Thailand’s Government has finally published the Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”) in the Government Gazette, and the Act has thus become effective from 27th May 2019. The Act was approved and endorsed by the National Legislative Assembly on 28th February 2019, and was thereafter submitted for royal endorsement and subsequent publication in the Government Gazette. The PDPA will provide Thailand with its very first consolidated law to govern data protection in the country. Thailand’s Government has largely drawn concepts from the EU General Data Protection Regulation (GDPR), with certain modifications suitable to the national perspective. Thus Lexology reports that “compliance with the GDPR does not necessarily mean compliance with the PDPA”.

Key takeaways from the PDPA

What is 'personal data'?

The PDPA defines it broadly as “information relating to a person which is identifiable, directly or indirectly”. The Act clarifies that information relating to private businesses and deceased persons is excluded from the Act.

“Sensitive personal data”: the Act provides a specific category of “sensitive personal data”, which includes “personal data pertaining to racial or ethnic origin, political opinions, religious or philosophical belief, criminal record, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, and prohibits the collection of sensitive personal data without express consent from the data subject, except in certain prescribed circumstances (e.g., medical emergency or as required by law)”, as per Hunton Privacy Blog.

What is 'data controller'?

It is defined as a…
