Section 19 - The Data Controller shall not collect, use, or disclose Personal Data, unless the data subject has given consent prior toSection 20 - In the event that the data subject is a minor who is not sui juris by marriage or has noSection 21 - The Data Controller shall collect, use, or disclose Personal Data according to the purpose notified to the data subject priorSection 22 - The collection of Personal Data shall be limited to the extent necessary in relation to the lawful purpose of theSection 23 - In collecting the Personal Data, the Data Controller shall inform the data subject, prior to or at the time ofSection 24 - The Data Controller shall not collect Personal Data without the consent of the data subject, unless:Section 25 - The Data Controller shall not collect Personal Data from any other source, apart from the data subject directly, except where:Section 26 - Any collection of Personal Data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminalSection 27 - The Data Controller shall not use or disclose Personal Data without the consent of the data subject, unless it isSection 28 - In the event that the Data Controller sends or transfers the Personal Data to a foreign country, the destination countrySection 29 - In the event that the Data Controller or the Data Processor who is in the Kingdom of Thailand has put
Section 43 - There shall be an Office of the Personal Data Protection Committee, whose objectives are to protect Personal Data, encourage andSection 44 - In addition to the Office’s duty to carry out its operations to achieve the objectives as set out in sectionSection 45 - In carrying out the Office’s operation, apart from those stipulated under section 44, the Office shall also have the powerSection 46 - The fund and properties used in the Office’s business operations shall consist of the following:Section 47 - The immovable properties that the Office acquires by the purchase or exchange using the Office’s revenue in section 46 (4)Section 48 - There shall be a commission supervising the Office of Personal Data Protection Committee consisting of a Chairperson, who is selectedSection 49 - There shall be a selection committee of eight members, consisting of the persons appointed by the Committee, having the dutySection 50 - In selecting the Chairperson and the honorary director in section 48, the selection committee shall select the persons who haveSection 51 - The Chairperson and the honorary director in section 48 shall hold office for a term of four years.Section 52 - n the case where the Chairperson or the honorary director in section 48 vacates office before the expiration of theSection 53 - At a meeting of the commission supervising the Office of Personal Data Protection Committee, the presence of not less thanSection 54 - The Commission Supervising the Office of Personal Data Protection Committee shall have the following powers and duties:Section 55 - The commission supervising the Office of Personal Data Protection Committee shall have the power to appoint a sub-committee to performSection 56 - The Chairperson and members of the commission supervising the Office of Personal Data Protection Committee, advisers of the commission supervisingSection 57 - There shall be a Secretary-General who is appointed by the commission supervising the Office of Personal Data Protection Committee andSection 58 - A person to be appointed Secretary-General must have the qualifications as follows:Section 59 - Any person holding any of the following prohibiting characteristics shall not be Secretary-General:Section 60 - The Secretary-General shall hold office for each term of four years and may be reappointed. However, the Secretary-General shall notSection 61 - In each year, the performance of the Secretary-General shall be evaluated in accordance with the period and method prescribed bySection 62 - In addition to vacating office upon the expiration of the term in section 60, the Secretary-General shall vacate office upon:Section 63 - The Secretary-General shall have the following duties andSection 64 - In the Office’s affairs related to the third party, the Secretary-Section 65 - The commission supervising the Office of Personal Data Protection Committee shall be responsible for determining salary rate and other benefitsSection 66 - In the interests of administration of the Office, the Secretary- General may request a civil official, staff, officer, or employeeSection 67 - For the civil official or government official who is working in compensation for the scholarship granted to him or herSection 68 - Accounting of the Office shall be made in accordance with international standards according to the forms and rules prescribed bySection 69 - The Office shall prepare financial statements and accountingSection 70 - The Office shall prepare an annual operation report and submit to the commission supervising the Office of Personal Data Protection
Section 79 - Any Data Controller who violates the provisions under section 27 paragraph one or paragraph two, or fails to comply withSection 80 - ny person who comes to know the Personal Data of another person as a result of performing duties under thisSection 81 - In the case where the offender who commits the offense under this Act is a juristic person and the offenseSection 82 - Any Data Controller who fails to comply with section 23, section 30 paragraph four, section 39 paragraph one, section 41Section 83 - Any Data Controller who violates or fails to comply with section 21, section 22, section 24, section 25 paragraph one,Section 84 - Any Data Controller who violates section 26 paragraph one or three, or section 27 paragraph one or paragraph two, orSection 85 - Any Data Processor who fails to comply with section 41 paragraph one, or section 42 paragraph two or three, shallSection 86 - Any Data Processor who fails to comply with section 40 without appropriate reasons, or fails to send or transfer theSection 87 - Any Data Processor who send or transfer the Personal Data under section 26 paragraph one or three, by not complyingSection 88 - Any representative of the Data Controller or of the Data Processor who fails to comply with section 39 paragraph oneSection 89 - Any person who fails to act in compliance with the order given by the expert committee, or fails to provideSection 90 - The expert committee shall have the power to render the punishment a s an administrative fine prescribed in this Part.
This Act applies to the collection, use, or disclosure of Personal Data by a Data Controller or a Data Processor that is in the Kingdom of Thailand, regardless of whether such collection, use, or disclosure takes place in the Kingdom of Thailand or not.
In the event that a Data Controller or a Data Processor is outside the Kingdom of Thailand, this Act shall apply to the collection, use, or disclosure of Personal Data of data subjects who are in the Kingdom of Thailand, where the activities of such Data Controller or Data Processor are the following activities:
(1) the offering of goods or services to the data subjects who are in the Kingdom of Thailand, irrespective of whether the payment is made by the data subject;
(2) the monitoring of the data subject’s behavior, where the behavior takes place in the Kingdom of Thailand.
In the event that the Data Controller or the Data Processor who is in the Kingdom of Thailand has put in place a Personal Data protection policy regarding the sending or transferring of Personal Data to another Data Controller or Data Processor who is in a foreign country, and is in the same affiliated business, or is in the same group of undertakings, in order to jointly operate the business or group of undertakings. If such Personal Data protection policy has been reviewed and certified by the Office, the sending or transferring of Personal Data to a foreign country, which is in accordance with such reviewed and certified Personal Data protection policy, can be carried out and shall be exempt from compliance with section 28.
(5) in the event of being the Data Controller pursuant to section 5 paragraph two, the Data Controller shall designate in writing a representative of the Data Controller who must be in the Kingdom of Thailand and be authorized to act on behalf of the Data Controller without any limitation of liability with respect to the collection, use or disclosure of the Personal Data according to the purposes of the Data Controller.