The Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”) has been effective since May 28, 2019. However, most of its provisions were not due to become effective until one year thereafter, ie May 27, 2020. The PDPA, which adopts many of the same concepts as the European Union’s General Data Protection Regulation (“GDPR”) and other international standards, aims to protect the personal data of a natural person in three main areas ie (i) how the data is acquired; (ii) rights of the data subject; and (iii) security of data storage systems and data transfers.
However, it was announced on May 19, 2020 that the cabinet has approved a draft Royal Decree (“RD”) proposing to postpone the enforcement of the PDPA for another year for 22 business industries. The postponement is effective from May 27, 2020 until May 31, 2021.
According to the Cabinet resolution, the reasons for this postponement are varied, including the lack of readiness on the part of operators to comply with the PDPA, the need to use advanced technology that many operators are not equipped for, and the fact that the PDPA entails numerous requirements that need to be studied and understood thoroughly for effective implementation. Therefore, the Cabinet deemed that another one-year transition period should be granted.
According to the summary of the Cabinet resolution, the draft of the RD prescribes that Chapter 2 (Personal Data Protection), Chapter 3 (Use or Disclosure of Personal Data), Chapter 5 (Filing of Complaints), Chapter 6 (Civil Liability), Chapter 7 (Punishment) and Section 95 [1] of the PDPA will not be enforced against the following organisations and businesses:
- governmental agencies;
- foreign governmental agencies and international organisations;
- foundations, associations, religious organisations, non-profit organisations;
- businesses relating to agriculture;
- businesses relating to industry;
- businesses relating to commerce;
- businesses relating to medicine and public health;
- businesses relating to energy, steam, water and waste disposal and related businesses;
- businesses relating to construction;
- businesses relating to repairs and maintenance;
- businesses relating to transportation, logistics and goods storage;
- businesses relating to tourism;
- businesses relating to communications, telecommunications, computers and digital;
- businesses relating to finance, banking and insurance;
- businesses relating to real estate;
- professional occupations;
- businesses relating to management and supporting services;
- businesses relating to science and technology, academia, social administration and arts;
- businesses relating to education;
- businesses relating to entertainment and recreation;
- businesses relating to security service; and
- household businesses and community enterprises which cannot be clearly categorised.
If it is uncertain whether an organisation or a business qualifies as an exempt business, the Personal Data Protection Commission will be empowered to determine this.
It should be noted, however, that according to the said summary, data controllers are still required to provide data security measures that are in accordance with the standard described by the Ministry of Digital Economy and Society. However, as of the date of this newsletter, such standard has not been prescribed yet.
This newsletter only provides a brief analysis. Please contact the authors if you require further information on the issues raised in this publication or related issues.
[1] Section 95: “For the personal data collected by the personal data controller before the date the PDPA comes into force, the personal data controller can further collect and use such personal data according to the existing purpose, provided that the personal data controller shall set up a method for consent revocation and disseminate and publicise the same to the personal data owners who do not allow the personal data controller to collect and use the said personal data to ensure that they can easily give a notice of consent revocation. The disclosure and other arrangements which are not related to the collection and use of the personal data under paragraph one shall be in compliance with the PDPA.”
This newsletter is intended to highlight an overview of key issues for ease of understanding, and not for the provision of legal advice. If you have any questions about this newsletter, please contact your regular contact persons at Mori Hamada & Matsumoto or Chandler MHM Limited. If you should have any inquiries about the newsletter, or would like more information about Chandler MHM Limited, please contact firstname.lastname@example.org.