Section 1 - This Act is called the "Personal Data Protection Act, B.E.2562 (2019)"Section 2 - This Act shall come into force on the day following the date of its publication in the Government Gazette, exceptSection 3 - In the event that there is any sector-specific law governing the protection of Personal Data in any manner, any businessSection 4 - This Act shall not apply to:Section 5 - This Act applies to the collection, use, or disclosure of Personal Data by a Data Controller or a Data ProcessorSection 6 - In this ActSection 7 - The Minister of Digital Economy and Society shall be in charge under this Act, and shall have the power to
Section 8 - There shall be a Personal Data Protection Committee, consisting of:Section 9 - There shall be a selection committee of eight members having the duty to select the appropriate persons who should beSection 10 - In selecting the Chairperson in section 8 (1) or the honorarySection 11 - The Chairperson and the honorary director shall have the qualifications, and shall not be under the following prohibited characteristics:Section 12 - The Chairperson and the honorary director shall hold office for a term of four years.Section 13 - In addition to vacating office upon the expiration of the term under section 12, the Chairperson and the honorary directorSection 14 - At a meeting of the Committee, the presence of not less than one-half of all the members is required toSection 15 - Any member who has a direct or indirect interest in the matter being considered in the meeting, shall inform theSection 16 - The Committee shall have the following duties and power:Section 17 - The Chairperson, the Vice-Chairperson, and Committee shall receive a meeting allowance and other benefits in accordance with the rules prescribedSection 18 - The Committee shall have the power to appoint sub-committees for considering or performing any act as prescribed by the Committee.
Part 1 - General Provisions
Section 19 - The Data Controller shall not collect, use, or disclose Personal Data, unless the data subject has given consent prior toSection 20 - In the event that the data subject is a minor who is not sui juris by marriage or has noSection 21 - The Data Controller shall collect, use, or disclose Personal Data according to the purpose notified to the data subject priorPart 2 - Personal Data Collection
Section 22 - The collection of Personal Data shall be limited to the extent necessary in relation to the lawful purpose of theSection 23 - In collecting the Personal Data, the Data Controller shall inform the data subject, prior to or at the time ofSection 24 - The Data Controller shall not collect Personal Data without the consent of the data subject, unless:Section 25 - The Data Controller shall not collect Personal Data from any other source, apart from the data subject directly, except where:Section 26 - Any collection of Personal Data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminalPart 3 - Use or Disclosure of Personal Data
Section 27 - The Data Controller shall not use or disclose Personal Data without the consent of the data subject, unless it isSection 28 - In the event that the Data Controller sends or transfers the Personal Data to a foreign country, the destination countrySection 29 - In the event that the Data Controller or the Data Processor who is in the Kingdom of Thailand has putSection 30 - The data subject is entitled to request access to and obtain copy of the Personal Data related to him orSection 31 - The data subject shall have the right to receive the Personal Data concerning him or her from the Data Controller.Section 32 - The data subject has the right to object the collection, use, or disclosure of the Personal Data concerning him orSection 33 - he data subject shall have the right to request the Data Controller to erase or destroy the Personal Data, orSection 34 - The data subject shall have the right to request the Data Controller to restrict the use of the Personal Data,Section 35 - The Data Controller shall ensure that the Personal Data remains accurate, up-to-date, complete, and not misleading.Section 36 - In the case where the data subject requests the Data Controller to act in compliance with section 35, if theSection 37 - The Data Controller shall have the following duties:Section 38 - The provisions of t h e representative designation in section 37 (5) shall not apply to the following Data Controller:Section 39 - The Data Controller shall maintain, at least, the following records in order to enable the data subject and the OfficeSection 40 - The Personal Data Processor shall have the following duties:Section 41 - The Data Controller and the Data Processor shall designate a data protection officer in the following circumstances:Section 42 - The data protection officer shall have the following duties:
Section 43 - There shall be an Office of the Personal Data Protection Committee, whose objectives are to protect Personal Data, encourage andSection 44 - In addition to the Office’s duty to carry out its operations to achieve the objectives as set out in sectionSection 45 - In carrying out the Office’s operation, apart from those stipulated under section 44, the Office shall also have the powerSection 46 - The fund and properties used in the Office’s business operations shall consist of the following:Section 47 - The immovable properties that the Office acquires by the purchase or exchange using the Office’s revenue in section 46 (4)Section 48 - There shall be a commission supervising the Office of Personal Data Protection Committee consisting of a Chairperson, who is selectedSection 49 - There shall be a selection committee of eight members, consisting of the persons appointed by the Committee, having the dutySection 50 - In selecting the Chairperson and the honorary director in section 48, the selection committee shall select the persons who haveSection 51 - The Chairperson and the honorary director in section 48 shall hold office for a term of four years.Section 52 - n the case where the Chairperson or the honorary director in section 48 vacates office before the expiration of theSection 53 - At a meeting of the commission supervising the Office of Personal Data Protection Committee, the presence of not less thanSection 54 - The Commission Supervising the Office of Personal Data Protection Committee shall have the following powers and duties:Section 55 - The commission supervising the Office of Personal Data Protection Committee shall have the power to appoint a sub-committee to performSection 56 - The Chairperson and members of the commission supervising the Office of Personal Data Protection Committee, advisers of the commission supervisingSection 57 - There shall be a Secretary-General who is appointed by the commission supervising the Office of Personal Data Protection Committee andSection 58 - A person to be appointed Secretary-General must have the qualifications as follows:Section 59 - Any person holding any of the following prohibiting characteristics shall not be Secretary-General:Section 60 - The Secretary-General shall hold office for each term of four years and may be reappointed. However, the Secretary-General shall notSection 61 - In each year, the performance of the Secretary-General shall be evaluated in accordance with the period and method prescribed bySection 62 - In addition to vacating office upon the expiration of the term in section 60, the Secretary-General shall vacate office upon:Section 63 - The Secretary-General shall have the following duties andSection 64 - In the Office’s affairs related to the third party, the Secretary-Section 65 - The commission supervising the Office of Personal Data Protection Committee shall be responsible for determining salary rate and other benefitsSection 66 - In the interests of administration of the Office, the Secretary- General may request a civil official, staff, officer, or employeeSection 67 - For the civil official or government official who is working in compensation for the scholarship granted to him or herSection 68 - Accounting of the Office shall be made in accordance with international standards according to the forms and rules prescribed bySection 69 - The Office shall prepare financial statements and accountingSection 70 - The Office shall prepare an annual operation report and submit to the commission supervising the Office of Personal Data Protection
Section 71 - The Committee shall appoint one or more expert committees based upon their field of expertise, or as the Committee deemsSection 72 - The expert committee shall have the following duties andSection 73 - The data subject has the right to file a complaint in the event that the Data Controller or the DataSection 74 - In the event that a complainant does not comply with the rules provided in section 73 paragraph two, or theSection 75 - The expert committee shall have the power to order any person to submit documents or information in connection with theSection 76 - In order to act in accordance with this Act , the Competent Officer shall have the following duties and power:
Part 1 - Criminal Liability
Section 79 - Any Data Controller who violates the provisions under section 27 paragraph one or paragraph two, or fails to comply withSection 80 - ny person who comes to know the Personal Data of another person as a result of performing duties under thisSection 81 - In the case where the offender who commits the offense under this Act is a juristic person and the offensePart 2 - Administrative Liability
Section 82 - Any Data Controller who fails to comply with section 23, section 30 paragraph four, section 39 paragraph one, section 41Section 83 - Any Data Controller who violates or fails to comply with section 21, section 22, section 24, section 25 paragraph one,Section 84 - Any Data Controller who violates section 26 paragraph one or three, or section 27 paragraph one or paragraph two, orSection 85 - Any Data Processor who fails to comply with section 41 paragraph one, or section 42 paragraph two or three, shallSection 86 - Any Data Processor who fails to comply with section 40 without appropriate reasons, or fails to send or transfer theSection 87 - Any Data Processor who send or transfer the Personal Data under section 26 paragraph one or three, by not complyingSection 88 - Any representative of the Data Controller or of the Data Processor who fails to comply with section 39 paragraph oneSection 89 - Any person who fails to act in compliance with the order given by the expert committee, or fails to provideSection 90 - The expert committee shall have the power to render the punishment a s an administrative fine prescribed in this Part.Section 91 - At the early stage, the Committee shall consist of committee members under section 8 (2) and (3), and the Secretary-GeneralSection 92 - A commission supervising the Office of the Personal Data Protection Committee shall be set up within ninety days from theSection 93 - The Office shall be set up in order to operate in accordance with this Act within one year from theSection 94 - At the early stages, the Cabinet shall allocate the initial budget for the Office as necessary.Section 95 - For Personal Data that has previously been collected by a Data Controller before the effective date o f this Act,Section 96 - The issuance of the regulations and notifications in accordance with this Act shall be completed within one year from the
This Act applies to the collection, use, or disclosure of Personal Data by a Data Controller or a Data Processor that is in the Kingdom of Thailand, regardless of whether such collection, use, or disclosure takes place in the Kingdom of Thailand or not.
In the event that a Data Controller or a Data Processor is outside the Kingdom of Thailand, this Act shall apply to the collection, use, or disclosure of Personal Data of data subjects who are in the Kingdom of Thailand, where the activities of such Data Controller or Data Processor are the following activities:
“Data Processor” means a Person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of a Data Controller, whereby such Person or juristic person is not the Data Controller;
(6) to announce and establish guidance for the protection of Personal Data as guidelines which the Data Controller and the Data Processor shall comply;
In the event that the Data Controller or the Data Processor who is in the Kingdom of Thailand has put in place a Personal Data protection policy regarding the sending or transferring of Personal Data to another Data Controller or Data Processor who is in a foreign country, and is in the same affiliated business, or is in the same group of undertakings, in order to jointly operate the business or group of undertakings. If such Personal Data protection policy has been reviewed and certified by the Office, the sending or transferring of Personal Data to a foreign country, which is in accordance with such reviewed and certified Personal Data protection policy, can be carried out and shall be exempt from compliance with section 28.
In the absent of a decision by the Committee in accordance with section 28, or the Personal Data protection policy referred in paragraph one, the Data Controller or the Data Processor may send or transfer the Personal Data to a foreign country in exemption to compliance with section 28, if the Data Controller or the Data Processor provides suitable protection measures which enable the enforcement of the data subject’s rights, including effective legal remedial measures according to the rules and methods as prescribed and announced by the Committee.
In the event that the Data Controller in section 5 paragraph two has a Data Processor, the provisions of section 37 (5) and the provisions in paragraph one shall apply to such Data Processor mutatis mutandis.
The Personal Data Processor shall have the following duties:
The Data Processor, who fails to comply with (1) for the collection, use, or disclosure of the Personal Data, shall be regarded as the Data Controller for the collection, use, or disclosure of such Personal Data.
In carrying out the activities in accordance with the Data Processor's obligations as assigned by the Data Controller under paragraph one, the Data Controller shall prepare an agreement between the parties to control the activities carried out by the Data Processor to be in accordance with the Data Processor's obligations for compliance with this Act.
The provisions in (3) may not apply to the Data Processor who is a small organization pursuant to the rules as prescribed by the Committee, unless the collection, use, or disclosure of such Personal Data is likely to result in a risk to the rights and freedoms of data subjects, or not a business where the collection, use, or disclosure of the Personal Data is occasional, or involving in the collection, use, or disclosure of the Personal Data pursuant to section 26.
The Data Controller and the Data Processor shall designate a data protection officer in the following circumstances:
(1) the Data Controller or the Data Processor is a public authority as prescribed and announced by the Committee;
(2) the activities of the Data Controller or the Data Processor in the collection, use, or disclosure of the Personal Data require a regular monitoring of the Personal Data or the system, by the reason of having a large number of Personal Data as prescribed and announced by the Committee;
(3) the core activity of the Data Controller or the Data Processor is the collection, use, or disclosure of the Personal Data according to section 26. In the event that the Data Controller or the Data Processor are in the same affiliated business or are in the same group of undertakings, in order to jointly operate the business or group of undertakings as prescribed and announced by the Committee according to section 29 paragraph two, such Data Controller or Data Processor may jointly designate a data protection officer. In this regard, each establishment of the Data Controller or the Data Processor in the same affiliated business or in the same group of undertakings must be able to easily contact the data protection officer.
The provisions in paragraph two shall apply to the Data Controller or the Data Processor who is a public authority in (1) that is large in size or has several establishments mutatis mutandis.
In the event that the Data Controller or the Data Processor in paragraph one has to designate the representative according to section 37 (5), the provisions in paragraph one shall apply to the representative mutatis mutandis.
The Data Controller and the Data Processor shall have an obligation to provide the information of the data protection officer, contact address, and contact channels to the data subject and the Office. The data subject shall be able to contact the data protection officer with respect to the collection, use, or disclosure of the Personal Data and the exercise of rights of the data subject under this Act.
The personal data protection officer may be a staff of the Data Controller or the Data Processor, or a service provider under the contract with the Data Controller or the Data Processor.
(1) give advices to the Data Controller or the Data Processor, including the employees or service providers of the Data Controller or of the Data Processor with respect to compliance with this Act;
(2) investigate the performance of the Data Controller or the Data Processor, including the employees or service providers of the Data Controller or of the Data Processor with respect to the collection, use, or disclosure of the Personal Data for compliance with this Act;
(3) coordinate and cooperate with the Office in the circumstance where there are problems with respect to the collection, use, or disclosure of the Personal Data undertaken by the Data Controller or the Data Processor, including the employees or service providers of the Data Controller or of the Data Processor with respect to the compliance with this Act;
The Data Controller or the Data Processor shall support the data protection officer in performing the tasks by providing adequate tools or equipment as well as facilitate the access to the Personal Data in order to perform the duties.
The Data Controller or the Data Processor shall not dismiss or terminate the data protection officer’s employment by the reason that the data protection officer performs his or her duties under this Act. In the event that there is any problem when performing the duties, the data protection officer must be able to directly report to the chief executive of the Data Controller or the Data Processor.
The data protection officer may be able to perform other duties or tasks but the Data Controller or the Data Processor must warrant to the Office that such duties or tasks are not against or contrary to the performance of the duties under this Act.
(8) to establish course outlines and provide training of the performance of the Data Controller, Data Processor, data protection officer, employees, service providers, or the people in general;
(2) investigate any act of the Data Controller or the Data Processor, including the employees or the contractors of the Data Controller or the Data Processor in connection with the Personal Data that causes damage to the data subject;
The data subject has the right to file a complaint in the event that the Data Controller or the Data Processor, including the employees or the service providers of the Data Controller or the Data Processor violates or does not comply with this Act, or notifications issued in accordance with this Act.
(1) for the Data Controller or the Data Processor to perform, or rectify their act within the specified period of time;
(2) to prohibit the Data Controller or the Data Processor from carrying out an act which causes damage to the data subject, or for the Data Controller to carry out any act to cease the damage within the specified period of time;
In the event that the Data Controller or the Data Processor does not comply with the orders provided under paragraph three (1) or (2), the provisions in connection with administrative enforcement under the law on administrative procedure shall be applied mutatis mutandis. In the event that the properties of the Data Controller or the Data Processor are to be seized, attached, or sold by auction, as required by the law on administrative procedure, the expert committee shall have the power to order such seizure, attachment, and sale by auction for such purpose.
(1) request the Data Controller, the Data Processor, or any person in writing, to provide information or submit any documents or evidence in connection with the actions or offenses under this Act;
(2) investigate and collect facts, and report to the expert committee in the event that the Data Controller, the Data Processor, or any person, has committed an offense or caused damage due to their violation of or non-compliance with this Act or notifications issued in accordance with this Act.
The Data Controller or the Data Processor, whose operation in relation to Personal Data violates or fails to comply with the provisions of this Act which causes damages to the data subject, shall compensate the data subject for such damages, regardless of whether such operation is performed intentionally or negligently, except where the Data Controller or the Data Processor can prove that such operation was a result of:
The court shall have the power to order the Data Controller or the Data Processor to pay punitive damages in addition to the actual compensation rendered
by the court as deems fit, but shall not exceeding two times of such actual compensation amount, by taking into account the relating circumstances such as the severity of damages incurred by the data subject, the interest obtained by the Data Controller or the Data Processor, the financial status of the Data Controller or the Data Processor, remedy provided by the Data Controller or the Data Processor, or the data subject’s act in contributing to cause the damages.
The claim for compensation from the wrongful act against the Personal Data under this Act shall be barred by prescription after the lapse of three years from the date that the injured person know of the damages and the identity of the Data Controller or the Data Processor who is to be liable, or after ten years from the date of which the wrongful act against the Personal Data took place.
Any Data Processor who fails to comply with section 41 paragraph one, or section 42 paragraph two or three, shall be punished with an administrative fine not exceeding Baht one million.
Any Data Processor who fails to comply with section 40 without appropriate reasons, or fails to send or transfer the Personal Data in accordance with section 29 paragraph one or three, or fails to comply with section 37 (5) which applies mutatis mutandis according to section 38 paragraph two, shall be punished with an administrative fine not exceeding Baht three million.
Any Data Processor who send or transfer the Personal Data under section 26 paragraph one or three, by not complying with section 29 paragraph one or three, shall be punished with an administrative fine not exceeding Baht five million.
Any representative of the Data Controller or of the Data Processor who fails to comply with section 39 paragraph one which applies mutatis mutandis according to section 39 paragraph two, and section 41 paragraph one which applies mutatis mutandis according to section 41 paragraph four, shall be punished with an administrative fine not exceeding Baht one million.
In determining whether to issue an order to impose an administrative fine, the expert committee shall take into consideration the severity of the circumstances of the act of offense, size of the business of the Data Controller or the Data Processor, or other circumstances according to the rules prescribed by the Committee.
