On May 24, 2021, Notification Re: Security Standards for Personal Data (No. 2) was issued by Thailand’s Ministry of Digital Economy and Society (MDES) to further extend the validity of the minimum security standards for personal data to May 31, 2022. The minimum standards remain otherwise unchanged from the measures detailed in Tilleke & Gibbins’ client alert on the MDES’ previous notification.
The obligation for data controllers to implement security measures which meet or exceed the minimum required standards has been in place since July 18, 2020, and is intended to be an interim measure before the implementation of Thailand’s Personal Data Protection Act (PDPA). However, in light of the ongoing Covid-19 crisis, the recent Royal Decree Re: the Personal Data Protection Act (PDPA) (No. 2) extended the effective date of most provisions of Thailand’s PDPA to May 31, 2022, which would have created a one-year gap in the obligation. The minimum security standards have therefore been extended to cover the same period.