Published in Asian-mena Counsel: Data + Cyber Security Special Report 2020


Screenshot 2020-11-19 at 3.43.47 PM

Screenshot 2020-11-19 at 12.17.54 PM


By Kwang-Wook Lee, Helen H. Hwang, Chulgun Lim and Keun Woo Lee, Yoon & Yang



The Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”) was enacted on May 27, 2019.  Prior to the end of the original one-year grace period for full enforcement of the PDPA, a Royal Decree was issued which prescribed a list of organisations and businesses that would be temporarily exempted from enforcement.  The list was so extensive and the choice of words so overarching that all legal practitioners agreed that it was designed for all business operators and other types of entities as well.  Hence, we were effectively given a second grace period which will end on May 31, 2021.  Although the enforcement was postponed for another year, all business operators are required to arrange and maintain security and protection of personal data as prescribed by the Ministry of Digital Economy and Society (“MDES”).

The MDES issued the Ministerial Notification Re: Standards of Security Protection of Personal Data, B.E. 2563 (2020), with an effective date from July 18, 2020 until May 31, 2021.  The descriptions therein regarding notification and safety requirements are comparatively generic and do not prescribe specific standards, applications, or technical measures.  Furthermore, the notification itself is thought to be effectively unenforceable given the grace period that has already been announced.  It, therefore, is seen as a hybrid message to the operators to remind them to be mindful of this law and that the regulatory environment will be tougher in the coming months. Therefore, operators should start to plan their compliance.

Nevertheless, due to the current lack of specific guidelines, rules, and other regulations, only some business operators have commenced an internal process to prepare themselves for the law. Preparation would include undertaking internal due diligence and gap analysis to learn about how personal data comes into each of their business arms, where such data is stored and transferred to, and how each entity within their commercial loop treats and utilises such data. This would also require instituting use of internal and external documents, including many types of personal data policies, consent forms, ad hoc notices, and specific-purpose standards of operations, guidelines, and protocols.  Some operators, however, have stated that they want to wait for more supplementary regulations from the Personal Data Protection Committee, as they feel that the PDPA will need supplementary regulations to make it whole and fully functional. This would include supplementary regulations about country and organisation white lists, categorical exemptions, thresholds for necessity to have a data protection officer, guidelines on offshore transfer rules, etc.

Screenshot 2020-11-19 at 3.44.17 PM

Based on our experience working with numerous clients to achieve compliance with data protection laws and regulations, one of our key takeaways is to avoid being over-complacent.  The operators should note that the internal preparation process to comply with the PDPA will take several months. Firstly, the process to undertake self-due diligence or gap analysis may take one to three months.  Pinpointing the issues found during the self-due diligence or gap analysis and deciding how to plug the gaps with suitable documentation (with the appropriate facts included therein), and subsequent creation and revision of documents takes at least one or two months.  Then the operators will have to deal with implementation, which will necessitate training in order to allow management and operators to familiarise themselves with the new processes.  Lastly, it may be necessary to recalibrate how the different IT applications and systems work.  Given the time required to complete these steps, the remaining time until the end of the grace period on May 31, 2021 is short.  The operators should further note that although it is true to say that that the law will not be fully functional without supplementary regulations, however, a majority of the provisions of the law can, and certainly will, be fully or at least partially enforceable on their own. For example, the requirements on notification, attainment of lawful basis, consent, liaison with data subjects, and safety of storage. Even certain sections that currently seem to be less than clear may be quickly completed by official consultation and approval by the Personal Data Protection Committee, such as those related to offshore transfer.

We, therefore, do not recommend that operators wait, and suggest that they undertake internal preparations to the extent that they can as soon as possible. This would eliminate risks posed by certain provisions becoming immediately enforceable on June 1, 2021, and avoid the operator being scrutinised or prosecuted by the authorities for such breach.



Screenshot 2020-11-19 at 3.48.38 PM




Official Publication: Asian-mena CounselClick Here to read the full issue of Asian-mena Counsel: Data + Cyber Security Special Report 2020.


Related Articles by Firm
New regulation on the prohibition of sales of alcoholic beverages online
In line with evolving trends in technology, certain entrepreneurs and retailers have started using online channels to sell alcoholic beverages, which makes it difficult to ensure the sale of such beverages is in accordance with existing laws ...
Nok Air Rehabilitation Proceedings – Updates for Creditors and Lessors
As the global travel industry continues to grapple with the effects of COVID-19, many companies are now beginning to seek protections under various insolvency regimes ...
Thai data privacy act exemptions
A cabinet resolution has approved a draft Royal Decree on temporary exemption of PDPA enforcement for some organisations and businesses.
Procurement of power from community-based power projects
These projects are intended to help generate and distribute income to local communities and promote their participation in local power projects.
Updated standards for e-meeting security
The Emergency Decree requires that electronic meetings follow the security protocols set forth under a notification from the Ministry of Information and Communication Technology.
Waste to energy projects in Thailand
A brief overview of the legal issues related to the development of a municipal solid waste to energy project.
Scrutinising CP Group’s acquisition of Tesco
The decision of Thailand’s competition authorities will set a precedent regarding merger control and provide clarity on market definitions.
PPP projects in Thailand’s EEC
Thailand will continue to aggressively move forward with legislation that streamlines implementation of important PPP projects. This legislative trend presents new opportunities for foreign and local investors alike, with a focus particularly in Thailand’s infrastructure sector ...
Community-based power projects in Thailand
A feed-in tariff scheme for power generated by community-based projects has been approved.
Thailand Plus incentives under BOI
The two new incentives encourage companies to move from overseas to Thailand.
Thailand’s OTCC issues first industry-specific conduct guidelines
Guidelines on the conduct between wholesale and retail business operators and their trade partners announced by the Office of Trade Competition Commission.
Amendment to the Consumer Protection Act 
The Act strengthens the law relating to the safety of products and services.
Personal Data Protection Act published in the Government Gazette
Business operators should ensure that their businesses comply with the PDPA.
Amendment to Thai Arbitration Act
The Amendment expands the ability of foreign arbitrators and representatives to act in arbitral proceedings.
Update on Stamp Duty regulating electronic transactions
A new notification requires parties who enter certain electronic transactions to pay stamp duty in cash.
Ministerial Regulation removing back office services from the Foreign Business Operations Act announced
Certain back office service businesses will no longer require a foreign business licence.
Developments in Thai M&A
Corrupt practices, environmental breaches and merger filing are becoming more significant priorities for clients ...
Thailand: Projects and Energy
Commentary on the latest developments in the Thai projects and energy sector ...
Secondary laws under the Trade Competition Act BE 2560
The enactment of these five Notifications represents a significant leap of progress.
Thailand Update: Amendment to Work Permit Law
In response to criticism, the government decided to amend the Emergency Decree on Managing of Foreigners with relaxed penalties ...
Leasing of residential buildings − A contract-controlled business
The Contract Committee of The Consumer Protection Board recently announced a new Notification which designates the lease of residential property as a “contract-controlled business”.
New Mining Regulations for Thailand
On 30th January 2018, the Ministry of Industry issued a new notification regarding prohibited actions for foreigners ...
Mergers and acquisitions in Thailand
A number of factors are making Thailand a target of choice for international and regional investment ...
Thailand Anti-Corruption Update
National Anti-Corruption Commission Guidelines to Supplement Section 123/5 of the Organic Act on Counter Corruption ...
Amendment to the Thai Civil and Commercial Code
Part IX: Combination of Limited Companies ...
Thailand: Amendment to the Public Company Act
The National Council for Peace and Order has considered the lack of clarity on conditions, procedures and time limitations related to the laws governing business operations ...
Thailand: The Act on the Amendment to the Civil Procedure Code (No. 30) B.E. 2560 (2017)
There are a number of amendments to the current Civil Procedure Code (CPC) as part of its legal execution ...
Projects & Energy Special Report: Thailand: New Minerals Act
A new Minerals Act (BE 2560 (2017) was published on March 2, 2017 and took effect on August 30, 2017 (180 days after the publication date) ...
Thailand: ERC Announcement - Purchase of Electricity From Hybrid-Renewable Energy Small Power Producers
The Energy Regulatory Commission (ERC) issued an invitation to bid for the sale of electricity from Hybrid-Renewable Energy Small Power Producers (SPP) on 4 August 2017 ...
Thailand: New Amendment to the Labor Law
The Labor Protection Act B.E. 2541 (“LPA”) was first enacted in February 1998; the LPA has been amended several times ...
Thailand: Extension of the Reduced VAT Rate
Value added tax (VAT) is an indirect, non-cumulative, consumption tax levied on the supply of goods or provision of services in Thailand ...
Thailand: Ten year visa extension
Due to the rapidly increasing number of foreign senior-citizens seeking Thailand as a retirement destination, Thailand’s Cabinet recently approved the ten-year retirement visa extension ...
Thailand: The New Trade Competition Act
On 24 March 2017, the National Legislative Assembly (the “NLA”) in Thailand passed the final reading of the draft Trade Competition Act ...
Thailand: Amendment to BOI Act to create new BOI benefits
The Thai government has recently been promoting “Thailand 4.0”, which refers to creative and innovative industries ... as a master plan to pull Thailand out of the middle-income trap and toward becoming a high-income country ...
Energising Thailand’s M&A sector
With a focus on the energy and natural resources sector, Chandler & Thong-ek Partner Ratana Poonsombudlert answers our questions on Thailand’s M&A present and future
Related Articles
Related Articles by Jurisdiction
Scrutinising CP Group’s acquisition of Tesco
The decision of Thailand’s competition authorities will set a precedent regarding merger control and provide clarity on market definitions.
Latest Articles