Legal basis. In order to collect, use, disclose and/or transfer personal data, the data controller has to rely on legal basis, which could be consent or other exemptions (e.g., vital interest, public interest, legal obligations, and legitimate interest).
    (5) Personnel. The data controller and the data processor could be required to appoint a data protection officer and a representative in Thailand, which subject to future sub-regulations.
    (6) Rights of data subjects. The data controller has to guarantee the rights of the data subjects.
    (7) Penalties. The PDPA imposes penalties for non-compliance. It is punishable with administrative fines (up to THB 5 million), criminal penalties (imprisonment up to one year and/or fines up to THB 1 million), and punitive damages up to twice the amount of the actual damages. Furthermore, civil damages under the PDPA can be multiplied as Thailand now allows data subjects to bring a class action lawsuit. The director of a company could also be subject to penalties under the PDPA.

3. What to do next?

We urge all entities to immediately assess their internal personal data governance and start taking action for compliance. The road to full compliance with the PDPA could involve the engagement from all departments in an entity and appropriate “tone at the top” through senior management endorsement of the privacy governance framework. Within a transitional period of one year, there are a number of steps to be taken, e.g., (1) conduct data mapping, (2) determine legal basis
and applicable obligations, (3) revisit privacy notice and create relevant legal documents, (4) implement data management process and operation system, and (5) maintain compliance with the PDPA. The right approach for your company should be customized to fit the size and the business operation of each entity.

GDPR-compliant companies should also revisit compliance with PDPA as there are differences in the aspects of compliance.

We will continue to update you with a series of updates and recommendations from now until the effective date of the PDPA in 27 May 2020.


Dhiraphol Suwanprateep is a partner in Baker McKenzie's Bangkok office, where he is head of the IT/Communications Practice Group and co-head of the Intellectual Property Practice Group. Mr. Suwanprateep advises clients on government initiatives, particularly Thailand's Digital Economy Initiative which promotes the local ITC sector through strategies aimed at developing related infrastructure, accelerating innovation, and transforming the country's economy into one that is based on digital technologies. His work also involves advising on the amended Computer Crime Act which increases penalties for cyber crimes. He is also a regular commentator and contributor to local, regional and global media on the government's proposed initiatives and frequently participates in local community engagements throughout the country. Dhiraphol joined Baker McKenzie in 1987 and became a partner in 1992.


Nont is a partner in Baker McKenzie Bangkok's Intellectual Property and Technology practice group. He has more than 25 years of experience representing a wide range of business and institutional clients in various Intellectual Property (IP) and Technology matters.

He is a Certified Information Privacy Professional Europe (CIPP/E) by the International Association of Privacy Professionals (IAPP) and is a regular contributor at events held by international and local associations on TMT issues including personal data protection laws, cybersecurity laws and many other related topics.