Thailand: Implemented Personal Data Protection Act (PDPA) including data transfer provisions

On 1 June 2022, the Personal Data Protection Act (PDPA) will enter into force. The PDPA establishes the main legal bases to process personal data (consent, contract, public interest, legitimate interest of data controller). Data controllers and processors must keep records of their personal data processing activities, including key information such as the controller's details, processing purposes, collected data, access rights, retention periods, and security measures, and if a foreign entity, must designate a local representative in Thailand to perform these duties. Special categories of sensitive data require dedicated legal bases.