Section Code: 001 - 007

Personal Data Protection Act

PERSONAL DATA PROTECTION ACT,
B.E. 2562 (2019)

His Majesty King Phra Poramenthra Ramathibodi Sisin Maha Vajiralongkorn Phra Vajira Klao Chao Yu Hua hereby issues a royal command to proclaim that:

Whereas it is deemed appropriate to issue a law concerning personal data protection.

This Act contains certain provisions in relation to the restriction of the rights and freedoms of a person, which Section 26, in conjunction with Section 32, Section 33 and Section 37 of the Constitution of the Kingdom of Thailand so permit by virtue of the law.

The rationale and necessity to restrict the rights and freedoms of a person in accordance with this Act are to efficiently protect personal data and put in place effective remedial measures for data subjects whose rights to the protection of personal data are violated. The enactment of this Act complies with the criteria under Section 26 of the Constitution of the Kingdom of Thailand.

His Majesty hereby issues a royal command that the Act be enacted, with advice and consent from the National Legislative Assembly acting as the parliament, as per the following details.

Section 1

This Act is called the "Personal Data Protection Act, B.E. 2562".

Section 2

This Act shall come into effect on the date following the date of the publication in the Government Gazette, except for the provisions of Chapter II, Chapter III, Chapter V, Chapter VI, Chapter VII, Section 95, and Section 96, which shall come into effect after the lapse of a period of one year from the date of its publication in the Government Gazette.

Section 3

In the event that there is any sector-specific law governing the protection of Personal Data in any manner, any business or any entity, the provisions of such law shall apply, except:

  1. For the provisions with respect to the collection, use, or disclosure of Personal Data and the provisions with respect to the rights of data subjects including relevant penalties, the provisions of this Act shall apply additionally, regardless of whether they are repetitious with the above specific law.
  2. For the provisions with respect to complaints, provisions granting power to the expert committee to issue an order to protect the data subject, and provisions with respect to the power and duties of the Competent Official, including relevant penalties, the provisions of this Act shall apply in the following circumstances:
    1. In the event that such law has no provision with respect to complaints;
    2. In the event that such law has provisions giving the power to the competent official, who has the power to consider the complaints under such law, to issue an order to protect the data subject, but such power is not equal to the power of the expert committee under this Act; and either the competent official who has power under such law makes a request to the expert committee, or the data subject files a complaint with the expert committee under this Act, as the case may be.

Section 4

This Act shall not apply to:

  1. The collection, use, or disclosure of the Personal Data by a Person who collects such Personal Data for personal benefit or household activity of such Person only;
  2. Operations of public authorities having the duties to maintain state security, including financial security of the state or public safety, including the duties with respect to the prevention and suppression of money laundering, forensic science or cybersecurity;
  3. A Person or a juristic person who uses or discloses Personal Data that is collected only for the activities of mass media, fine arts, or literature, which are only in accordance with professional ethics or for public interest;
  4. The House of Representatives, the Senate, and the Parliament, including the committee appointed by the House of Representatives, the Senate, or the Parliament, which collect, use or disclose Personal Data in their consideration under the duties and power of the House of Representatives, the Senate, the Parliament or their committee, as the case may be;
  5. Trial and adjudication of courts and work operations of officers in legal proceedings, legal execution, and deposit of property, including work operations in accordance with the criminal justice procedure;
  6. Operations of data undertaken by a credit bureau company and its members, according to the law governing the operations of a credit bureau business.

The exceptions to apply all or parts of the provisions of this Act to any Data Controller in any manner, business or entity, in a similar manner to the Data Controller in paragraph one, or for any other public interest purpose, shall be promulgated in the form of the Royal Decree.

The Data Controller under paragraph one (2) (3) (4) (5) and (6) and the Data Controller of the entities that are exempted under the Royal Decree in accordance with paragraph two shall also put in place a security protection of Personal Data in accordance with the standard.

Section 5

This Act applies to the collection, use or disclosure of Personal Data by a Data Controller or a Data Processor that is in the Kingdom of Thailand, regardless of whether such collection, use or disclosure takes place in the Kingdom of Thailand or not.

In the event that a Data Controller or a Data Processor is outside the Kingdom of Thailand, this Act shall apply to the collection, use or disclosure of Personal Data of data subjects who are in the Kingdom of Thailand, where the activities of such Data Controller or Data Processor are the following activities:

  1. The offering of goods or services to the data subjects who are in the Kingdom of Thailand, irrespective of whether the payment is made by the data subject; or
  2. The monitoring of the data subject’s behavior, where the behavior takes place in the Kingdom of Thailand.

Section 6. Definitions

In this Act,

  1. "Personal Data" means any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased Persons in particular;
  2. "Data Controller" means a Person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data;
  3. "Data Processor" means a Person or a juristic person who operates in relation to the collection, use or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such Person or juristic person is not the Data Controller;
  4. "Person" means a natural person;
  5. "Committee" means the Personal Data Protection Committee;
  6. "Competent Official" means any person appointed by the Minister to perform acts under this Act;
  7. "Office" means the Office of the Personal Data Protection Committee;
  8. "Secretary-General" means the Secretary-General of the Personal Data Protection Committee;
  9. "Minister" means the Minister who is in charge under this Act.

Section 7

The Minister of Digital Economy and Society shall be in charge under this Act, and shall have the power to appoint the Competent Official to perform acts under this Act.