Thai Personal Data Protection Act

The Thai Personal Data Protection Act has been fully enacted since June 2022. However, the PDPA requires sub-legislation on many provisions, to be issued by the Personal Data Protection Committee. 
The Committee has commenced to issue such sub-legislation. The following notable regulations have been issued: 

  1. Certain small businesses are not required to comply with the requirement to record processing activities as outlined in Article 39 of the PDPA. The notification was enacted as of 21 June 2022. Small and medium companies should check if they are covered by the notification.
  2. For other businesses, the Committee has issued a notification on preparing and maintaining processing records. The notification clarifies the recording duties under Article 39 of the PDPA and should be strictly followed by all companies not falling under aforementioned exception. The effective date of the notification is 17 December 2022. 
  3. Section 37 of the PDPA prescribes that personal data has to be stored by using appropriate security measures so that the personal data cannot be accessed, used, altered, etc. Now, the Committee has issued a regulation outlining the details of what are considered appropriate security measures. All companies are required to check if the current methods fall within the notification. The effective date of the notification is 21 June 2022.
Compliance with the PDPA is a new challenge for companies in Thailand. Please feel free to reach out to us for comprehensive advise and compliance checks. 

 From The Newsletter


Contact Person Picture

Martin Chrometzka

Associate Partner

+66 2 0794 711

Send inquiry

Deutschland Weltweit Search Menu