Section 1 - This Act is called the "Personal Data Protection Act, B.E.2562 (2019)"Section 2 - This Act shall come into force on the day following the date of its publication in the Government Gazette, exceptSection 3 - In the event that there is any sector-specific law governing the protection of Personal Data in any manner, any businessSection 4 - This Act shall not apply to:Section 5 - This Act applies to the collection, use, or disclosure of Personal Data by a Data Controller or a Data ProcessorSection 6 - In this ActSection 7 - The Minister of Digital Economy and Society shall be in charge under this Act, and shall have the power to
Section 8 - There shall be a Personal Data Protection Committee, consisting of:Section 9 - There shall be a selection committee of eight members having the duty to select the appropriate persons who should beSection 10 - In selecting the Chairperson in section 8 (1) or the honorarySection 11 - The Chairperson and the honorary director shall have the qualifications, and shall not be under the following prohibited characteristics:Section 12 - The Chairperson and the honorary director shall hold office for a term of four years.Section 13 - In addition to vacating office upon the expiration of the term under section 12, the Chairperson and the honorary directorSection 14 - At a meeting of the Committee, the presence of not less than one-half of all the members is required toSection 15 - Any member who has a direct or indirect interest in the matter being considered in the meeting, shall inform theSection 16 - The Committee shall have the following duties and power:Section 17 - The Chairperson, the Vice-Chairperson, and Committee shall receive a meeting allowance and other benefits in accordance with the rules prescribedSection 18 - The Committee shall have the power to appoint sub-committees for considering or performing any act as prescribed by the Committee.
Part 1 - General Provisions
Section 19 - The Data Controller shall not collect, use, or disclose Personal Data, unless the data subject has given consent prior toSection 20 - In the event that the data subject is a minor who is not sui juris by marriage or has noSection 21 - The Data Controller shall collect, use, or disclose Personal Data according to the purpose notified to the data subject priorPart 2 - Personal Data Collection
Section 22 - The collection of Personal Data shall be limited to the extent necessary in relation to the lawful purpose of theSection 23 - In collecting the Personal Data, the Data Controller shall inform the data subject, prior to or at the time ofSection 24 - The Data Controller shall not collect Personal Data without the consent of the data subject, unless:Section 25 - The Data Controller shall not collect Personal Data from any other source, apart from the data subject directly, except where:Section 26 - Any collection of Personal Data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminalPart 3 - Use or Disclosure of Personal Data
Section 27 - The Data Controller shall not use or disclose Personal Data without the consent of the data subject, unless it isSection 28 - In the event that the Data Controller sends or transfers the Personal Data to a foreign country, the destination countrySection 29 - In the event that the Data Controller or the Data Processor who is in the Kingdom of Thailand has putSection 30 - The data subject is entitled to request access to and obtain copy of the Personal Data related to him orSection 31 - The data subject shall have the right to receive the Personal Data concerning him or her from the Data Controller.Section 32 - The data subject has the right to object the collection, use, or disclosure of the Personal Data concerning him orSection 33 - he data subject shall have the right to request the Data Controller to erase or destroy the Personal Data, orSection 34 - The data subject shall have the right to request the Data Controller to restrict the use of the Personal Data,Section 35 - The Data Controller shall ensure that the Personal Data remains accurate, up-to-date, complete, and not misleading.Section 36 - In the case where the data subject requests the Data Controller to act in compliance with section 35, if theSection 37 - The Data Controller shall have the following duties:Section 38 - The provisions of t h e representative designation in section 37 (5) shall not apply to the following Data Controller:Section 39 - The Data Controller shall maintain, at least, the following records in order to enable the data subject and the OfficeSection 40 - The Personal Data Processor shall have the following duties:Section 41 - The Data Controller and the Data Processor shall designate a data protection officer in the following circumstances:Section 42 - The data protection officer shall have the following duties:
Section 43 - There shall be an Office of the Personal Data Protection Committee, whose objectives are to protect Personal Data, encourage andSection 44 - In addition to the Office’s duty to carry out its operations to achieve the objectives as set out in sectionSection 45 - In carrying out the Office’s operation, apart from those stipulated under section 44, the Office shall also have the powerSection 46 - The fund and properties used in the Office’s business operations shall consist of the following:Section 47 - The immovable properties that the Office acquires by the purchase or exchange using the Office’s revenue in section 46 (4)Section 48 - There shall be a commission supervising the Office of Personal Data Protection Committee consisting of a Chairperson, who is selectedSection 49 - There shall be a selection committee of eight members, consisting of the persons appointed by the Committee, having the dutySection 50 - In selecting the Chairperson and the honorary director in section 48, the selection committee shall select the persons who haveSection 51 - The Chairperson and the honorary director in section 48 shall hold office for a term of four years.Section 52 - n the case where the Chairperson or the honorary director in section 48 vacates office before the expiration of theSection 53 - At a meeting of the commission supervising the Office of Personal Data Protection Committee, the presence of not less thanSection 54 - The Commission Supervising the Office of Personal Data Protection Committee shall have the following powers and duties:Section 55 - The commission supervising the Office of Personal Data Protection Committee shall have the power to appoint a sub-committee to performSection 56 - The Chairperson and members of the commission supervising the Office of Personal Data Protection Committee, advisers of the commission supervisingSection 57 - There shall be a Secretary-General who is appointed by the commission supervising the Office of Personal Data Protection Committee andSection 58 - A person to be appointed Secretary-General must have the qualifications as follows:Section 59 - Any person holding any of the following prohibiting characteristics shall not be Secretary-General:Section 60 - The Secretary-General shall hold office for each term of four years and may be reappointed. However, the Secretary-General shall notSection 61 - In each year, the performance of the Secretary-General shall be evaluated in accordance with the period and method prescribed bySection 62 - In addition to vacating office upon the expiration of the term in section 60, the Secretary-General shall vacate office upon:Section 63 - The Secretary-General shall have the following duties andSection 64 - In the Office’s affairs related to the third party, the Secretary-Section 65 - The commission supervising the Office of Personal Data Protection Committee shall be responsible for determining salary rate and other benefitsSection 66 - In the interests of administration of the Office, the Secretary- General may request a civil official, staff, officer, or employeeSection 67 - For the civil official or government official who is working in compensation for the scholarship granted to him or herSection 68 - Accounting of the Office shall be made in accordance with international standards according to the forms and rules prescribed bySection 69 - The Office shall prepare financial statements and accountingSection 70 - The Office shall prepare an annual operation report and submit to the commission supervising the Office of Personal Data Protection
Section 71 - The Committee shall appoint one or more expert committees based upon their field of expertise, or as the Committee deemsSection 72 - The expert committee shall have the following duties andSection 73 - The data subject has the right to file a complaint in the event that the Data Controller or the DataSection 74 - In the event that a complainant does not comply with the rules provided in section 73 paragraph two, or theSection 75 - The expert committee shall have the power to order any person to submit documents or information in connection with theSection 76 - In order to act in accordance with this Act , the Competent Officer shall have the following duties and power:
Part 1 - Criminal Liability
Section 79 - Any Data Controller who violates the provisions under section 27 paragraph one or paragraph two, or fails to comply withSection 80 - ny person who comes to know the Personal Data of another person as a result of performing duties under thisSection 81 - In the case where the offender who commits the offense under this Act is a juristic person and the offensePart 2 - Administrative Liability
Section 82 - Any Data Controller who fails to comply with section 23, section 30 paragraph four, section 39 paragraph one, section 41Section 83 - Any Data Controller who violates or fails to comply with section 21, section 22, section 24, section 25 paragraph one,Section 84 - Any Data Controller who violates section 26 paragraph one or three, or section 27 paragraph one or paragraph two, orSection 85 - Any Data Processor who fails to comply with section 41 paragraph one, or section 42 paragraph two or three, shallSection 86 - Any Data Processor who fails to comply with section 40 without appropriate reasons, or fails to send or transfer theSection 87 - Any Data Processor who send or transfer the Personal Data under section 26 paragraph one or three, by not complyingSection 88 - Any representative of the Data Controller or of the Data Processor who fails to comply with section 39 paragraph oneSection 89 - Any person who fails to act in compliance with the order given by the expert committee, or fails to provideSection 90 - The expert committee shall have the power to render the punishment a s an administrative fine prescribed in this Part.Section 91 - At the early stage, the Committee shall consist of committee members under section 8 (2) and (3), and the Secretary-GeneralSection 92 - A commission supervising the Office of the Personal Data Protection Committee shall be set up within ninety days from theSection 93 - The Office shall be set up in order to operate in accordance with this Act within one year from theSection 94 - At the early stages, the Cabinet shall allocate the initial budget for the Office as necessary.Section 95 - For Personal Data that has previously been collected by a Data Controller before the effective date o f this Act,Section 96 - The issuance of the regulations and notifications in accordance with this Act shall be completed within one year from the
(2) for the provisions with respect to complaints, provisions granting power to the expert committee to issue an order to protect the data subject, and provisions with respect to the power and duties of the Competent Official, including relevant penalties, the provisions of this Act shall apply in the following circumstances:
(b) in the event that such law has the provisions giving the power to the competent official, who has the power to consider the complaints under such law, to issue an order to protect the data subject, but such power is not equal to the power of the expert committee under this Act; and either the competent official who has power under such law makes a request to the expert committee, or data subject files a complaint with the expert committee under this Act, as the case may be.
(4) The House of Representatives, the Senate, and the Parliament, including the committee appointed by the House of Representatives, the Senate, or the Parliament, which collect, use or disclose Personal Data in their consideration under the duties and power of the House of Representatives, the Senate, the Parliament or their committee, as the case may be;
“Committee” means the Personal Data Protection Committee;
“Office” means the Office of the Personal Data Protection Committee; “Secretary-General” means the Secretary-General of the Personal Data Protection Committee;
There shall be a Personal Data Protection Committee, consisting of:
There shall be a selection committee of eight members having the duty to select the appropriate persons who should be appointed as the Chairperson in section 8(1) or the honorary director in section 8 (4), consisting of:
In the event that the person having the appointment power in (2), (3), or (4) is unable to appoint members of the selection committee in his part within forty- five days from the date of notice from the Office, the Office shall nominate the persons to the Prime Minister to consider and appoint the appropriate persons to be the selection committee on behalf of such person having the appointment power.
The selection committee shall select one member to act as the Chairperson of the selection committee and another one member to act as the Secretary of the selection committee and the Office shall perform the duty as the administrative unit of the selection committee.
In the event that any member of the selection committee is vacant, a new member must be selected to replace such vacancy without delay. During the time that no new member has been selected, the selection committee shall consist of the existing members.
No member of the section committee shall be entitled to be nominated as the Chairperson in section 8 (1) or the honorary director in section 8 (4).
director in section 8 (4), the selection committee shall select the persons who have qualifications in section 8 (1)or section 8 (4) as the case may be, including having the qualifications and no prohibited characteristics under section 11 and agree to be nominated for the selection in the same number as the number of Chairperson to be appointed in section 8 (1) or the number of the honorary director in to be appointed in section 8 (4).
After the Chairperson in section 8 (1) or the honorary director in section 8 (4) have been selected, the selection committee shall submit the name of Chairperson in section 8
In the case where the Chairperson or the honorary director vacates office before the expiration of the term, the Committee shall consist of all existing members until a new Chairperson or a new honorary director is appointed, according to paragraph two, and in the case where the Chairperson vacates office before the expiration of the term, the Vice-Chairperson shall temporarily perform duties of the Chairperson.
At a meeting of the Committee, the presence of not less than one-half of all the members is required to constitute a quorum.
The meetings of the Committee may be may be undertaken by electronic means, or any other means, as prescribed by the Committee.
Any member who has a direct or indirect interest in the matter being considered in the meeting, shall inform the Committee of such interest prior to the meeting, and such member shall be prohibited from attending the meeting that is considering such matter.
The Committee shall have the following duties and power:
(1) to make the master plan on the operation for the promotion and protection of Personal Data, which are consistent with policies, national strategies and relevant national plans, in order to propose to the committee of the national digital economy and society, in accordance with the law governing development of the digital economy and society;
(13) to perform any other acts as prescribed by this Act, or other laws, which state the duties and power of the Committee.
The Chairperson, the Vice-Chairperson, and Committee shall receive a meeting allowance and other benefits in accordance with the rules prescribed by the Cabinet.
The Chairperson of the sub-committees, the sub-committees, the Chairperson of the expert committee and expert committee appointed by the Committee shall receive a meeting allowance and other benefits in accordance with the rules prescribed by the Committee with approval of the Ministry of Finance.
The Committee shall have the power to appoint sub-committees for considering or performing any act as prescribed by the Committee.
In the meeting of the sub-committee, the substances of sections 14 and 15 shall apply mutatis mutandis.
does not deceptive or misleading to the data subject in respect to such purpose. In this regard, the Committee may require the Data Controller to request for data subject's consent in accordance with the form and statements as prescribed by the Committee.
(1) it is for the achievement of the purpose relating to the preparation of the historical documents or the archives for public interest, or for the purpose relating to research or statistics, in which the suitable measures to safeguard the data subject's rights and freedoms are put in place and in accordance with the notification as prescribed by the Committee;
Any collection of Personal Data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner, as prescribed by the Committee, is prohibited, without the explicit consent from the data subject, except where:
(d) it is for the scientific, historical, or statistic research purposes, or other public interests which must be carried out only to the extent necessary to achieve such purposes, and the suitable measures have been provided to protect the fundamental rights and interest of the data subject as prescribed by the Committee;
In the case of the collection of the Personal Data relating to criminal record, such collection shall be carried out under the control of authorized official authority under the law, or the data protection measure has been implemented according to rules prescribed by the Committee.
In the event that the Data Controller sends or transfers the Personal Data to a foreign country, the destination country or international organization that receives such Personal Data shall have adequate data protection standard, and shall be carried out in accordance with the rules for the protection of Personal Data as prescribed by the Committee in section 16(5), except in the following circumstances:
protection standards of the destination country or international organization, such problem shall be submitted to the Committee to decide. The decision made by the Committee may be reviewed when there is a new evidence convincing that the destination country or international organization that receives such Personal Data has developed adequate Personal Data protection standards.
The Personal Data protection policy, the nature of the same affiliated undertaking or affiliated business in order to jointly operate the undertaking or business, and the rules and methods for the review and certification in paragraph one shall be as prescribed and announced by the Committee.
In the absent of a decision by the Committee in accordance with section 28, or the Personal Data protection policy referred in paragraph one, the Data Controller or the Data Processor may send or transfer the Personal Data to a foreign country in exemption to compliance with section 28, if the Data Controller or the Data Processor provides suitable protection measures which enable the enforcement of the data subject’s rights, including effective legal remedial measures according to the rules and methods as prescribed and announced by the Committee.
The Committee may prescribe rules for the access to and request to obtain a copy of the Personal Data in paragraph one, including the extension of the period under paragraph four, or other rules as appropriate.
The Personal Data in paragraph one must be the Personal Data that the data subject has given consent for the collection, use, or disclosure of such Personal Data according to the rules under this Act, or the Personal Data that is exempted from consent requirements under section 24 (3), or any other Personal Data referred to under section 24 as prescribed by the Committee.
In the event that the Data Controller does not take action in accordance with paragraph one or three, the data subject shall have the right to complain to expert committee to order the Data Controller to take such action.
The Committee may announce the rules for the erasure or destruction of Personal Data, or anonymization of the Personal Data to become the anonymous data which cannot identify the data subject pursuant to paragraph one.
In the event that the Data Controller does not take action in accordance with paragraph one, the data subject shall have the right to complain to expert committee to order the Data Controller to take such action.
The Committee may prescribe and announce rules regarding the suspension of use in accordance with paragraph one.
(1) provide appropriate security measures for preventing the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of Personal Data, and such measures must be reviewed when it is necessary, or when the technology has changed in order to efficiently maintain the appropriate security and safety. It shall also be in accordance with the minimum standard specified and announced by the Committee;
(4) notify the Office of any Personal Data breach without delay and, where feasible, within 72 hours after having become aware of it, unless such Personal Data breach is unlikely to result in a risk to the rights and freedoms of the Persons. If the Personal Data breach is likely to result in a high risk to the rights and freedoms of the Persons, the Data Controller shall also notify the Personal Data breach and the remedial measures to the data subject without delay. The notification and the exemption to the notification shall be made in accordance with the rules and procedures set forth by the Committee;
(1) the Data Controller which is a public authority as prescribed and announced by the Committee;
(2) the Data Controller which engages in the profession or business of collecting, using, or disclosing Personal Data, that does not have the nature pursuant to section 26, and does not have a large amount of Personal Data as prescribed by the Committee in section 41 (2).
The provisions in (1), (2), (3), (4), (5), (6) and (8) may not apply to the Data Controller who is a small organization pursuant to the rules as prescribed by the Committee, unless the collection, use, or disclosure of such Personal Data is likely to result in a risk to the rights and freedoms of data subjects, or not a business where the collection, use, or disclosure of the Personal Data is occasional, or involving in the collection, use, or disclosure of the Personal Data pursuant to section 26.
(3) prepare and maintain records of personal data processing activities in accordance with the rules and methods set forth by the Committee.
The provisions in (3) may not apply to the Data Processor who is a small organization pursuant to the rules as prescribed by the Committee, unless the collection, use, or disclosure of such Personal Data is likely to result in a risk to the rights and freedoms of data subjects, or not a business where the collection, use, or disclosure of the Personal Data is occasional, or involving in the collection, use, or disclosure of the Personal Data pursuant to section 26.
(1) the Data Controller or the Data Processor is a public authority as prescribed and announced by the Committee;
(2) the activities of the Data Controller or the Data Processor in the collection, use, or disclosure of the Personal Data require a regular monitoring of the Personal Data or the system, by the reason of having a large number of Personal Data as prescribed and announced by the Committee;
(3) the core activity of the Data Controller or the Data Processor is the collection, use, or disclosure of the Personal Data according to section 26. In the event that the Data Controller or the Data Processor are in the same affiliated business or are in the same group of undertakings, in order to jointly operate the business or group of undertakings as prescribed and announced by the Committee according to section 29 paragraph two, such Data Controller or Data Processor may jointly designate a data protection officer. In this regard, each establishment of the Data Controller or the Data Processor in the same affiliated business or in the same group of undertakings must be able to easily contact the data protection officer.
The Committee may prescribe and announce the qualifications of the data protection officer by taking into account the knowledge or expertise with respect to the Personal Data protection.
There shall be an Office of the Personal Data Protection Committee, whose objectives are to protect Personal Data, encourage and support the country’s development regarding Personal Data protection.
In addition to the Office’s duty to carry out its operations to achieve the objectives as set out in section 43 paragraph one, the Office shall have the duty to perform academic and administrative tasks for the Committee, the commission supervising the Office of Personal Data Protection Committee, the expert committee, and the sub-committee. The Office shall also have the following duties and power:
(1) to draft the master plan on the operation for the promotion and protection of Personal Data, which are consistent with policies, national strategies and relevant national plans, and to draft the master plan and corrective measures regarding the difficulties in carrying out such policies, national strategies and national plans in order to propose to the Committee;
(4) to conduct surveys, collect information, and follow the latest updates and trends on Personal Data protection, as well as to conduct analysis and research on Personal Data protection issues that affect the country’s development, to propose to the Committee.
(9) to enter into agreements and cooperate with organizations or agencies both domestic and international, in the matters relating to the Office’s operation carried out under the Office’s duties and power, upon obtaining the approval from the Committee;
(11) to carry out other duties as assigned by the Committee, the commission supervising the Office of Personal Data Protection Committee, the expert committee, or the sub- committee, or as specified by law.
(4) to impose fees, maintenance fees, compensation, or service fees for the Office’s operations according to the Office’s objectives, in accordance with the criteria and at the rate specified by the Office, with the approval of the commission supervising the Office of Personal Data Protection Committee;
(5) to carry out any o ther acts that the law specifies to be the duties and powers of the Office, or as assigned by the Committee, the commission supervising the Office of Personal Data Protection Committee, the expert committee, or the sub-committee.
There shall be a commission supervising the Office of Personal Data Protection Committee consisting of a Chairperson, who is selected and appointed from a person having distinguished knowledge, skills and experience in Personal Data protection, the Permanent Secretary of the Ministry of Digital Economy and Society, and the Secretary-General of Office of the National Digital Economy and Society Commission as directors, and six honorary directors which, at least three persons, are selected and appointed from persons having distinguished knowledge, skills and experience in Personal Data protection, and other related areas which will be useful for the operation of the Office.
There shall be a selection committee of eight members, consisting of the persons appointed by the Committee, having the duty to select the appropriate persons who should be appointed as the Chairperson and the honorary director in section 48.
The selection committee shall select one member to act as the Chairperson of the selection committee and another one member to act as the Secretary of the selection committee and the Office shall perform the duty as the administrative unit of the selection committee.
In the event that any member of the selection committee is vacant, a new member must be selected to replace such vacancy without delay. During the time that no new member has been selected, the selection committee shall consist of the existing members.
No member of the Section Committee shall be entitled to be nominated as the Chairperson and the honorary director in section 48.
The rules and procedures of selection shall be as prescribed by the Committee by taking into account the transparency and fairness in the selection.
In selecting the Chairperson and the honorary director in section 48, the selection committee shall select the persons who have qualifications in section 48 paragraph one, including having the qualifications and no prohibited characteristics under section 48 paragraph three and agree to be nominated for the selection in the same number as the number of Chairperson and the honorary director to be appointed in section 48.
After the total number of Chairperson and the honorary director in section 48 have been selected, the selection committee shall submit the name of Chairperson and the honorary director in section 48 together with the evidence of qualifications and no prohibited characteristics as well as the consent of such persons to the Committee for the appointment as the Chairperson and the honorary director according to section 48.
The Committee shall publish names of the appointed Chairperson and the honorary directors in section 48 in the Government Gazette.
n the case where the Chairperson or the honorary director in section 48 vacates office before the expiration of the term, the commission supervising the Office of Personal Data Protection Committee shall consist of all the existing members until the new Chairperson or the new honorary director is appointed. In the case where the Chairperson vacates office before the expiration of the term, the Permanent Secretary of the Ministry of Digital Economy and Society shall temporarily perform the duties of the Chairperson.
At a meeting of the commission supervising the Office of Personal Data Protection Committee, the presence of not less than one-half of all the members is required to constitute a quorum.
The meeting of the commission supervising the Office of Personal Data Protection Committee may be undertaken by electronic means, as prescribed by the Committee.
The Commission Supervising the Office of Personal Data Protection Committee shall have the following powers and duties:
(5) to appoint a selection committee for the selection of the Secretary-General;
(8) to perform any other duties prescribed by this Act or other related laws as the duties and power of the Commission Supervising the Office of Personal Data Protection Committee or as assigned by the Committee or the Cabinet.
The commission supervising the Office of Personal Data Protection Committee shall have the power to appoint a sub-committee to perform any duties or act as assigned by the commission supervising the Office of Personal Data Protection Committee.
The commission supervising the Office of Personal Data Protection Committee may appoint persons having skills or experience that will be useful for the duties performed by the commission supervising the Office of Personal Data Protection Committee as its advisers.
The performance of duties and numbers of the sub-committee in paragraph one or persons in paragraph two shall be in accordance with those prescribed by the commission supervising the Office of Personal Data Protection Committee.
For a meeting of the sub-committee, the substances of section 53 shall apply mutatis mutandis.
The Chairperson and members of the commission supervising the Office of Personal Data Protection Committee, advisers of the commission supervising the Office of Personal Data Protection Committee, Chairperson and members of the sub- committee appointed by the commission supervising the Office of Personal Data Protection Committee shall receive a meeting allowance or other benefits according to the rules prescribed by the Committee with the approval of the Ministry of Finance.
There shall be a Secretary-General who is appointed by the commission supervising the Office of Personal Data Protection Committee and the Secretary- General has the duty to administer the affairs of the Office.
The appointment of the Secretary-General in paragraph one shall be made in accordance with the rules and methods of recruitment, as prescribed by the commission supervising the Office of Personal Data Protection Committee.
Not less than thirty days but not over sixty days before the end of the office term of the Secretary-General or within sixty days from the date that the Secretary-General vacates office before the end of the office term, the commission supervising the Office of Personal Data Protection Committee shall appoint a selection committee to select a new Secretary- General. The selection committee shall nominate not more than three appropriate persons to the commission supervising the Office of Personal Data Protection Committee.
In each year, the performance of the Secretary-General shall be evaluated in accordance with the period and method prescribed by the commission supervising the Office of Personal Data Protection Committee.
(4) being dismissed by the commission supervising the Office of Personal Data Protection Committee due to failure to pass the performance evaluation, disgraceful behavior, negligence or dishonesty in the performance of duties, or incapability.
(1) to manage the works of the Office for the achievements according to the Office’s missions and in accordance with the national policies and plans, strategic plans, policy of the Cabinet, o f the Committee and o f the commission supervising the Office of Personal Data Protection Committee and according to the rules, regulations or resolutions of the commission supervising the Office of Personal Data Protection Committee;
(2) to establish regulations with respect to the operations of the Office which are not contrary to or against the laws, the Cabinet resolutions and the regulations, rules, requirements, policies, resolutions or notifications prescribed by the commission supervising the Office of Personal Data Protection Committee;
(4) to appoint the Deputy Secretary-General and the Assistant Secretary- General by the approval of the commission supervising the Office of Personal Data Protection Committee in order to act as the Secretary-General’s assistant as assigned by the Secretary- General;
(5) to recruit, appoint, promote, decrease or deduct the salary of, and to take disciplinary action against the staffs and employees of the Office, as well as to dismiss the staffs and employees of the Office according to the rules or regulations of the commission supervising the Office of Personal Data Protection Committee;
(6) to perform any act according to the regulations, rules, requirements, policies, resolutions or notifications prescribed by the Commission Supervising the Office of Personal Data Protection Committee.
The Secretary-General shall be responsible for the administration of the Office and shall directly report to the commission supervising the Office of Personal Data Protection Committee.
General shall act as the Office’s representative. In this connection, the Secretary-General may grant the power to any person to perform any specific work on his or her behalf according to the rules prescribed by the commission supervising the Office of Personal Data Protection Committee.
The commission supervising the Office of Personal Data Protection Committee shall be responsible for determining salary rate and other benefits of the Secretary-General according to the rules prescribed by the Cabinet.
Accounting of the Office shall be made in accordance with international standards according to the forms and rules prescribed by the commission supervising the Office of Personal Data Protection Committee.
The Government Audit Office or a certified public accountant approved by the Government Audit Office shall be the Office’s auditor and shall evaluate the Office’s expenditures and property on an annual basis and report the auditing results to the commission supervising the Office of Personal Data Protection Committee for certification.
The Office shall prepare an annual operation report and submit to the commission supervising the Office of Personal Data Protection Committee and the Minister within one hundred and eighty days from the date of the fiscal year-end and shall disseminate this report to the public.
The evaluation of the Office’s performance under paragraph two must be undertaken by a third party approved by the commission supervising the Office of Personal Data Protection Committee.
The Committee shall appoint one or more expert committees based upon their field of expertise, or as the Committee deems fit.
The qualifications and prohibitions, term of office, vacation from office, and other operations of the expert committee shall be in accordance with the Committee’s notification.
The expert committee shall have the following duties and
(4) carry out any other acts which are stipulated as the expert committee’s duty and power under this Act or as assigned by the Committee.
The filing, refusal of acceptance, dismissal, consideration, and timeframe for the consideration of the complaints shall be in accordance with the Committee’s rule by taking into account the refusal of acceptance of the complaints or dismissal of the matter in the event that there has been the authority to consider such matter under other laws.
In the event that a complainant does not comply with the rules provided in section 73 paragraph two, or the complaint filed is prohibited from being accepted for consideration under such rules, the expert committee shall not accept such complaint for consideration.
If, after the expert committee’s consideration of the complaint pursuant to section 72 (1), or the investigation of any act pursuant to section 72 (2), it is found that such complaint or act has no ground, the expert committee shall issue an order to dismiss such complaint or investigation.
If, after the expert committee’s consideration or investigation under paragraph two, it is found that such complaint or act can be settled, and the concerned parties are willing to settle the dispute, the expert committee shall proceed with the dispute settlement. However, if such complaint or act cannot be settled, or the dispute settlement fails, the expert committee shall have the power to issue the following orders:
In the event that the Data Controller or the Data Processor does not comply with the orders provided under paragraph three (1) or (2), the provisions in connection with administrative enforcement under the law on administrative procedure shall be applied mutatis mutandis. In the event that the properties of the Data Controller or the Data Processor are to be seized, attached, or sold by auction, as required by the law on administrative procedure, the expert committee shall have the power to order such seizure, attachment, and sale by auction for such purpose.
The issuance of the order under paragraph one, two, or three (1) or (2) shall be in accordance with the criteria and methods under the Committee’s notification.
The orders of the expert committee shall be signed by the Chairperson of the expert committee.
The order of the expert committee in this Section shall be final.
In order to proceed in accordance with this section, when the consideration result is issued, the expert committee shall inform the complainant of such result together with the reasons. In case that the complaint is not accepted for consideration or dismissed as such complaint has already been under consideration of an official authority under other laws, the expert committee shall inform the complainant of the same. If the complainant wishes to propose such matter to the official authority under other laws, the expert committee shall proceed to do so and shall be deemed that such official authority has received such complaint from the date when the expert committee has received such complaint.
The expert committee shall have the power to order any person to submit documents or information in connection with the subject matter of a complaint, or any other matter related to the protection of the Personal Data under this Act. The expert committee shall also have the power to request any person to make a statement of facts.
(2) investigate and collect facts, and report to the expert committee in the event that the Data Controller, the Data Processor, or any person, has committed an offense or caused damage due to their violation of or non-compliance with this Act or notifications issued in accordance with this Act.
In order to appoint the Competent Officer, the Minister shall consider appointing such person from the civil officials or other government officials whose position is not lower than a civil official at the operational level or equivalent, and having the qualifications in accordance with the notification issued by the Committee.
The identification card of the Competent Officer shall be in accordance with the form required by the notification of the Committee.
Any Data Controller who fails to comply with section 23, section 30 paragraph four, section 39 paragraph one, section 41 paragraph one, or section 42 paragraph two or paragraph three, or fails to obtain consent using a form or statement set forth by the Committee under section 19 paragraph three, or fails to notify the impact of the withdrawal of consent under section 19 paragraph six, or fails to comply with section 23 which applies mutatis mutandis according to section 25 paragraph two, shall be punished with an administrative fine not exceeding Baht one million.
Any person who fails to act in compliance with the order given by the expert committee, or fails to provide statement of facts under section 75, or fails to comply with section 76(1), or fails to facilitate government officials under section 76 paragraph four, shall be punished with an administrative fine not exceeding Baht five hundred thousand.
The expert committee shall have the power to render the punishment a s an administrative fine prescribed in this Part. In the event that it deems fit, the expert committee may issue an order for rectification or a warning first.
In determining whether to issue an order to impose an administrative fine, the expert committee shall take into consideration the severity of the circumstances of the act of offense, size of the business of the Data Controller or the Data Processor, or other circumstances according to the rules prescribed by the Committee.
In cases where a person imposed with an administrative fine refuses to pay such fine, the provisions concerning the execution of administrative orders under the administrative procedure law shall apply mutatis mutandis. In cases where there is no officer to execute an administrative order, or there is such officer but such order cannot be executed otherwise, the expert committee shall entitled to file a lawsuit with the Administrative Court in order to demand payment of such fine. In such event, if the Administrative Court is of the opinion that the order that imposes an administrative fine is lawful, the Administrative Court may render judgment and order seizure or attachment of assets for sale by auctions, to pay such fine.
At the early stage, the Committee shall consist of committee members under section 8 (2) and (3), and the Secretary-General shall be the committee member and secretary, who shall perform duties as necessary for the time being, but for not more than ninety days from the effective date of this Act. A Vice-Chairperson shall temporarily act as a Chairperson.
A commission supervising the Office of the Personal Data Protection Committee shall be set up within ninety days from the date when the Chairperson and the honorary director are appointed in accordance with section 91.
It shall be deemed that the civil official, official, staff, or any other operating officer in other government organizations who temporarily act as an official of the Office in accordance with paragraph two remains in his or her own position, and still receive salary or wages, as the case may be, from his or her original department. The Committee may also determine a special remuneration for the civil official, staff, official, or any other operating officer in other government organizations in accordance with paragraph two during his or her operation in the Office.