Thailand’s Personal Data Protection Act further postponed due to the Covid-19 pandemic
The Personal Data Protection Act BE 2562 published in the Government Gazette on May 27, 2019, was originally scheduled to become fully effective on 27 May 2020. However, the plan was put to a halt due to the raging of the Covid-19 pandemic. The epidemic has dealt a heavy blow to all sectors of the economy, IP included. Consequently, the Government had deferred the full enforcement of the Personal Data Protection Act to May 27, 2021.
However, it is not yet the end of the suspension of the Act. On May 5, 2021, the Thai Cabinet had further delayed the enforcement of the Personal Data Protection Act to one year (June 1st, 2022).
Though, the postponement of the Act may benefit some organizations. This is due to the fact that the new legislation will bring significant changes to the current data protection regulatory environment. Therefore, it will create some difficulties for businesses to adapt to the new reforms.
Therefore, the further expansion of the Personal Data Protection Act relieves the impact of the law on stakeholders by giving them supplementary time to prepare for June 1st, 2022.
Grandfather provision (Section 95 of the Personal Data Protection Act)
The Personal Data Protection Act allows the Data Controller (DC) to continue to keep and use personal data which was collected before the Act becomes effective provided the collection or use is within the scope of the original purpose.
The Data Controller must however prepare and publicize a method for the DS to easily withdraw his or her consent through an opt-out procedure.
Action point: Whether your company has an “opt-out” procedure for past personal data collected. This should be in place before June 1st, 2022.
Cross border transfer of personal data (Sections 16.5, 28, 29 of the Personal Data Protection Act)
The recipient country (e.g. Germany) of personal data collected in Thailand must have “adequate personal data protection standards” and the migration of data must comply with the rules of the protection prescribed by the Personal Data Protection Committee (PDPC). As of today, these rules have not yet been enacted. However, there is one exemption when there is a personal data protection policy with overseas to the Data Controller’s affiliates (i.e. corporate rules), such policy shall simply be reviewed and certified by the Personal Data Protection Committee.
Action point: Whether your company has a global personal data protection policy covering the migration of personal data to your HQ office or other offices. If not, consider developing a policy to cover Thailand.
Appointment of a Data Protection Officer (Section 26 of the Personal Data Protection Act)
A Data Protection Officer shall be appointed if the activities of the Data Controller or DP require regular monitoring due to the large scale and/or sensitivity of personal data. The scale shall be determined by the Personal Data Protection Committee. The Data Protection Officer’s activities shall be filed to the Personal Data Protection Committee. The Data Protection Officer should be able to communicate in Thai.
Action point: Verify the size and nature of personal data in Thailand and whether this may require appointing a Data Protection Officer. The law is still silent on the threshold of personal data in order to appoint a Data Protection Officer. We shall await the Personal Data Protection Committee to issue a notification on the threshold.
Key Actions & Time Frame
*** Other Articles***
– You could visit here to see Procedure of Thailand Trademark Registration.
– You could visit here to check the required documents for filing trademark in Thailand here.
– You could read 06 Frequent Questions About Filing Trademark In Thailand here.
– You could visit here to see Power of Attorney of trademark in Thailand here.
– You could read 07 Legal Notes To Thailand Trademark Law You Need To Know here
Contact AAA IPRIGHT: Email: [email protected]
Or sending your inquiry by filling the form:
