This chapter provides an overview of the legal system and key laws for foreign companies doing business in Thailand. Presented in a question-and-answer format, the chapter examines the rules governing foreign investment, business vehicles, employment, tax, competition, intellectual property, marketing agreements, e-commerce, data protection, and product liability.
June 19, 2024
On June 14, 2024, the Personal Data Protection Committee (PDPC) released a draft notification under the Personal Data Protection Act 2019 (PDPA), setting out criteria for how data controllers must delete, destroy, and de-identify personal data. According to the PDPA, a data subject can request that a data controller delete, destroy, or de-identify their personal data in any of the following circumstances: The personal data is no longer necessary for the purposes for which it was collected, used, or disclosed. The data subject has withdrawn their consent for the processing of the personal data, and no other lawful basis for processing remains. The data subject has objected to the processing of their personal data on grounds of legitimate interests or official tasks, the data controller has no other compelling grounds to refuse the request, and the data is not needed for legal claims. The data subject objects to the processing of their personal data for direct marketing purposes. The processing of personal data is unlawful. The draft stipulates that data controllers respond to a data subject’s request to delete, destroy, or de-identify personal data immediately, and within 60 days of receiving the request. If the data controller cannot fulfill the request immediately, they must take interim measures to ensure that the personal data is made difficult to collect, use, or disclose. This includes implementing measures such as preventing access to the data and applying appropriate security measures to protect the data from unauthorized use or disclosure. De-identification or Anonymization of Personal Data In certain circumstances, a data controller may opt to de-identify or anonymize personal data, rather than delete or destroy it. If doing so, the data controller must satisfy the following criteria: There must be a structured process to remove or eliminate all direct identifiers linked to the