Thailand: Personal Data Protection Act (PDPA) in force with grace period

The Personal Data Protection Act (PDPA) is published in the Thai Official Gazette. The PDPA introduces the "Personal Data Protection Committee" as the main regulator for data protection, and is delegated to determine measures and sanctions concerning PDPA compliance and establish guidelines for personal data controllers and processors. The PDPA establishes the main legal bases to process personal data (consent, contract, public interest, legitimate interest of data controller). The personal data controllers and processors are obliged to notify the data subject about data collection practices, maintain records of personal data processing activities, appoint a Data Protection Officer and notify data breaches. Special categories of sensitive data require dedicated legal bases. The following rights are granted to data subjects: the right to be informed on the data processing, the right to access a copy of personal data, the right to rectification of incomplete or inaccurate data, the right to erasure, the right to opt-out from certain types of data collection or use, and the right to data portability. Finally, dedicated administrative and criminal penalties are introduced. The Personal Data Protection Committee shall be established within 90 days from the adoption of the law and must start enforcing the PDPA within one year from the law promulgation.