Data Protected - Thailand

Last updated February 2024

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

Personal Data Protection Act B.E. 2562 (2019) (the “Thai PDPA”).

Entry into force

Provisions in relation to the establishment of the Office of the Personal Data Protection Committee became effective on 28 May 2019.

Other provisions governing the collection, use and disclosure of personal data and other rights and obligations thereunder became effective on 1 June 2022.

The Personal Data Protection Committee ("Committee") has published various secondary legislation and guidelines (“Regulations”) covering matters such as: (i) details of records of processing activities; (ii) security measures; (iii) complaint process; (iv) application and setting of administrative penalties; (v) data breach notification; and (vi) transfer of personal data to third countries.

Additionally, the Committee has published practice guidelines on privacy notice and consent.

Further regulations and guidelines are expected to be published for public consultation in due course.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

The Personal Data Protection Committee 

Office of the Personal Data Protection Committee
7th Floor, Ratthaprasasanabhakti Building
Government Complex
Chaengwattana Road
Thung Song Hong Sub-District, Lak Si District
Bangkok, Thailand 10210

https://www.pdpc.or.th/

E-mail: saraban@pdpc.or.th

Tel: +662-142-1033 and +662-141-6993

Facebook: www.facebook.com/pdpc.th

Notification or registration scheme and timing

There is no obligation for a general notification or a registration scheme under the Thai PDPA, except for the notification of a data protection officer and the data breach notification.

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The Thai PDPA applies to the processing activities of a controller or processor who has an establishment in Thailand.

Similar to GDPR’s extraterritorial reach, the Thai PDPA also applies to processing activities of a controller or processor outside of Thailand to the extent they: (i) target the offering of products or services to individuals in Thailand; or (ii) monitor behaviour of individuals in Thailand.

Is there a concept of a controller and a processor?

Yes. A controller is a person who makes decisions in relation to the processing of personal data, i.e. a controller decides “what” the personal data will be processed for (the purposes) and “how” the processing will be done (the means).

A processor is a person who processes personal data on behalf of a controller.

Are both manual and electronic records subject to data protection legislation?

Yes. The Thai PDPA governs the processing of personal data recorded in any form.

Are there any national derogations?

Certain Thai PDPA requirements on the collection, use and disclosure of personal data and on data subject rights do not apply to some law enforcement activities carried out by state agencies such as the National Anti-Corruption Commission, the Revenue Department and the Secretariat of the Cabinet.

_____________________________________________________________________

Personal Data

What is personal data?

Personal data is data related to a natural person which can identify such person whether directly or indirectly, excluding data of deceased persons.

Is information about legal entities personal data?

No.

What are the rules for processing personal data?

The rules of processing personal data are built around eight principles that broadly align with the GDPR and other established data protection laws.

The first principle is that personal data must be processed lawfully in accordance with any of the following lawful bases: (i) consent of the individual; (ii) to prepare a historical document or statistical study; (iii) to protect the vital interest of an individual; (iv) to undertake any necessary contractual obligation between the individual and the controller, or to comply with the individual’s request prior to entering into such contract; (v) to undertake any necessary obligation of the controller in relation to public interest; (vi) for a legitimate interest of any individual or juristic person (including the controller); and (vii) to undertake any legal obligation of the controller.

The second principle is that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

The third principle is that personal data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed.

The fourth principle is that personal data must be accurate and kept up to date.

The fifth principle is that personal data must be kept for no longer than is necessary.

The sixth principle is that personal data must be processed in accordance with the individual’s rights.

The seventh principle is that personal data must be kept secure.

The eighth principle is that personal data must not be transferred to third countries which do not provide adequate protection.

Are there any formalities to obtain consent to process personal data?

When requesting consent (which must be in writing or electronically), the controller must: (i) state the purpose for which the processing of the personal data is to be made; (ii) present the request for consent in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language; and (iii) neither be deceptive nor misleading to the individual in respect of such purpose.

Consent must also be obtained prior or at the time the personal data is processed, and must be freely given, specific and informed.

Consent cannot be a condition for the entering into of a contract or provision of such service, if the relevant processing is not necessary for that contract or service.

The individual shall have the right to withdraw his or her consent at any time. It must be as easy to withdraw as to give consent. The withdrawal of consent shall not affect the lawfulness of any processing based on the consent prior to its withdrawal.

The Committee has published the practice guidelines on how to obtain consent which provide clarity and examples of the Thai PDPA requirements.

Are there any special rules when processing personal data about children?

If the individual is between 10 and 20 years old, consent must be obtained from the individual and his/her legal guardian, unless it relates to an act that a minor is permitted to perform on his or her own as prescribed by the Civil and Commercial Code of Thailand.

If the individual is 10 years old or below, consent must be obtained from the individual’s legal guardian.

Are there any special rules when processing personal data about employees?

There are no additional rules when processing personal data about employees.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal data is personal data relating to race, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual orientation, criminal records, health data, disability, trade union data, genetic data, biometric data or any other data which may affect the individual in the same manner, as prescribed by the Committee.

Are there additional rules for processing sensitive personal data?

Yes. Sensitive personal data can only be processed on the following lawful bases: (i) consent of the individual; (ii) to protect the vital interest of any individual; (iii) to undertake any legal activities of a non-profit organisation for its members or ex-members, provided that such sensitive personal data is not disclosed outside the organisation; (iv) the sensitive personal data was made publicly available with the individual’s express consent; (v) it is necessary for the establishment, fulfilment, exercise or defence of a legal right; and (vi) to undertake any necessary legal obligation in relation to preventive medicine, public health, labour protection, research or any other purpose in the public interest.

Are there additional rules for processing information about criminal offences?

Collection of personal data relating to criminal offences shall only be carried out under the supervision of an authorised official authority, or where the collection of such data is carried out in accordance with data protection measures prescribed by the Committee.

Are there any formalities to obtain consent to process sensitive personal data?

Same as for non-sensitive personal data as described above.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

A data protection officer (“DPO”) must be appointed if: (i) the controller or processor is a government agency as prescribed by the Committee; (ii) the processing activities of a controller or processor require constant review of personal data or system due to large amounts of personal data as prescribed by the Committee; or (iii) the main activity of a controller or processor involves the processing of sensitive personal data.

The Committee has published secondary legislation on item (ii) to provide clarity on the relevant processing activities and on what constitutes a large amount of personal data.

A controller or processor must notify the details of the appointed DPO (i.e. name, contact address and contact channels) to data subjects and to the Office of the Committee.

What are the duties of a data protection officer?

The data protection officer must advise the controller or processor, including their employees or contractors, in relation to the carrying out of duties under the Thai PDPA. They must also inspect the operations in relation to the processing of personal data of the controller or processor, including their employees or contractors for compliance with the Thai PDPA.

The data protection officer must co-ordinate and co-operate with the Office of the Committee on any issues relating to the processing of personal data of the controller or processor, including their employees or contractors in regard to the carrying out of duties under the Thai PDPA.

Finally, the data protection officer has a duty to keep confidential personal data learnt or acquired from the carrying out of their duties under the Thai PDPA.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

No.

Are privacy impact assessments mandatory?

No.

_____________________________________________________________________

Rights of Individuals 

Privacy notices

On or before the collection of personal data, the individual must be informed of (or otherwise be aware of) the following information: (i) the purpose of the processing of his/her personal data; (ii) whether the collection of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal data and the possible consequences of failure to provide such data; (iii) whether the personal data will be stored and, if so, the retention period for which it will be stored; (iv) the categories of persons or organisations to which the personal data may be disclosed; (v) the identity and contact details of the controller (or other company that collected such personal data) and of the controller's representative or data protection officer (if appointed); and (vi) the rights of the individual.

In addition, the practice guidelines require further information such as the applicable lawful basis and details of any cross-border transfer. The practice guidelines also require that, where a controller collects personal data from sources other than the data subject, the controller must put in place certain data protection measures.

Rights to access information

An individual can ask a controller for a copy of his or her personal data or ask if there has been unauthorised collection of his/her personal data.

The controller must comply with such a request unless refusal is permitted by law or a court order, and the request for a copy of the personal data might cause damage to the rights and freedoms of other persons.

Rights to data portability

Where the controller provides personal data to the individual, it should be in a format which is readable or commonly used by automatic tools and which can be used or disclosed by automated means.

The individual can also: (i) ask the controller to transfer the personal data in that format directly to other controllers if it can be done by the automatic means; and (ii) directly obtain the personal data in such formats as the controller sends or transfers to other controllers, unless it is impossible to do so because of the technical circumstances.

Right to be forgotten

An individual can ask the controller to erase, destroy or anonymise his/her personal data in the following cases: (i) when the personal data is no longer needed for the purposes of the collection, use, or disclosure of personal data; (ii) when the individual withdraws his/her consent to the collection, use, or disclosure of personal data, and the controller no longer has the power under the law to collect, use, or disclose said personal data; (iii) when the individual objects against the collection, use, or disclosure of his/her personal data and the controller has no lawful ground to reject the request; and (iv) when the personal data has been unlawfully collected, used, or disclosed as prescribed in the Thai PDPA.

Objection to direct marketing

An individual has the right to object to the processing of the personal data concerning him or her where the processing of such personal data is for the purpose of direct marketing.

Other rights

An individual also has a right to: (i) object to the processing of his/her personal data; (ii) ask to restrict the processing of his/her personal data; and (iii) ask to rectify or update his/her personal data so that it is accurate and up to date.

Unlike GDPR, the Thai PDPA does not provide a right not to be subject to a decision based solely on automated processing, including profiling.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

A controller must use security measures to prevent a loss or unauthorised access to or processing of personal data.

The Regulations set out details of the security measures that must be taken.

Where the controller provides access to a non-controller (such as a processor), the controller must prevent the unauthorised use or disclosure of the personal data by that person.

A controller must ensure its system deletes personal data when the relevant retention period has passed, or such personal data is no longer relevant or necessary.

Specific rules governing processing by third party agents (processors)

A processor must: (i) only process personal data under an instruction received from the controller, except where such instruction is against the laws or the provisions of personal data protection under the Thai PDPA; (ii) arrange for appropriate security measures to prevent loss or unlawful or unauthorised processing of personal data; and (iii) arrange for and keep a record of processing activities of personal data as prescribed by the Committee.

Notice of breach laws

If there is a breach of personal data, the controller must notify the Office of the Committee without delay and within 72 hours of identifying the breach, unless it poses no risks to the rights and freedom of an individual.

If the breach poses a high risk to the rights and freedom of an individual, the controller shall notify such breach to the individual without delay together with remedial guidelines.

A processor must inform the relevant controller if there is a data breach.

The Committee has published secondary legislation setting out the procedures and exemptions applicable to a controller in relation to its obligation to notify the Office of the Committee and the data subject of a breach of personal data.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

Personal data can only be transferred to a third country if the receiving country has adequate personal data protection standards or one of the conditions below applies.

The conditions for transfer are: (i) the transfer is necessary to comply with the law; (ii) the individual has given his/her consent for the transfer having been informed of the inadequacy of the data protection laws in the receiving country; (iii) the transfer is necessary for the performance of the contract to which the individual is or will be a party; (iv) the transfer is to perform the controller’s duty under a contract between the controller and a third party for the benefit of the individual; (v) the transfer is for prevention or quelling of danger to life, body, or health of the individual or other persons, when the individual is unable to provide consent at the time; or (vi) the transfer is necessary for a public task.

The Committee has published secondary legislation prescribing criteria for deciding the “adequacy” of the personal data protection standards of recipient countries. Examples of these prescribed criteria are: (i) having standards or legal mechanisms that are not below what has been set out by the Thai personal data protection laws; and (ii) having an organisation or authority that has the power and is responsible for the enforcement of data protection laws, with such powers and responsibilities not below what has been set out by the Thai personal data protection laws.

Notification and approval of national regulator (including notification of use of Model Contracts)

The Thai PDPA also allows international transfers of personal data where: (i) it is a transfer to a controller or processor within a group company and such group company has established binding corporate rules as approved by the Committee; and (ii) in the case where the Committee’s approval to the binding corporate rules is not yet granted, a controller or processor can transfer personal data to third countries if the controller or processor has arranged for appropriate measures, as well as efficient legal remedial measures pursuant to the Committee’s guideline.

The Committee has published the secondary legislation to prescribe: (i) minimum requirements to be included in binding corporate rules such as clauses in relation to data protection, data subject rights and the complaint handling process for the personal data which has been transferred to the third country; and (ii) acceptable appropriate safeguards which may be in the form of (a) standard contractual clauses (of a data transfer agreement), (b) certification relating to cross-border transfers of personal data (for which the Committee will further issue a certification requirement) and (c) a state treaty or agreement (between government agencies of Thailand and a recipient country).

Use of binding corporate rules

Please see above.

_____________________________________________________________________

Enforcement

Fines

Sanctions of up to THB 5 million (approximately EUR 150,000) for an administrative fine and up to THB 1 million (approximately EUR 30,000) for a criminal fine are available.

Criminal fines can be imposed on a director, manager or responsible person of an entity in breach of the Thai PDPA.

Imprisonment

Breach of the Thai PDPA can result in up to one year imprisonment. This can be imposed on the director, manager or responsible person of an entity in breach of the Thai PDPA.

Compensation

Individuals can obtain compensation for the actual damages incurred by the non-compliance. Such compensation includes expenses paid by the individual in preventing possible damages or mitigating actual damages.

The court has the power to order the controller or the processor to pay punitive damages in addition to the actual damages of up to two times the actual damages.

Other powers

The competent official has investigative powers and the power to issue directions, e.g. to take corrective actions.

Practice

The Committee was established on 11 January 2022 and there is no current enforcement nor practice as of the date of this document.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

In addition to the Thai PDPA, there are also other industry-specific laws relating to data protection which apply to business operators in the relevant industry, for example telecommunications, healthcare and financial institutions.

The Act on Commission of Offences relating to Computer B.E. 2550 (2007), as amended (the “Thai Computer Crime Act”), also contains general rules on the use of “computer data” and the duty of a service provider to retain computer traffic data for a period of time.

_____________________________________________________________________

Cookies

Conditions for use of cookies

N/A.

Regulatory guidance on the use of cookies

N/A.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

Under a Notification of the Ministry of Digital Economy and Society issued under the Thai Computer Crime Act, direct marketing by e-mail is permitted provided that the recipient can easily opt out or unsubscribe.

Conditions for direct marketing by e-mail to corporate subscribers

See above.

Exemptions and other issues

Failure to provide the recipients of a direct marketing e-mail with an opt-out option, or failure to honour the recipient's opt-out, will result in a fine not exceeding THB 200,000 (approximately EUR 6,000).

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

There is no general rule governing direct marketing by telephone. However, certain regulations apply to specific industries such as insurance or financial institutions. Generally, these regulations set out the period during which direct marketing calls can be made and other controls which need to be in place, e.g. the requirement to terminate the call without delay if the recipient does not wish to continue the conversation.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

See above.

Exemptions and other issues

N/A.

_____________________________________________________________________