Thailand: Adopted decree on exemption of data controllers duties under the Personal Data Protection Act (PDPA)

On 17 August 2023, the Ministry of Digital Economy and Society adopted a Royal Decree outlining exceptions to data controller obligations under the Personal Data Protection Act (PDPA). This decree stipulates that data controllers are not bound to adhere to Chapters 2 and 3 of the PDPA when responding to personal data requests from specific government entities. These include the National Anti-Corruption Commission, Revenue Department, Customs Department, Excise Department, recognised local government organisations responsible for tax collection, Secretary of the Cabinet carrying out royal prerogatives, and state agencies acting under laws of public interest. The Royal Decree specifies that such requests must align with public interest objectives as sanctioned by law, without unduly burdening the data controller. Furthermore, personal data can be shared without consent when legally authorised state agencies specify the relevant statutory provisions. Both data subjects and controllers retain the right to approach the PDPA's Expert Committee for clarifications or resolutions.