Section 19 - The Data Controller shall not collect, use, or disclose Personal Data, unless the data subject has given consent prior to
Section 20 - In the event that the data subject is a minor who is not sui juris by marriage or has no
Section 21 - The Data Controller shall collect, use, or disclose Personal Data according to the purpose notified to the data subject prior
Section 22 - The collection of Personal Data shall be limited to the extent necessary in relation to the lawful purpose of the
Section 23 - In collecting the Personal Data, the Data Controller shall inform the data subject, prior to or at the time of
Section 24 - The Data Controller shall not collect Personal Data without the consent of the data subject, unless:
Section 25 - The Data Controller shall not collect Personal Data from any other source, apart from the data subject directly, except where:
Section 26 - Any collection of Personal Data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal
Section 27 - The Data Controller shall not use or disclose Personal Data without the consent of the data subject, unless it is
Section 28 - In the event that the Data Controller sends or transfers the Personal Data to a foreign country, the destination country
Section 29 - In the event that the Data Controller or the Data Processor who is in the Kingdom of Thailand has put
Section 43 - There shall be an Office of the Personal Data Protection Committee, whose objectives are to protect Personal Data, encourage and
Section 44 - In addition to the Office’s duty to carry out its operations to achieve the objectives as set out in section
Section 45 - In carrying out the Office’s operation, apart from those stipulated under section 44, the Office shall also have the power
Section 46 - The fund and properties used in the Office’s business operations shall consist of the following:
Section 47 - The immovable properties that the Office acquires by the purchase or exchange using the Office’s revenue in section 46 (4)
Section 48 - There shall be a commission supervising the Office of Personal Data Protection Committee consisting of a Chairperson, who is selected
Section 49 - There shall be a selection committee of eight members, consisting of the persons appointed by the Committee, having the duty
Section 50 - In selecting the Chairperson and the honorary director in section 48, the selection committee shall select the persons who have
Section 51 - The Chairperson and the honorary director in section 48 shall hold office for a term of four years.
Section 52 - In the case where the Chairperson or the honorary director in section 48 vacates office before the expiration of the
Section 53 - At a meeting of the commission supervising the Office of Personal Data Protection Committee, the presence of not less than
Section 54 - The Commission Supervising the Office of Personal Data Protection Committee shall have the following powers and duties:
Section 55 - The commission supervising the Office of Personal Data Protection Committee shall have the power to appoint a sub-committee to perform
Section 56 - The Chairperson and members of the commission supervising the Office of Personal Data Protection Committee, advisers of the commission supervising
Section 57 - There shall be a Secretary-General who is appointed by the commission supervising the Office of Personal Data Protection Committee and
Section 58 - A person to be appointed Secretary-General must have the qualifications as follows:
Section 59 - Any person holding any of the following prohibiting characteristics shall not be Secretary-General:
Section 60 - The Secretary-General shall hold office for each term of four years and may be reappointed. However, the Secretary-General shall not
Section 61 - In each year, the performance of the Secretary-General shall be evaluated in accordance with the period and method prescribed by
Section 62 - In addition to vacating office upon the expiration of the term in section 60, the Secretary-General shall vacate office upon:
Section 63 - The Secretary-General shall have the following duties and
Section 64 - In the Office’s affairs related to the third party, the Secretary-
Section 65 - The commission supervising the Office of Personal Data Protection Committee shall be responsible for determining salary rate and other benefits
Section 66 - In the interests of administration of the Office, the Secretary-General may request a civil official, staff, officer, or employee
Section 67 - For the civil official or government official who is working in compensation for the scholarship granted to him or her
Section 68 - Accounting of the Office shall be made in accordance with international standards according to the forms and rules prescribed by
Section 69 - The Office shall prepare financial statements and accounting
Section 70 - The Office shall prepare an annual operation report and submit to the commission supervising the Office of Personal Data Protection
Section 79 - Any Data Controller who violates the provisions under section 27 paragraph one or paragraph two, or fails to comply with
Section 80 - Any person who comes to know the Personal Data of another person as a result of performing duties under this
Section 81 - In the case where the offender who commits the offense under this Act is a juristic person and the offense
Section 82 - Any Data Controller who fails to comply with section 23, section 30 paragraph four, section 39 paragraph one, section 41
Section 83 - Any Data Controller who violates or fails to comply with section 21, section 22, section 24, section 25 paragraph one,
Section 84 - Any Data Controller who violates section 26 paragraph one or three, or section 27 paragraph one or paragraph two, or
Section 85 - Any Data Processor who fails to comply with section 41 paragraph one, or section 42 paragraph two or three, shall
Section 86 - Any Data Processor who fails to comply with section 40 without appropriate reasons, or fails to send or transfer the
Section 87 - Any Data Processor who sends or transfers the Personal Data under section 26 paragraph one or three, by not complying
Section 88 - Any representative of the Data Controller or of the Data Processor who fails to comply with section 39 paragraph one
Section 89 - Any person who fails to act in compliance with the order given by the expert committee, or fails to provide
Section 90 - The expert committee shall have the power to render the punishment as an administrative fine prescribed in this Part.
In the event that there is any sector-specific law governing the protection of Personal Data in any manner, any business or any entity, the provisions of such law shall apply, except:
(1) for the provisions with respect to the collection, use, or disclosure of Personal Data and the provisions with respect to the rights of data subjects including relevant penalties, the provisions of this Act shall apply additionally, regardless of whether they are repetitious with the above specific law;
(a) in the event that such law has no provision with respect to complaints;
(b) in the event that such law has the provisions giving the power to the competent official, who has the power to consider the complaints under such law, to issue an order to protect the data subject, but such power is not equal to the power of the expert committee under this Act; and either the competent official who has power under such law makes a request to the expert committee, or the data subject files a complaint with the expert committee under this Act, as the case may be.
(6) operations of data undertaken by a credit bureau company and its members, according to the law governing the operations of a credit bureau business.
(1) a Chairperson who is selected and appointed from persons having distinguished knowledge, skills, and experience in the field of Personal Data protection, consumer protection, information technology and communication, social science, law, health, finance, or any other field that must be relevant to, and useful for the protection of Personal Data;
(4) honorary directors as nine members, selected and appointed from the persons having distinguished knowledge, skills, and experience in the field of Personal Data protection, consumer protection, information technology and communication, social science, law, health, finance, or any other field that must be relevant to, and useful for the protection of Personal Data.
(6) not having been previously removed from office according to the law;
(1) to make the master plan on the operation for the promotion and protection of Personal Data, which are consistent with policies, national strategies and relevant national plans, in order to propose to the committee of the national digital economy and society, in accordance with the law governing development of the digital economy and society;
(7) to recommend the Cabinet on the enactment, or revision, of the existing laws or rules applicable to the protection of Personal Data;
(13) to perform any other acts as prescribed by this Act, or other laws, which state the duties and power of the Committee.
The Data Controller shall not collect, use, or disclose Personal Data, unless the data subject has given consent prior to or at the time of such collection, use, or disclosure, except the case where it is permitted to do so by the provisions of this Act or any other laws.
The data subject may withdraw his or her consent at any time. The withdrawal of consent shall be as easy as giving consent, unless there is a restriction of the withdrawal of consent by law, or the contract which gives benefits to the data subject. However, the withdrawal of consent shall not affect the collection, use, or disclosure of personal data that the data subject has already given consent legally under this Chapter.
(2) it can be done by the provisions of this Act or in other laws.
The collection of Personal Data shall be limited to the extent necessary in relation to the lawful purpose of the Data Controller.
(2) notification of the case where the data subject must provide his or her Personal Data for compliance with a law, or contract, or where it is necessary to provide the Personal Data for the purpose of entering into the contract, including notification of the possible effect where the data subject does not provide such Personal Data;
(6) it is necessary for compliance with a law to which the Data Controller is
(3) the use or disclosure of the Personal Data shall be carried out on an urgent basis as required by law, and suitable measures have been implemented to protect the data subject's interest;
(4) the Data Controller is aware of or acquires such Personal Data from his or her duty or occupation or profession, and shall maintain new purposes or certain information details as prescribed in section 23 with confidentiality as required by law.
(3) it is necessary for compliance with a law to achieve the purposes with
(a) preventive medicine or occupational medicine, the assessment of working capacity of the employee, medical diagnosis, the provision of health or social care, medical treatment, the management of health or social care systems and services. In the event that it is not for compliance with the law, and such Personal Data is under the responsibility of the occupational or profession practitioner or person having the duty to keep such Personal Data as confidential under the law, it must be for compliance with the contract between the data subject and the medical practitioner;
(c) employment protection, social security, national health security, social health welfare of the entitled person by law, the road accident victims protection, or social protection in which the collection of Personal Data is necessary for exercising the rights or carrying out the obligations of the Data Controller or the data subject, by providing the suitable measures to protect the fundamental rights and interest of the data subject;
In the case of the collection of the Personal Data relating to criminal record, such collection shall be carried out under the control of authorized official authority under the law, or the data protection measure has been implemented according to rules prescribed by the Committee.
(1) where it is for compliance with the law;
The Data Controller shall perform as requested in paragraph one. The request can be rejected only where it is permitted by law or pursuant to a court order, and such access and obtaining a copy of the Personal Data would adversely affect the rights and freedoms of others.
The exercise of rights of the data subject in paragraph one shall not apply to the sending or transferring of Personal Data by the Data Controller which is the performance of a task carried out in the public interest, or for compliance with law, or such exercise of rights shall not violate the rights and freedoms of others. In the event that the Data Controller rejects the request by such reasons, the Data Controller shall make a record of such rejection of the request together with reasons in the record as prescribed in section 39.
(4) the Personal Data have been unlawfully collected, used, or disclosed under
Paragraph one shall not apply to the extent that such Personal Data retention is necessary for the purpose of freedom of expression, the purpose under section 24 (1) or (4) or section 26 (5) (a) or (b), the purpose of establishment, compliance or exercise of legal claims, or defense of legal claims, or the purpose for compliance with the law.
(1) provide appropriate security measures for preventing the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of Personal Data, and such measures must be reviewed when it is necessary, or when the technology has changed in order to efficiently maintain the appropriate security and safety. It shall also be in accordance with the minimum standard specified and announced by the Committee;
(2) in the circumstance where the Personal Data is to be provided to other Persons or legal persons, apart from the Data Controller, the Data Controller shall take action to prevent such person from using or disclosing such Personal Data unlawfully or without authorization;
(3) put in place the examination system for erasure or destruction of the Personal Data when the retention period ends, or when the Personal Data is irrelevant or beyond the purpose necessary for which it has been collected, or when the data subject has requested to do so, or when the data subject withdraws consent, except where the retention of such Personal Data is for the purpose of freedom of expression, the purpose under section 24 (1) or (4) or section 26 (5) (a) or (b), the purpose of the establishment, compliance or exercise of legal claims, or defense of legal claims, or the purpose of compliance with the law. The provision in section 33 paragraph five shall be used to govern the erasure or destruction of Personal Data mutatis mutandis;
(1) carry out the activities related to the collection, use, or disclosure of Personal Data only pursuant to the instruction given by the Data Controller, except where such instruction is contrary to the law or any provisions regarding Personal Data protection under this Act;
(2) provide appropriate security measures for preventing unauthorized or unlawful loss, access to, use, alteration, correction or disclosure, of Personal Data, and notify the Data Controller of the Personal Data breach that occurred;
The Office shall act as a government agency, with the status of a juristic person. The Office shall not be deemed a public sector under the law on administrative organization of the state, or a state enterprise under the law on budget procedures or other laws.
The Office’s operation shall not be governed by the laws on labor protection, labor relations, state enterprise labor relations, social security, and workmen’s compensation. However, the staff and employees of the Office shall be entitled to compensation at the rate not less than the rate stipulated by the laws on labor protection, social security, and workmen’s compensation.
The Office shall be deemed a government agency under the law on tort liability of government official.
(11) to carry out other duties as assigned by the Committee, the commission supervising the Office of Personal Data Protection Committee, the expert committee, or the sub-committee, or as specified by law.
(5) to carry out any other acts that the law specifies to be the duties and powers of the Office, or as assigned by the Committee, the commission supervising the Office of Personal Data Protection Committee, the expert committee, or the sub-committee.
(4) to control the administration and operation of the Office and the Secretary-General to be in accordance with this Act and other related laws;
(8) to perform any other duties prescribed by this Act or other related laws as the duties and power of the Commission Supervising the Office of Personal Data Protection Committee or as assigned by the Committee or the Cabinet.
(2) to establish regulations with respect to the operations of the Office which are not contrary to or against the laws, the Cabinet resolutions and the regulations, rules, requirements, policies, resolutions or notifications prescribed by the commission supervising the Office of Personal Data Protection Committee;
The filing, refusal of acceptance, dismissal, consideration, and timeframe for the consideration of the complaints shall be in accordance with the Committee’s rule by taking into account the refusal of acceptance of the complaints or dismissal of the matter in the event that there has been the authority to consider such matter under other laws.
In the event that the Data Controller or the Data Processor does not comply with the orders provided under paragraph three (1) or (2), the provisions in connection with administrative enforcement under the law on administrative procedure shall be applied mutatis mutandis. In the event that the properties of the Data Controller or the Data Processor are to be seized, attached, or sold by auction, as required by the law on administrative procedure, the expert committee shall have the power to order such seizure, attachment, and sale by auction for such purpose.
In order to proceed in accordance with this section, when the consideration result is issued, the expert committee shall inform the complainant of such result together with the reasons. In case that the complaint is not accepted for consideration or dismissed as such complaint has already been under consideration of an official authority under other laws, the expert committee shall inform the complainant of the same. If the complainant wishes to propose such matter to the official authority under other laws, the expert committee shall proceed to do so and shall be deemed that such official authority has received such complaint from the date when the expert committee has received such complaint.
(2) an action taken in compliance with an order of a government official exercising its duties and power under the law;
Any Data Controller who violates the provisions under section 27 paragraph one or paragraph two, or fails to comply with section 28, which relates to the Personal Data under section 26 in order to unlawfully benefit himself or herself, or another person, shall be punished with imprisonment for a term not exceeding one year, a fine not exceeding Baht one million, or both.
(3) where it is a disclosure to a domestic or a foreign government agency which has authority under the law;
(5) where it is in relation to a legal lawsuit, which is openly disclosed to
In cases where a person imposed with an administrative fine refuses to pay such fine, the provisions concerning the execution of administrative orders under the administrative procedure law shall apply mutatis mutandis. In cases where there is no officer to execute an administrative order, or there is such officer but such order cannot be executed otherwise, the expert committee shall be entitled to file a lawsuit with the Administrative Court in order to demand payment of such fine. In such event, if the Administrative Court is of the opinion that the order that imposes an administrative fine is lawful, the Administrative Court may render judgment and order seizure or attachment of assets for sale by auctions, to pay such fine.