
Thailand Focus

Thailand: Personal Data Protection Act

June 2019

OVERVIEW

On 28 May 2019, the Personal Data Protection Act (“PDPA”) became law in Thailand.

The PDPA signals a new dawn in the handling of personal data. Prior to the PDPA, Thailand did not have an overarching law governing the protection of personally identifiable information. The collection, use and disclosure of personal data in Thailand were regulated to an extent by a patchwork of laws including the Constitution, sector-specific legislation and various self-regulatory codes.

The PDPA is similar to the EU General Data Protection Regulation (often referred to as GDPR) regime, bringing personal data protection law in Thailand in line with other jurisdictions.

There is a one-year grace period for organisations to become compliant with the PDPA and for the formation of the regulator and issuance of subordinate regulations.

WHAT YOU NEED TO KNOW

• The PDPA introduces two key roles in the collection, processing and transfer of personal data. The Personal Data Administrator (“Data Administrator”) will have overall responsibility to determine and control the use of personal data. The Personal Data Processor (“Data Processor”) will be responsible for using, disclosing or processing the data on behalf of, or in accordance with, the instructions of a Data Administrator.

• Affirmative consent must be obtained from the data subject in order for Data Administrators to legitimately collect personal data. Data Administrators must obtain consent for any use or disclosure of data that is beyond the original collection request. There are, however, limited circumstances in which Data Administrators may be exempt from obtaining the data subject’s consent.

• The PDPA applies to all organisations that collect, use or disclose personal data in Thailand. This is regardless of whether they are formed or recognised under Thai law, and whether they have a residence, office or place of business in Thailand.

WWW.DLAPIPER.COM

• Cross-border transfer of personal data outside of Thailand is prohibited, unless the recipient country’s data protection standard is equivalent to or higher than the PDPA. Limited exceptions are available.

• There is a one-year grace period before the PDPA is enforced. Non-compliance may attract fines, imprisonment, or both.

PDPA KEY DEFINITIONS

• Personal Data is defined as “any data pertaining to a person that enables the identification of that person, whether directly or indirectly, but specifically excluding data of the deceased”.

• Person is defined as a “natural person”. This means that the PDPA only protects the data of natural persons.

• Data Administrator is defined as “a person or an entity who determines the purposes for which and the manner in which any personal data are, or are to be processed.” Data Administrators have primary responsibility for ensuring that processing activities are compliant with the PDPA.

• Data Processor is defined as “a person or an entity that collects, uses, or discloses personal data on behalf of, or in accordance with, the instructions of a Data Administrator.”

THE REGULATOR

The Personal Data Committee (“Regulator”) will be established to regulate compliance with the PDPA, under the supervision of the Minister of Digital Economy and Society. Data Administrators are therefore required to cooperate with the Regulator.

CONSENT REQUIREMENTS

Consent from a data subject is required for the collection of personal data.

The PDPA requires consent to be specifically given, either in writing or through electronic means. The request must be clearly separated from other messages. The message must be delivered in a format which is easily accessible and understandable, using language that is easy to understand. The message should not be misleading or cause data subjects to misunderstand the purpose of collecting the data.

Organisations are permitted to use personal data collected before the effective date of the PDPA for the purposes for which the data was collected. To do so, organisations, through their Data Administrators, must notify their data subjects of their intention to do so and permit data subjects to opt out. This process is likely to be costly for large organisations that hold vast volumes of personal data, such as healthcare service providers, telecommunications services, financial institutions and government departments.

The Regulator can “require the Data Administrators to request consent from the data subject in accordance with the form and statement prescribed by the Committee”. However, in practice, requiring compliance through a prescribed form may prove challenging, given that Data Administrators may develop their own mechanisms for gaining and assessing consent.

If a Data Administrator uses or discloses personal data beyond the original purpose for which the data subject had given consent, further specific consent is required for each separate purpose.

Data subjects have the right to refuse to consent, and the right to withdraw any consent they have given, at any time. Following any such refusal or withdrawal of consent, Data Administrators should be wary of proceeding with the proposed data processing activity.

Sensitive Personal Data is described in the PDPA as information on a person’s race, ethnicity, political opinion, religious or philosophical beliefs, sexuality, health, genetic data, criminal record, or physical or psychological condition. The PDPA requires Sensitive Personal Data to be handled carefully. We expect the Regulator to provide further guidance on this in due course.

EXEMPTIONS

Organisations are not required to obtain consent from data subjects in the following scenarios:

• It is necessary in order to enter into or perform a contract with the data subject;

• The Data Administrator has a legal obligation to perform such data processing; or

• It is necessary for the performance of tasks carried out by a public authority or private organisation acting in the public interest.

The Regulator is expected to provide guidance on the scope of the exemptions.

TERRITORIAL SCOPE

The territorial scope of the PDPA is not limited only to organisations established or operating in Thailand.

The data protection obligations under the PDPA will generally apply to all organisations that collect, use or disclose personal data in Thailand. This is regardless of whether they are formed or recognised under Thai law, and whether they are resident or have an office or place of business in Thailand.

The extraterritorial scope of the PDPA represents a significant expansion of Thailand’s data protection obligations to cover all processing activities relating to Thailand-based data subjects.

RESTRICTIONS TO CROSS-BORDER TRANSFER

Personal data may not be transferred outside of Thailand, unless the recipient country has data protection standards commensurate with or better than the PDPA, except in cases where:

• The data subject has given consent and proper notification has been given by the Data Administrator;

• The transfer is necessary for the performance of a contract between the Data Administrator and the data subject; or

• The transfer is necessary in order to protect the vital interests of the data subject. It will be interesting to see the guidance to be published by the Regulator on what constitutes “vital interests” of the data subject.

This will have an impact on multinational organisations that routinely transfer data across borders. However, given that many organisations in Europe will already comply with similar (and likely more stringent) data protection laws, the impact of the PDPA may be limited regarding cross-border transfer of data.

NOTIFICATION OF DATA BREACH

In the event of a data breach, Data Administrators must report the breach to the Regulator without undue delay, and in any event within 72 hours of becoming aware of it.

ENFORCEMENT GRACE PERIOD

There is a one-year grace period before the PDPA is enforced. The Regulator will issue guidelines shortly to assist Data Administrators’ compliance plans.

SANCTIONS

The Regulator has authority to pursue data breaches against organisations or Data Administrators in the criminal courts.

Data breaches may attract administrative fines of up to THB 5,000,000, a maximum of one year’s imprisonment, or both.

The amount of a fine and imprisonment (if any) is dependent on the nature of the data breach. For example, a person found guilty of collecting and disclosing personal data for unlawful purposes may be liable to a fine not exceeding THB 1,000,000 or to imprisonment for a term not exceeding one year, or both.

WHAT SHOULD ORGANISATIONS DO

Consent will likely prove to be one of the biggest obstacles for many organisations, particularly relating to the processing of sensitive personal data.

Organisations should review their data protection policies and practices to ensure that they can take any necessary steps to ensure compliance with the PDPA, particularly in relation to the transfer of personal data to data processors. Steps should also be taken to nominate Data Administrators and identify Data Processors. Equally, existing personal data within organisations should be adequately protected to avoid unauthorised access or misuse of personal data.

Organisations without a presence in Thailand, but which target or monitor Thai individuals, should understand the impact of the PDPA and prepare plans to ensure their business is compliant.

Given the sanctions associated with mishandling personal data, organisations and Data Administrators should have in place stringent internal procedures to ensure compliance with the PDPA.

Key Contacts

Peter Shelford
Country Managing Partner, Bangkok
+66 2686 8500
peter.shelford@dlapiper.com

Chadaporn Ruangtoowagoon
Of Counsel, Bangkok
+66 2686 8579
chadaporn.ruangtoowagoon@dlapiper.com

Pattama Jarupunphol
Senior Associate, Bangkok
+66 2686 8574
pattama.jarupunphol@dlapiper.com

Robert Tang
Senior Consultant, Bangkok
+66 2686 8551
robert.tang@dlapiper.com

Sarita Prukaroon
Associate, Bangkok
+66 2686 8554
sarita.prukaroon@dlapiper.com

Thailand: Cyber-security Act

OVERVIEW

On 27 May 2019, the Cyber-security Act (“CSA”) became law in Thailand.

There is no grace period under the CSA, meaning the CSA was effective from 28 May 2019 onwards.

WHAT IS THE CSA?

The CSA is the first-ever law relating to cyber-security in Thailand and imposes numerous burdens on certain public and private sectors, prompting concerns over government intervention affecting the fundamental rights and privacy of individuals.

The objective of the CSA is to preserve cyber-security and provide measures to address cyber threats, which could affect national security and public order. The CSA also requires strict regulatory compliance. This increases operational costs as well as imposing additional legal and commercial risks on businesses.

WHO IS THE REGULATOR?

The CSA establishes two supervisory governmental bodies: the National Cyber-security Committee (“NCSC”) and the Cyber-security Supervisory Committee (“CSSC”).

The NCSC is responsible for producing the Cyber-security Policy and Plan. The CSSC is responsible for supervising and enforcing the CSA at the operational stage.

WHOM DOES IT APPLY TO?

The CSA applies to both public organisations and private entities that are a “Critical Information Infrastructure Entity”. The criteria to determine whether an organisation is a Critical Information Infrastructure Entity have not yet been published. Additionally, in order to qualify as a Critical Information Infrastructure Entity, the public organisation or private entity must also provide services concerning “Critical Information Infrastructure” in the following sectors:

• National Security;
• Material Public Service;
• Banking and Finance;
• Information Technology and Telecommunications;
• Transportation and Logistics;
• Energy and Public Utilities;
• Public Health; and
• Other sectors, as declared by the NCSC.

The CSA defines “Critical Information Infrastructure” as a computer or computer system used by a public organisation or private entity in its own operations concerning national security, public safety, national economic security or public interest-related infrastructure.

WHAT ARE “CYBER-SECURITY” AND “CYBER THREATS”?

• “Cyber-security” means measures or operations specified to prevent, tackle and reduce risks from domestic and international “Cyber Threats” which affect national security, economic security, military security and public order. Illustrative examples of Cyber-security are encryption, authentication, boundary firewalls and internet gateways.

• “Cyber Threats” means any unlawful act using a computer or computer system or malicious programme to harm another computer system, computer information or information, being an imminent threat that will cause damage to or affect the function of a computer, computer system or relevant information. There are three levels of Cyber Threats under the CSA, being Non-Severe, Severe and Critical. Illustrative examples of Cyber Threats are malware, phishing, and man-in-the-middle.

WHAT ARE THE KEY STATUTORY OBLIGATIONS?

A Critical Information Infrastructure Entity is subject to the following key obligations under the CSA. These obligations cover different scenarios, i.e. in advance of, in the course of and in the wake of a Cyber Threat.

Arrangement of and Compliance with Code of Conduct and Standard Framework

A Critical Information Infrastructure Entity is required to arrange and comply with its own Code of Conduct and Standard Framework in relation to Cyber-security, which should comply with the centralised Cyber-security Policy and Plan as issued by the NCSC. The Code of Conduct and Standard Framework should comprise, at a minimum, an audit and risk assessment regarding the Cyber-security and Cyber Threats response plan.

Reporting Obligations

A Critical Information Infrastructure Entity is obliged to report to the NCSC Office (i) the names of executives and operation officers taking coordinating roles regarding Cyber-security, (ii) the names and contact details of owners, possessors of computers and controllers of computer systems, and

(iii) the significant Cyber Threat incident.

The CSA requires the immediate reporting of a Cyber Threat to the regulatory authorities. On the face of it, this appears overly burdensome, given that a Critical Information Infrastructure Entity is likely to focus its time on dealing with the Cyber Threat. We anticipate there to be further guidance on the reporting requirements in the yet-to-be-published NCSC Cyber-security Policy and Plan.

Rectification of Unstandardized Cyber-security

If the Cyber-security of a Critical Information Infrastructure Entity does not meet specified minimum standards, the CSSC may order the entity to undertake remedial action.

Annual Assessment and Inspection

A Critical Information Infrastructure Entity is required to conduct an annual risk assessment and inspection relating to Cyber-security.

Surveillance of Cyber Threats

A Critical Information Infrastructure Entity must have in place procedures in relation to surveillance of Cyber Threats, including solutions to preserve Cyber-security. A Critical Information Infrastructure Entity also needs to conduct an operational readiness test in respect of tackling Cyber Threats.

In cases where Cyber Threats have occurred or may potentially occur, a Critical Information Infrastructure Entity is required to assess the situation and proceed with the measures set out in its Code of Conduct and Standard Framework, including immediately reporting to the NCSC and its supervisory authority.

WHAT SHOULD CRITICAL INFORMATION INFRASTRUCTURE ENTITIES BE AWARE OF IN CASE OF CYBER THREATS?

A Critical Information Infrastructure Entity should be alert to “Government Intervention” possibly taking place in cases of severe and critical Cyber Threats.

In cases where severe Cyber Threats occur or are likely to occur, the CSSC is authorised to access information, enter the premises of relevant or suspicious persons, and confiscate computer equipment relating to the Cyber Threat, upon the issuance of an emergency court warrant. However, if there are credible grounds that a computer or computer system is linked to a Cyber Threat, the CSSC may take action without the need to obtain a court warrant.

In case of emergency and critical Cyber Threats, the National Security Council will take over the role of the CSSC, whilst the NCSC is also empowered to proceed with preventive and remedial actions as necessary prior to the issuance of the emergency court warrant. Further, the NCSC or CSSC is permitted to request real-time information from any person linked to a critical Cyber Threat.

It is also important to note that the CSA only allows appeals in respect of governmental orders regarding non-severe Cyber Threats.

WHAT ARE THE PENALTIES IMPOSED BY THE CSA FOR NON-COMPLIANCE?

The NCSC may file criminal proceedings against a Critical Information Infrastructure Entity for a breach of the CSA.

A wide range of sanctions (i.e. fines and imprisonment) may be imposed. The fine and term of imprisonment will depend on the nature and severity of the offence. The CSA may additionally impose a daily administrative fine in cases where a regulatory order has been disregarded during a severe Cyber Threat incident.

For example, the criminal court may impose a daily fine of up to THB 10,000 for a breach of certain provisions of the CSA until the breach is cured, or impose a maximum fine of THB 300,000 for failing to comply with a CSSC Order during a severe Cyber Threat, or impose a maximum term of imprisonment of 3 years. It is important to note that there are violations that may attract both a fine and a term of imprisonment.

Directors or responsible persons of juristic entities may be personally liable under the CSA if a violation of the CSA results from their order, action or omission.

WHAT ARE THE NEXT STAGES OF CSA IMPLEMENTATION?

Although the CSA has now come into force, subordinate legislation and guidelines have yet to be published. The most anticipated regulations include the criteria for a Critical Information Infrastructure Entity and the centralised Cyber-security Policy and Plan. These regulations are necessary so that affected entities may prepare their Code of Conduct and Standard Framework in compliance with the CSA.

Key Contacts

Peter Shelford
Country Managing Partner, Bangkok
+66 2686 8500
peter.shelford@dlapiper.com

Don Rojanapenkul
Partner, Bangkok
+66 2686 8500
don.rojanapenkul@dlapiper.com

Ekasit Suttawat
Senior Associate, Bangkok
+66 2686 8596
ekasit.suttawat@dlapiper.com

Robert Tang
Senior Consultant, Bangkok
+66 2686 8551
robert.tang@dlapiper.com

Thawalkorn Pattanachote
Legal Assistant, Bangkok
+66 2686 8573
thawalkorn.pattanachote@dlapiper.com

DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at www.dlapiper.com.
This publication is intended as a general overview and discussion of the subjects dealt with, and does not create a lawyer-client relationship. It is not intended to be,
and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on
the basis of this publication. This may qualify as “Lawyer Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
Copyright © 2019 DLA Piper. All rights reserved. | JUN19 | A01018
