Thailand: Entry into force with grace period of Personal Data Protection Act (PDPA) including data protection authority governance

On 27 May 2019, the Personal Data Protection Act (PDPA) is published in the Thai Official Gazette. The PDPA introduces the "Personal Data Protection Committee" as the main regulator for data protection, and is delegated to determine measures and sanctions concerning PDPA compliance and establish guidelines for personal data controllers and processors. The PDPA establishes the main legal bases to process personal data (consent, contract, public interest, legitimate interest of data controller). The Personal Data Protection Committee shall be established within 90 days from the adoption of the law and must start enforcing the PDPA within one year from the law promulgation.