Section 19 - The Data Controller shall not collect, use, or disclose Personal Data, unless the data subject has given consent prior toSection 20 - In the event that the data subject is a minor who is not sui juris by marriage or has noSection 21 - The Data Controller shall collect, use, or disclose Personal Data according to the purpose notified to the data subject priorSection 22 - The collection of Personal Data shall be limited to the extent necessary in relation to the lawful purpose of theSection 23 - In collecting the Personal Data, the Data Controller shall inform the data subject, prior to or at the time ofSection 24 - The Data Controller shall not collect Personal Data without the consent of the data subject, unless:Section 25 - The Data Controller shall not collect Personal Data from any other source, apart from the data subject directly, except where:Section 26 - Any collection of Personal Data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminalSection 27 - The Data Controller shall not use or disclose Personal Data without the consent of the data subject, unless it isSection 28 - In the event that the Data Controller sends or transfers the Personal Data to a foreign country, the destination countrySection 29 - In the event that the Data Controller or the Data Processor who is in the Kingdom of Thailand has put
Section 43 - There shall be an Office of the Personal Data Protection Committee, whose objectives are to protect Personal Data, encourage andSection 44 - In addition to the Office’s duty to carry out its operations to achieve the objectives as set out in sectionSection 45 - In carrying out the Office’s operation, apart from those stipulated under section 44, the Office shall also have the powerSection 46 - The fund and properties used in the Office’s business operations shall consist of the following:Section 47 - The immovable properties that the Office acquires by the purchase or exchange using the Office’s revenue in section 46 (4)Section 48 - There shall be a commission supervising the Office of Personal Data Protection Committee consisting of a Chairperson, who is selectedSection 49 - There shall be a selection committee of eight members, consisting of the persons appointed by the Committee, having the dutySection 50 - In selecting the Chairperson and the honorary director in section 48, the selection committee shall select the persons who haveSection 51 - The Chairperson and the honorary director in section 48 shall hold office for a term of four years.Section 52 - n the case where the Chairperson or the honorary director in section 48 vacates office before the expiration of theSection 53 - At a meeting of the commission supervising the Office of Personal Data Protection Committee, the presence of not less thanSection 54 - The Commission Supervising the Office of Personal Data Protection Committee shall have the following powers and duties:Section 55 - The commission supervising the Office of Personal Data Protection Committee shall have the power to appoint a sub-committee to performSection 56 - The Chairperson and members of the commission supervising the Office of Personal Data Protection Committee, advisers of the commission supervisingSection 57 - There shall be a Secretary-General who is appointed by the commission supervising the Office of Personal Data Protection Committee andSection 58 - A person to be appointed Secretary-General must have the qualifications as follows:Section 59 - Any person holding any of the following prohibiting characteristics shall not be Secretary-General:Section 60 - The Secretary-General shall hold office for each term of four years and may be reappointed. However, the Secretary-General shall notSection 61 - In each year, the performance of the Secretary-General shall be evaluated in accordance with the period and method prescribed bySection 62 - In addition to vacating office upon the expiration of the term in section 60, the Secretary-General shall vacate office upon:Section 63 - The Secretary-General shall have the following duties andSection 64 - In the Office’s affairs related to the third party, the Secretary-Section 65 - The commission supervising the Office of Personal Data Protection Committee shall be responsible for determining salary rate and other benefitsSection 66 - In the interests of administration of the Office, the Secretary- General may request a civil official, staff, officer, or employeeSection 67 - For the civil official or government official who is working in compensation for the scholarship granted to him or herSection 68 - Accounting of the Office shall be made in accordance with international standards according to the forms and rules prescribed bySection 69 - The Office shall prepare financial statements and accountingSection 70 - The Office shall prepare an annual operation report and submit to the commission supervising the Office of Personal Data Protection
Section 79 - Any Data Controller who violates the provisions under section 27 paragraph one or paragraph two, or fails to comply withSection 80 - ny person who comes to know the Personal Data of another person as a result of performing duties under thisSection 81 - In the case where the offender who commits the offense under this Act is a juristic person and the offenseSection 82 - Any Data Controller who fails to comply with section 23, section 30 paragraph four, section 39 paragraph one, section 41Section 83 - Any Data Controller who violates or fails to comply with section 21, section 22, section 24, section 25 paragraph one,Section 84 - Any Data Controller who violates section 26 paragraph one or three, or section 27 paragraph one or paragraph two, orSection 85 - Any Data Processor who fails to comply with section 41 paragraph one, or section 42 paragraph two or three, shallSection 86 - Any Data Processor who fails to comply with section 40 without appropriate reasons, or fails to send or transfer theSection 87 - Any Data Processor who send or transfer the Personal Data under section 26 paragraph one or three, by not complyingSection 88 - Any representative of the Data Controller or of the Data Processor who fails to comply with section 39 paragraph oneSection 89 - Any person who fails to act in compliance with the order given by the expert committee, or fails to provideSection 90 - The expert committee shall have the power to render the punishment a s an administrative fine prescribed in this Part.
This Act shall come into force on the day following the date of its publication in the Government Gazette, except for the provisions of Chapter II, Chapter III, Chapter V, Chapter VI, Chapter VII, and section 95, and section 96, which shall come into effect after the lapse of a period of one year from the date of its publication in the Government Gazette.
The rules and procedures on the selection of persons to be appointed as the Chairperson and honorary directors, including the selection of the Chairperson and honorary director to replace the Chairperson and the honorary director who vacates office before the expiration of the term under section 13, shall be as prescribed by the notification issued by the Cabinet by taking into account the transparency and fairness in the selection.
There shall be a selection committee of eight members having the duty to select the appropriate persons who should be appointed as the Chairperson in section 8(1) or the honorary director in section 8 (4), consisting of:
No member of the section committee shall be entitled to be nominated as the Chairperson in section 8 (1) or the honorary director in section 8 (4).
In selecting the Chairperson in section 8 (1) or the honorary
director in section 8 (4), the selection committee shall select the persons who have qualifications in section 8 (1)or section 8 (4) as the case may be, including having the qualifications and no prohibited characteristics under section 11 and agree to be nominated for the selection in the same number as the number of Chairperson to be appointed in section 8 (1) or the number of the honorary director in to be appointed in section 8 (4).
After the Chairperson in section 8 (1) or the honorary director in section 8 (4) have been selected, the selection committee shall submit the name of Chairperson in section 8
(1) or the honorary director in section 8 (4) together with the evidence of qualifications and no prohibited characteristics as well as the consent of such persons to the Cabinet for the appointment as the Chairperson in section 8 (1) or the honorary director in section 8 (4).
The Prime Minister shall publish names of the Chairperson in section 8 (1) or honorary directors in section 8 (4) who are appointed by the Cabinet in the Government Gazette.
In addition to vacating office upon the expiration of the term under section 12, the Chairperson and the honorary director vacates office upon:
section 11 In the case where the Chairperson or the honorary director vacates office before
In the meeting of the sub-committee, the substances of sections 14 and 15 shall apply mutatis mutandis.
In the event that the data subject is a minor who is not sui juris by marriage or has no capacity as a sui juris person under section 27 of the Civil and Commercial Code, the request for the consent from such data subject shall be made as follows:
(1) In the event that the minor’s giving of consent is not any act which the minor may be entitled to act alone as prescribed under section 22, section 23, or section 24 of the Civil and Commercial Code, such act also requires consent of the holder of parental responsibility over the child;
(1) the purpose of the collection for use or disclosure of the Personal Data, including the purpose which is permitted under section 24 for the collection of Personal Data without the data subject's consent;
(6) the rights of the data subject under section 19 paragraph five, section 30 paragraph one, section 31 paragraph one, section 32 paragraph one, section 33 paragraph one, section 34 paragraph one, section 36 paragraph one, and section 73 paragraph one.
(2) it is a collection of Personal Data which falls within the exceptions to request consent under section 24 or section 26.
The provisions with respect to notice of the new purpose in section 21, and the notice of information details in section 23 shall apply mutatis mutandis to the collection of the Personal Data which requires consent in paragraph one, except for the following circumstances:
(4) the Data Controller is aware of or acquires such Personal Data from his or her duty or occupation or profession, and shall maintain new purposes or certain information details as prescribed in section 23 with confidentiality as required by law.
The Data Controller shall not use or disclose Personal Data without the consent of the data subject, unless it is the Personal Data which is collected without requirement of consent under section 24 or section 26.
In the event that the Data Controller uses or discloses the Personal Data which is exempted from consent requirement in paragraph one, the Data Controller shall maintain a record of such use or disclosure in the record under section 39.
In the event that the Data Controller sends or transfers the Personal Data to a foreign country, the destination country or international organization that receives such Personal Data shall have adequate data protection standard, and shall be carried out in accordance with the rules for the protection of Personal Data as prescribed by the Committee in section 16(5), except in the following circumstances:
In the event that the Data Controller or the Data Processor who is in the Kingdom of Thailand has put in place a Personal Data protection policy regarding the sending or transferring of Personal Data to another Data Controller or Data Processor who is in a foreign country, and is in the same affiliated business, or is in the same group of undertakings, in order to jointly operate the business or group of undertakings. If such Personal Data protection policy has been reviewed and certified by the Office, the sending or transferring of Personal Data to a foreign country, which is in accordance with such reviewed and certified Personal Data protection policy, can be carried out and shall be exempt from compliance with section 28.
In the absent of a decision by the Committee in accordance with section 28, or the Personal Data protection policy referred in paragraph one, the Data Controller or the Data Processor may send or transfer the Personal Data to a foreign country in exemption to compliance with section 28, if the Data Controller or the Data Processor provides suitable protection measures which enable the enforcement of the data subject’s rights, including effective legal remedial measures according to the rules and methods as prescribed and announced by the Committee.
In the case that the Data Controller rejects the requests in paragraph one, the Data Controller shall record its rejection together with supporting reasons in the record as prescribed in section 39.
The Personal Data in paragraph one must be the Personal Data that the data subject has given consent for the collection, use, or disclosure of such Personal Data according to the rules under this Act, or the Personal Data that is exempted from consent requirements under section 24 (3), or any other Personal Data referred to under section 24 as prescribed by the Committee.
The exercise of rights of the data subject in paragraph one shall not apply to the sending or transferring of Personal Data by the Data Controller which is the performance of a task carried out in the public interest, or for compliance with law, or such exercise of rights shall not violate the rights and freedoms of others. In the event that the Data Controller rejects the request by such reasons, the Data Controller shall make a record of such rejection of the request together with reasons in the record as prescribed in section 39.
(1) Where the Personal Data is collected with the exemption to consent requirements under section 24 (4) or (5), unless the Data Controller can prove that:
(b) or (3), the Data Controller shall record such rejection of objection request together with reasons in the record as prescribed in section 39.
(3) the data subject objects to the collection, use, or disclosure of the Personal Data referred in Section 32 (1), and the Data Controller cannot reject to such request as referred in section 32 (1) (a) or (b), or where the data subject exercise his or her right to object as referred in section 32 (2);
Paragraph one shall not apply to the extent that such Personal Data retention is necessary for the purpose of freedom of expression, the purpose under section 24 (1) or (4) or section 26(5) (a) or (b), the purpose of establishment, compliance or exercise of legal claims, or defense of legal claims, or the purpose for compliance with the law.
(1) when the Data Controller is pending examination process in accordance with the data subject's request pursuant to section 36;
(2) when it is the Personal Data which shall be erased or destroyed pursuant to section 33 (4), but the data subject requests the restriction of the use of such Personal Data instead;
(4) when the Data Controller is pending verification with regard to section 32 (1), or pending examination with regard to
section 32 (3) in order to reject the objection request made by the data subject in accordance to section 32 paragraph three.
In the case where the data subject requests the Data Controller to act in compliance with section 35, if the Data Controller does not take action regarding the request of the data subject, the Data Controller shall record such request of the data subject together with reasons, in the record as prescribed in section 39.
The provisions of section 34 paragraph two shall apply mutatis mutandis.
(3) put in place the examination system for erasure or destruction of the Personal Data when the retention period ends, or when the Personal Data is irrelevant or beyond the purpose necessary for which it has been collected, or when the data subject has request to do so, or when the data subject withdraws consent, except where the retention of such Personal Data is for the purpose of freedom of expression, the purpose under section 24 (1) or (4) or section 26 (5) (a) or (b) , the purpose of the establishment, compliance or exercise of legal claims, or defense of legal claims, or the purpose of compliance with the law. The provision in section 33 paragraph five shall be used to govern the erasure or destruction of Personal Data mutatis mutandis;
(5) in the event of being the Data Controller pursuant to section 5 paragraph two, the Data Controller shall designate in writing a representative of the Data Controller who must be in the Kingdom of Thailand and be authorized to act on behalf of the Data Controller without any limitation of liability with respect to the collection, use or disclosure of the Personal Data according to the purposes of the Data Controller.
The provisions of t h e representative designation in section 37 (5) shall not apply to the following Data Controller:
(2) the Data Controller which engages in the profession or business of collecting, using, or disclosing Personal Data, that does not have the nature pursuant to section 26, and does not have a large amount of Personal Data as prescribed by the Committee in section 41 (2).
In the event that the Data Controller in section 5 paragraph two has a Data Processor, the provisions of section 37 (5) and the provisions in paragraph one shall apply to such Data Processor mutatis mutandis.
(6) the use or disclosure under section 27 paragraph three;
(7) the rejection of request or objection according to section 30 paragraph three, section 31 paragraph three, section 32 paragraph three, and section 36 paragraph one;
(8) explanation of the appropriate security measures pursuant to section 37
Controller under section 5 paragraph two mutatis mutandis.
The provisions in (1), (2), (3), (4), (5), (6) and (8) may not apply to the Data Controller who is a small organization pursuant to the rules as prescribed by the Committee, unless the collection, use, or disclosure of such Personal Data is likely to result in a risk to the rights and freedoms of data subjects, or not a business where the collection, use, or disclosure of the Personal Data is occasional, or involving in the collection, use, or disclosure of the Personal Data pursuant to section 26.
The provisions in (3) may not apply to the Data Processor who is a small organization pursuant to the rules as prescribed by the Committee, unless the collection, use, or disclosure of such Personal Data is likely to result in a risk to the rights and freedoms of data subjects, or not a business where the collection, use, or disclosure of the Personal Data is occasional, or involving in the collection, use, or disclosure of the Personal Data pursuant to section 26.
(3) the core activity of the Data Controller or the Data Processor is the collection, use, or disclosure of the Personal Data according to section 26. In the event that the Data Controller or the Data Processor are in the same affiliated business or are in the same group of undertakings, in order to jointly operate the business or group of undertakings as prescribed and announced by the Committee according to section 29 paragraph two, such Data Controller or Data Processor may jointly designate a data protection officer. In this regard, each establishment of the Data Controller or the Data Processor in the same affiliated business or in the same group of undertakings must be able to easily contact the data protection officer.
In the event that the Data Controller or the Data Processor in paragraph one has to designate the representative according to section 37 (5), the provisions in paragraph one shall apply to the representative mutatis mutandis.
In addition to the Office’s duty to carry out its operations to achieve the objectives as set out in section 43 paragraph one, the Office shall have the duty to perform academic and administrative tasks for the Committee, the commission supervising the Office of Personal Data Protection Committee, the expert committee, and the sub-committee. The Office shall also have the following duties and power:
(3) to analyze and certify the compliance with and accuracy of the standards or measures, or the supervision mechanism in connection with Personal Data protection, as well as to review and certify the Personal Data protection policy according to section 29;
In carrying out the Office’s operation, apart from those stipulated under section 44, the Office shall also have the power and duties to carry out the following:
(1) initial budget provided by the government under section 94 paragraph one;
The immovable properties that the Office acquires by the purchase or exchange using the Office’s revenue in section 46 (4) or (5) shall be under the Office’s ownership.
The substances of section 11 and section 13 shall apply to the Chairperson and the honorary director of the Commission mutatis mutandis.
There shall be a selection committee of eight members, consisting of the persons appointed by the Committee, having the duty to select the appropriate persons who should be appointed as the Chairperson and the honorary director in section 48.
No member of the Section Committee shall be entitled to be nominated as the Chairperson and the honorary director in section 48.
In selecting the Chairperson and the honorary director in section 48, the selection committee shall select the persons who have qualifications in section 48 paragraph one, including having the qualifications and no prohibited characteristics under section 48 paragraph three and agree to be nominated for the selection in the same number as the number of Chairperson and the honorary director to be appointed in section 48.
After the total number of Chairperson and the honorary director in section 48 have been selected, the selection committee shall submit the name of Chairperson and the honorary director in section 48 together with the evidence of qualifications and no prohibited characteristics as well as the consent of such persons to the Committee for the appointment as the Chairperson and the honorary director according to section 48.
The Committee shall publish names of the appointed Chairperson and the honorary directors in section 48 in the Government Gazette.
The Chairperson and the honorary director in section 48 shall hold office for a term of four years.
n the case where the Chairperson or the honorary director in section 48 vacates office before the expiration of the term, the commission supervising the Office of Personal Data Protection Committee shall consist of all the existing members until the new Chairperson or the new honorary director is appointed. In the case where the Chairperson vacates office before the expiration of the term, the Permanent Secretary of the Ministry of Digital Economy and Society shall temporarily perform the duties of the Chairperson.
For a meeting of the sub-committee, the substances of section 53 shall apply mutatis mutandis.
(8) having been discharged on grounds of not passing the performance evaluation in accordance with section 62(4);
In addition to vacating office upon the expiration of the term in section 60, the Secretary-General shall vacate office upon:
(3) being disqualified under section 58, or under any of the prohibited characteristics under section 59;
In the event that a complainant does not comply with the rules provided in section 73 paragraph two, or the complaint filed is prohibited from being accepted for consideration under such rules, the expert committee shall not accept such complaint for consideration.
If, after the expert committee’s consideration of the complaint pursuant to section 72 (1), or the investigation of any act pursuant to section 72 (2), it is found that such complaint or act has no ground, the expert committee shall issue an order to dismiss such complaint or investigation.
The order of the expert committee in this Section shall be final.
In order to proceed in accordance with this section, when the consideration result is issued, the expert committee shall inform the complainant of such result together with the reasons. In case that the complaint is not accepted for consideration or dismissed as such complaint has already been under consideration of an official authority under other laws, the expert committee shall inform the complainant of the same. If the complainant wishes to propose such matter to the official authority under other laws, the expert committee shall proceed to do so and shall be deemed that such official authority has received such complaint from the date when the expert committee has received such complaint.
During the performance of his or her duties under this Section, the Competent Officer shall present his or her identification card to the relevant persons and be provided with reasonable facilitation by the relevant persons.
Any Data Controller who violates the provisions under section 27 paragraph one or paragraph two, or fails to comply with section 28, which relates to the Personal Data under section 26 in a manner that is likely to cause other person to suffer any damage, impair his or her reputation, or expose such other person to be scorned, hated, or humiliated, shall be punished with imprisonment for a term not exceeding six months, a fine not exceeding Baht five hundred thousand, or both.
Any Data Controller who violates the provisions under section 27 paragraph one or paragraph two, or fails to comply with section 28, which relates to the Personal Data under section 26 in order to unlawfully benefit himself or herself, or another person, shall be punished with imprisonment for a term not exceeding one year, a fine not exceeding Baht one million, or both.
The offenses under this section are compoundable offenses.
Any Data Controller who fails to comply with section 23, section 30 paragraph four, section 39 paragraph one, section 41 paragraph one, or section 42 paragraph two or paragraph three, or fails to obtain consent using a form or statement set forth by the Committee under section 19 paragraph three, or fails to notify the impact of the withdrawal of consent under section 19 paragraph six, or fails to comply with section 23 which applies mutatis mutandis according to section 25 paragraph two, shall be punished with an administrative fine not exceeding Baht one million.
Any Data Controller who violates or fails to comply with section 21, section 22, section 24, section 25 paragraph one, section 27 paragraph one or two, section 28, section 32 paragraph two, or section 37, or who obtains consent by deceiving or misleading the d ata subject about the purposes, or fails to comply with section 21 which applies mutatis mutandis according to section 25 paragraph two, or fails to send or transfer the Personal Data in accordance with section 29 paragraph one or paragraph three, shall be punished with an administrative fine not exceeding Baht three million.
Any Data Controller who violates section 26 paragraph one or three, or section 27 paragraph one or paragraph two, or section 28 in relation to the Personal Data under section 26, or fails to send or transfer the Personal Data under section 26 to be in accordance with section 29 paragraph one or paragraph three, shall be punished with an administrative fine not exceeding Baht five million.
Any Data Processor who fails to comply with section 41 paragraph one, or section 42 paragraph two or three, shall be punished with an administrative fine not exceeding Baht one million.
Any Data Processor who fails to comply with section 40 without appropriate reasons, or fails to send or transfer the Personal Data in accordance with section 29 paragraph one or three, or fails to comply with section 37 (5) which applies mutatis mutandis according to section 38 paragraph two, shall be punished with an administrative fine not exceeding Baht three million.
Any Data Processor who send or transfer the Personal Data under section 26 paragraph one or three, by not complying with section 29 paragraph one or three, shall be punished with an administrative fine not exceeding Baht five million.
Any representative of the Data Controller or of the Data Processor who fails to comply with section 39 paragraph one which applies mutatis mutandis according to section 39 paragraph two, and section 41 paragraph one which applies mutatis mutandis according to section 41 paragraph four, shall be punished with an administrative fine not exceeding Baht one million.
Any person who fails to act in compliance with the order given by the expert committee, or fails to provide statement of facts under section 75, or fails to comply with section 76(1), or fails to facilitate government officials under section 76 paragraph four, shall be punished with an administrative fine not exceeding Baht five hundred thousand.
The order to impose the administrative fine and the administrative execution shall apply mutatis mutandis according to section 74 paragraph six, and the administrative execution per paragraph three shall apply mutatis mutandis according to section 74 paragraph four.
At the early stage, the Committee shall consist of committee members under section 8 (2) and (3), and the Secretary-General shall be the committee member and secretary, who shall perform duties as necessary for the time being, but for not more than ninety days from the effective date of this Act. A Vice-Chairperson shall temporarily act as a Chairperson.
The Office shall manage to appoint a Chairperson under section 8 (1), and the honorary director under section 8 (4), within ninety days from the effective date of this Act.
A commission supervising the Office of the Personal Data Protection Committee shall be set up within ninety days from the date when the Chairperson and the honorary director are appointed in accordance with section 91.
The Secretary-General shall be appointed within ninety days from the date when the Office has been set up in accordance with section 93.
During the period when the Office has not yet been duly set up, the Office of the Permanent Secretary of the Ministry of Digital Economy and Society shall perform the duties in accordance with this Act, and the Minister shall appoint a Deputy Permanent Secretary of the Ministry of Digital Economy and Society to perform the Secretary-General's duties until there is an appointment of the Secretary-General in accordance with section 92 paragraph two.