Thailand postpones the implementation of the data protection act until 1 June 2022

By: Samata Masagee, Komson Suntheeraporn, Nahsinee Luengrattanakorn, Thawalkorn Pattanachote

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) came into effect since 28 May 2019 with most provisions scheduled to take full effect on 27 May 2020. Previously, the enforcement of the PDPA for 22 types of businesses listed here1 has been postponed to 31 May 2021.

On 5 May 2021, the Cabinet has approved a draft royal decree proposing to postpone the enforcement of the PDPA for another year, making the PDPA fully enforceable from 1 June 2022 onwards. The Ministry of Digital Economy and Society (MDES) has requested for a second postponement after the PDPA was expected to be in force this upcoming June, citing the impact of the COVID-19 pandemic on organisations in Thailand. More specifically, the MDES recognised that it would be too onerous for organisations in the private sector (especially SMEs) and public sector to comply with the requirements under the PDPA, on top of dealing with the current COVID-19 situation in Thailand.

Another reason for supporting a postponement is that the Personal Data Protection Committee (PDPC) has yet to be established. Even though public hearings by MDES (as the temporary Office of the Personal Data Protection Committee) have taken place in March 2021 to consider certain draft rules and guidelines under the PDPA, the timeline for the actual implementation of these sub-regulations is not yet clear.

It should be noted that whilst the PDPA is not fully enforced at this stage, data controllers are still required to have in place personal data security measures in accordance with the standard prescribed by the MDES. Such standard has recently been set out under the Notification of the Ministry of Digital Economy and Society Re: Personal Data Security Standards B.E. 2563 (2020) (Notification)2. This means that organisations should not view this postponement as an ultimate exemption from the PDPA.

In addition, organisations should keep up to date with local regulatory requirements and ensure that their compliance measures will be effective when the law comes into full force. This is an opportunity to make or continue with necessary preparations such as:

  • Identifying and raising awareness among key players in your organization of the laws on data protection
  • Starting documenting the flow of personal data held by your organisation, where the data came from, how it is used and who it is shared with
  • Preparing or reviewing the current privacy notices/policy
  • Identifying and documenting lawful basis for the use of data or refreshing existing consents
  • Putting in place cross-disciplinary data breach management policies and team to manage data breach incidents effectively
  • Designating a Data Protection Officer (DPO)

1 English translation of Royal Decree: Prescribing Agencies and Businesses Whose Personal Data Controllers Are Not Subjected to Enforcement under Personal Data Protection Act B.E. 2562 (2019) B.E. 2563 (2020) here
2 For more details of this Notification, please refer to our previous alert here