This chapter provides an overview of the legal system and key laws for foreign companies doing business in Thailand. Presented in a question-and-answer format, the chapter examines the rules governing foreign investment, business vehicles, employment, tax, competition, intellectual property, marketing agreements, e-commerce, data protection, and product liability.
November 8, 2024
On October 31, 2024, Thailand’s Office of the Personal Data Protection Committee (PDPC) opened a public consultation period on its draft notifications—one directed at data controllers and another at data processors—regarding exemptions from the requirement to create and maintain records of processing activities (ROPAs) under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The draft notification for data controllers aims to amend and revoke certain aspects of the first ROPA exemption notification issued in June 2022 and outlines the criteria for data controllers to be exempted from the obligation to prepare and maintain such records. Although it is officially titled “Notification of the Personal Data Protection Committee on Exemption from Record-Keeping Requirements for Small Business Data Controllers,” this draft notification applies to all types of exempted data controllers (see list below), and not only small businesses. The draft notification for data processors is new and does not replace any prior notification. The criteria under both draft notifications exempt certain data controllers and data processors from the obligation to maintain ROPAs, but exempted data controllers are not free from the obligation to retain information on the rejection of data subjects’ requests to exercise certain rights under the PDPA. While these criteria remain consistent with the June 2022 ROPA exemption notification, there are a few key takeaways from the notifications, as detailed below. Types of Exempted Parties The draft notification on data controllers adds condominium and housing estate juristic persons, as well as individuals, to the list of parties eligible for an exemption, while removing internet cafes from the list. The new draft notification for data processors mirrors the corresponding list in the draft notification for data controllers. The complete list of parties eligible for ROPA exemptions under the draft notifications is as follows: SMEs according to the law on