Chandler MHM

Doing Business in Thailand

Chapter 13 - Personal Data Protection

This chapter will discuss and provide basic background information on the Personal Data Protection Act, B.E. 2562 (2019) (the “PDPA”), which has been effective since 1 June 2022 after a two‐year postponement. The PDPA is the primary law regulating processing of Personal Data (as defined below). The PDPA focuses on the protection of data subjects whose Personal Data is processed, including collection, storage, use, disclosure, etc., regardless of the original source of such Personal Data. Entities that make decisions and process Personal Data (known as “Personal Data Controllers” under the PDPA) are required to have a lawful basis for processing any Personal Data and maintain proper security measures to prevent any loss, unauthorized access, use, or disclosure of Personal Data. These requirements also apply to service providers who process Personal Data as instructed by or on behalf of a Personal Data Controller (known as “Personal Data Processors” under the PDPA).