The Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) has been in force since 2019, but the enforcement of key provisions, including those imposing duties on data controllers and data processors as well as punishments upon violators, has been postponed, and these provisions will be fully implemented from 1 June 2021 (“Full Enforcement Date”) going forward. Whilst there are doubts among business operators that the Full Enforcement Date may be postponed again, as the Thai government is still in the process of forming the Personal Data Protection Committee (“PDPC”), the tentative Full Enforcement Date remains unchanged according to the relevant official. It may therefore be possible that the PDPC will be formed and related sub-regulations and guidelines will be issued immediately prior to the Full Enforcement Date. As we are all data controllers (and may also be data processors) under applicable data privacy laws, including the PDPA, it may be essential to examine now whether we are also subject to the PDPA and whether we are ready for its full implementation. At least our front yards should be prepared, which means being able to answer whether you understand the PDPA requirements and have done anything yet to comply with them, for example:
  • Have you put in place personal data security measures in accordance with the minimum standard prescribed under the related notification?
  • Have you notified staff, employees, and/or any relevant persons of the measures to raise awareness of the importance of personal data protection and to encourage strict compliance?
  • Do you understand the duties and requirements under the PDPA?
  • Have you prepared your data inventory, so that you know how the data flows and the risks at each data gateway, including appointing appropriate personnel/staff (including the Data Protection Officer) to be in charge of and responsible for PDPA compliance and updates?
  • Have you prepared key documents under the PDPA, such as privacy policy, privacy notice (under Section 95 and in general), consent form, data processing agreement, data transfer agreement and documents relating to the data subject’s rights and record?
For those familiar with the personal data protection laws of other countries, in particular the EU General Data Protection Regulation (GDPR), it may be beneficial to recheck whether you are also subject to the PDPA and whether all documents prepared under such international laws are fully compliant with the PDPA.

Legal Concept Ltd.