Last review date: 10 January 2024
☒ omnibus – all personal data
☒ sector-specific — e.g., financial institutions, governmental bodies
☒ constitutional
Omnibus
Thailand's Personal Data Protection Act B.E. 2562 (2019) (PDPA), as a consolidated/omnibus law, was approved by the National Legislative Assembly in February 2019 and published in the Government Gazette in May 2019. It is the first consolidated legislation governing the collection, use, disclosure, and cross-border transfer of personal data, with extraterritorial effect. Following three-year-long postponements by the Thai Government due to the COVID-19 pandemic, the PDPA became fully effective on 1 June 2022.
Following the PDPA’s effective date, several sub-regulations and guidelines under the PDPA were officially published by the Personal Data Protection Committee (PDPC), while there are a number of draft sub-regulations which are still under consideration in the pipeline.
Sector-specific
Personal data is regulated/restricted in sector-specific laws, which include the following:
- Telecommunications – The Notification of the National Telecommunications Commission Re: re: Measures to Protect the Rights of Telecommunications Service Users Related to Personal Data, Rights to Privacy, and Liberty to Communicate through Telecommunications prescribes requirements for telecommunications license holders to collect, process, and maintain the personal data of their telecommunications users.
- Credit Bureau – The Credit Information Business Act B.E. 2545 (2002) was enacted with the following objectives: (i) to control credit bureau companies and credit information transactions; (ii) to protect the rights of data subjects; and (iii) to ensure that reliable information is given to processors of credit information.
- Child Protection – The Child Protection Act B.E. 2546 (2003) prescribes protection for children, including information about children who are under 18 years of age and their parents.
- Public Health – The National Health Act B.E. 2550 (2007) provides protection for personal health information. No one shall disclose such information in a manner that causes damage to data subjects, unless consent is obtained or other exceptions apply.
- Banking and E-payment – The Payment System Act B.E. 2560 (2017) empowers the Bank of Thailand to issue notifications prescribing rules for the provision of regulated payment systems and regulated payment services in respect of the retention and disclosure of personal data of service users.
- Insurance – The Notification of the Office of Insurance Commission (OIC) Re: Rules, Methods for Issuing and Offering of Non-life Insurance Policy for Sale and the Performing of Duty of Non-life Insurance Agent, Broker and Bank B.E. 2563 (2020); and the Notification of OIC Re: Rules, Methods for Issuing and Offering of Life Insurance Policy for Sale and the Performing of Duty of Life Insurance Agent, Broker and Bank B.E. 2563 (2020) specify that an organization, agent and broker must have customers' data management, storage and protection system or procedure purs uant to the data protection laws. In addition, The Notification of OIC Re: Personal Data Protection Guideline for Non-life Insurance Business B.E. 2564 (2021); The Notification of OIC Re: Personal Data Protection Guideline for Life Insurance Business B.E. 2564 (2021); and The Notification of OIC Re: Personal Data Protection Guideline for Loss Adjuster Business B.E. 2564 (2021) prescribe the guidance, recommendation, and practices for personal data protection in insurance industry for compliance with the PDPA.
Government Agencies – The Official Information Act B.E. 2540 (1997) provides protection for personal data of individuals which is in the possession or control of a state agency.
Constitutional
The right to privacy has long been recognized in the Thai legal system and upheld under the Thai Constitution. Therefore, a person shall have the right to be afforded protection against undue exploitation of their personal data, as provided by law.
Theoretically, any violation of the Thai Constitution that results in damage to others may constitute a wrongful act (a tort) under the Thai Civil and Commercial Code. However, to date, no court decision that interprets the provisions of the Constitution in this light has been issued.
