
May 20, 2020

Personal Data Protection Act: Thai Cabinet Provides Partial Compliance Extension to May 2021

On May 19, 2020, the Thai Cabinet approved the implementation of a royal decree providing a one-year exemption from certain provisions under the Personal Data Protection Act 2019 (PDPA).

The royal decree, once published in the Royal Gazette, will be effective from May 27, 2020, until May 31, 2021. Based on the Cabinet’s announcement, the decree is expected to provide exemption from the following chapters and provisions of the PDPA:

  • Chapter II: Personal Data Protection;
  • Chapter III: Rights of the Data Subject;
  • Chapter V: Complaints;
  • Chapter VI: Civil Liability;
  • Chapter VII: Penalties; and
  • Section 95: Grandfather provision.

A wide-ranging list of categories should be provided in the decree, identifying operations in the private, public, and social enterprise sectors that qualify for the exemption. In the current draft, these businesses include, for example, banking, commercial, communications and telecommunications, construction, digital, education, energy, finance, insurance, medical and public health, professional practices, real estate, tourism, and transportation.

The government anticipates that the extension will give applicable business operators and organizations more flexibility in preparing themselves for compliance with the PDPA. However, it should be emphasized that, during the one-year extension period, businesses should continue to roll out their assessment programs internally and use the time to understand what their current practices for handling and processing personal data are, as well as to identify and resolve any compliance gaps. Building awareness of the PDPA within the organization before May 31, 2021, will continue to be essential for PDPA compliance.

It is important to highlight that data controllers must still implement security protection measures for personal data, in accordance with the standards prescribed by the Ministry of Digital Economy and Society.

If you have any questions about the PDPA, the royal decree, and their implementation, please do not hesitate to contact any member of the Tilleke & Gibbins PDPA team, including Athistha (Nop) Chitranukroh at [email protected], Nopparat Lalitkomon at [email protected], or Gvavalin Mahakunkitchareon at [email protected].
