Section 1 - This Act is called the "Personal Data Protection Act, B.E.2562 (2019)"
Section 2 - This Act shall come into force on the day following the date of its publication in the Government Gazette, except
Section 3 - In the event that there is any sector-specific law governing the protection of Personal Data in any manner, any business
Section 4 - This Act shall not apply to:
Section 5 - This Act applies to the collection, use, or disclosure of Personal Data by a Data Controller or a Data Processor
Section 6 - In this Act
Section 7 - The Minister of Digital Economy and Society shall be in charge under this Act, and shall have the power to
Section 8 - There shall be a Personal Data Protection Committee, consisting of:
Section 9 - There shall be a selection committee of eight members having the duty to select the appropriate persons who should be
Section 10 - In selecting the Chairperson in section 8 (1) or the honorary
Section 11 - The Chairperson and the honorary director shall have the qualifications, and shall not be under the following prohibited characteristics:
Section 12 - The Chairperson and the honorary director shall hold office for a term of four years.
Section 13 - In addition to vacating office upon the expiration of the term under section 12, the Chairperson and the honorary director
Section 14 - At a meeting of the Committee, the presence of not less than one-half of all the members is required to
Section 15 - Any member who has a direct or indirect interest in the matter being considered in the meeting, shall inform the
Section 16 - The Committee shall have the following duties and power:
Section 17 - The Chairperson, the Vice-Chairperson, and Committee shall receive a meeting allowance and other benefits in accordance with the rules prescribed
Section 18 - The Committee shall have the power to appoint sub-committees for considering or performing any act as prescribed by the Committee.
Part 1 - General Provisions
Section 19 - The Data Controller shall not collect, use, or disclose Personal Data, unless the data subject has given consent prior to
Section 20 - In the event that the data subject is a minor who is not sui juris by marriage or has no
Section 21 - The Data Controller shall collect, use, or disclose Personal Data according to the purpose notified to the data subject prior
Part 2 - Personal Data Collection
Section 22 - The collection of Personal Data shall be limited to the extent necessary in relation to the lawful purpose of the
Section 23 - In collecting the Personal Data, the Data Controller shall inform the data subject, prior to or at the time of
Section 24 - The Data Controller shall not collect Personal Data without the consent of the data subject, unless:
Section 25 - The Data Controller shall not collect Personal Data from any other source, apart from the data subject directly, except where:
Section 26 - Any collection of Personal Data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal
Part 3 - Use or Disclosure of Personal Data
Section 27 - The Data Controller shall not use or disclose Personal Data without the consent of the data subject, unless it is
Section 28 - In the event that the Data Controller sends or transfers the Personal Data to a foreign country, the destination country
Section 29 - In the event that the Data Controller or the Data Processor who is in the Kingdom of Thailand has put
Section 30 - The data subject is entitled to request access to and obtain a copy of the Personal Data related to him or
Section 31 - The data subject shall have the right to receive the Personal Data concerning him or her from the Data Controller.
Section 32 - The data subject has the right to object to the collection, use, or disclosure of the Personal Data concerning him or
Section 33 - The data subject shall have the right to request the Data Controller to erase or destroy the Personal Data, or
Section 34 - The data subject shall have the right to request the Data Controller to restrict the use of the Personal Data,
Section 35 - The Data Controller shall ensure that the Personal Data remains accurate, up-to-date, complete, and not misleading.
Section 36 - In the case where the data subject requests the Data Controller to act in compliance with section 35, if the
Section 37 - The Data Controller shall have the following duties:
Section 38 - The provisions of the representative designation in section 37 (5) shall not apply to the following Data Controller:
Section 39 - The Data Controller shall maintain, at least, the following records in order to enable the data subject and the Office
Section 40 - The Personal Data Processor shall have the following duties:
Section 41 - The Data Controller and the Data Processor shall designate a data protection officer in the following circumstances:
Section 42 - The data protection officer shall have the following duties:
Section 43 - There shall be an Office of the Personal Data Protection Committee, whose objectives are to protect Personal Data, encourage and
Section 44 - In addition to the Office’s duty to carry out its operations to achieve the objectives as set out in section
Section 45 - In carrying out the Office’s operation, apart from those stipulated under section 44, the Office shall also have the power
Section 46 - The fund and properties used in the Office’s business operations shall consist of the following:
Section 47 - The immovable properties that the Office acquires by the purchase or exchange using the Office’s revenue in section 46 (4)
Section 48 - There shall be a commission supervising the Office of Personal Data Protection Committee consisting of a Chairperson, who is selected
Section 49 - There shall be a selection committee of eight members, consisting of the persons appointed by the Committee, having the duty
Section 50 - In selecting the Chairperson and the honorary director in section 48, the selection committee shall select the persons who have
Section 51 - The Chairperson and the honorary director in section 48 shall hold office for a term of four years.
Section 52 - In the case where the Chairperson or the honorary director in section 48 vacates office before the expiration of the
Section 53 - At a meeting of the commission supervising the Office of Personal Data Protection Committee, the presence of not less than
Section 54 - The Commission Supervising the Office of Personal Data Protection Committee shall have the following powers and duties:
Section 55 - The commission supervising the Office of Personal Data Protection Committee shall have the power to appoint a sub-committee to perform
Section 56 - The Chairperson and members of the commission supervising the Office of Personal Data Protection Committee, advisers of the commission supervising
Section 57 - There shall be a Secretary-General who is appointed by the commission supervising the Office of Personal Data Protection Committee and
Section 58 - A person to be appointed Secretary-General must have the qualifications as follows:
Section 59 - Any person holding any of the following prohibiting characteristics shall not be Secretary-General:
Section 60 - The Secretary-General shall hold office for each term of four years and may be reappointed. However, the Secretary-General shall not
Section 61 - In each year, the performance of the Secretary-General shall be evaluated in accordance with the period and method prescribed by
Section 62 - In addition to vacating office upon the expiration of the term in section 60, the Secretary-General shall vacate office upon:
Section 63 - The Secretary-General shall have the following duties and
Section 64 - In the Office’s affairs related to the third party, the Secretary-
Section 65 - The commission supervising the Office of Personal Data Protection Committee shall be responsible for determining salary rate and other benefits
Section 66 - In the interests of administration of the Office, the Secretary-General may request a civil official, staff, officer, or employee
Section 67 - For the civil official or government official who is working in compensation for the scholarship granted to him or her
Section 68 - Accounting of the Office shall be made in accordance with international standards according to the forms and rules prescribed by
Section 69 - The Office shall prepare financial statements and accounting
Section 70 - The Office shall prepare an annual operation report and submit to the commission supervising the Office of Personal Data Protection
Section 71 - The Committee shall appoint one or more expert committees based upon their field of expertise, or as the Committee deems
Section 72 - The expert committee shall have the following duties and
Section 73 - The data subject has the right to file a complaint in the event that the Data Controller or the Data
Section 74 - In the event that a complainant does not comply with the rules provided in section 73 paragraph two, or the
Section 75 - The expert committee shall have the power to order any person to submit documents or information in connection with the
Section 76 - In order to act in accordance with this Act, the Competent Officer shall have the following duties and power:
Part 1 - Criminal Liability
Section 79 - Any Data Controller who violates the provisions under section 27 paragraph one or paragraph two, or fails to comply with
Section 80 - Any person who comes to know the Personal Data of another person as a result of performing duties under this
Section 81 - In the case where the offender who commits the offense under this Act is a juristic person and the offense
Part 2 - Administrative Liability
Section 82 - Any Data Controller who fails to comply with section 23, section 30 paragraph four, section 39 paragraph one, section 41
Section 83 - Any Data Controller who violates or fails to comply with section 21, section 22, section 24, section 25 paragraph one,
Section 84 - Any Data Controller who violates section 26 paragraph one or three, or section 27 paragraph one or paragraph two, or
Section 85 - Any Data Processor who fails to comply with section 41 paragraph one, or section 42 paragraph two or three, shall
Section 86 - Any Data Processor who fails to comply with section 40 without appropriate reasons, or fails to send or transfer the
Section 87 - Any Data Processor who sends or transfers the Personal Data under section 26 paragraph one or three, by not complying
Section 88 - Any representative of the Data Controller or of the Data Processor who fails to comply with section 39 paragraph one
Section 89 - Any person who fails to act in compliance with the order given by the expert committee, or fails to provide
Section 90 - The expert committee shall have the power to render the punishment as an administrative fine prescribed in this Part.
Section 91 - At the early stage, the Committee shall consist of committee members under section 8 (2) and (3), and the Secretary-General
Section 92 - A commission supervising the Office of the Personal Data Protection Committee shall be set up within ninety days from the
Section 93 - The Office shall be set up in order to operate in accordance with this Act within one year from the
Section 94 - At the early stages, the Cabinet shall allocate the initial budget for the Office as necessary.
Section 95 - For Personal Data that has previously been collected by a Data Controller before the effective date of this Act,
Section 96 - The issuance of the regulations and notifications in accordance with this Act shall be completed within one year from the
This Act shall come into force on the day following the date of its publication in the Government Gazette, except for the provisions of Chapter II, Chapter III, Chapter V, Chapter VI, Chapter VII, and section 95, and section 96, which shall come into effect after the lapse of a period of one year from the date of its publication in the Government Gazette.
In the event that there is any sector-specific law governing the protection of Personal Data in any manner, any business or any entity, the provisions of such law shall apply, except:
(1) for the provisions with respect to the collection, use, or disclosure of Personal Data and the provisions with respect to the rights of data subjects including relevant penalties, the provisions of this Act shall apply additionally, regardless of whether they are repetitious with the above specific law;
(2) for the provisions with respect to complaints, provisions granting power to the expert committee to issue an order to protect the data subject, and provisions with respect to the power and duties of the Competent Official, including relevant penalties, the provisions of this Act shall apply in the following circumstances:
This Act shall not apply to:
The exceptions to apply all or parts of the provisions of this Act to any Data Controller in any manner, business or entity, in a similar manner to the Data Controller in paragraph one, or for any other public interest purpose, shall be promulgated in the form of the Royal Decree.
The Data Controller under paragraph one (2), (3), (4), (5), and (6) and the Data Controller of the entities that are exempted under the Royal Decree in accordance with paragraph two shall also put in place a security protection of Personal Data in accordance with the standard.
In the event that a Data Controller or a Data Processor is outside the Kingdom of Thailand, this Act shall apply to the collection, use, or disclosure of Personal Data of data subjects who are in the Kingdom of Thailand, where the activities of such Data Controller or Data Processor are the following activities:
The Minister of Digital Economy and Society shall be in charge under this Act, and shall have the power to appoint the Competent Official to perform acts under this Act.
There shall be a Personal Data Protection Committee, consisting of:
shall be a Vice-Chairperson;
The Secretary-General shall be a director and secretary, and the Secretary-General shall appoint assistant secretaries from the officials of the Office not exceeding two persons.
The rules and procedures on the selection of persons to be appointed as the Chairperson and honorary directors, including the selection of the Chairperson and honorary director to replace the Chairperson and the honorary director who vacates office before the expiration of the term under section 13, shall be as prescribed by the notification issued by the Cabinet by taking into account the transparency and fairness in the selection.
There shall be a selection committee of eight members having the duty to select the appropriate persons who should be appointed as the Chairperson in section 8(1) or the honorary director in section 8 (4), consisting of:
In the event that the person having the appointment power in (2), (3), or (4) is unable to appoint members of the selection committee in his part within forty-five days from the date of notice from the Office, the Office shall nominate the persons to the Prime Minister to consider and appoint the appropriate persons to be the selection committee on behalf of such person having the appointment power.
The selection committee shall select one member to act as the Chairperson of the selection committee and another one member to act as the Secretary of the selection committee and the Office shall perform the duty as the administrative unit of the selection committee.
In the event that any member of the selection committee is vacant, a new member must be selected to replace such vacancy without delay. During the time that no new member has been selected, the selection committee shall consist of the existing members.
No member of the selection committee shall be entitled to be nominated as the Chairperson in section 8 (1) or the honorary director in section 8 (4).
In selecting the Chairperson in section 8 (1) or the honorary director in section 8 (4), the selection committee shall select the persons who have qualifications in section 8 (1) or section 8 (4) as the case may be, including having the qualifications and no prohibited characteristics under section 11 and agree to be nominated for the selection in the same number as the number of Chairperson to be appointed in section 8 (1) or the number of the honorary director to be appointed in section 8 (4).
After the Chairperson in section 8 (1) or the honorary director in section 8 (4) have been selected, the selection committee shall submit the name of Chairperson in section 8
The Prime Minister shall publish names of the Chairperson in section 8 (1) or honorary directors in section 8 (4) who are appointed by the Cabinet in the Government Gazette.
The Chairperson and the honorary director shall have the qualifications, and shall not be under the following prohibited characteristics:
The Chairperson and the honorary director shall hold office for a term of four years.
Upon the expiration of the term of office under paragraph one, if a new Chairperson or the honorary director has not yet been appointed, the Chairperson or the honorary director whose term of office has expired, shall be in office to continue to perform his or her duties until a new Chairperson or honorary director assumes his or her duties.
The Chairperson, or the honorary director, who vacates office upon the expiration of the term, may be reappointed, but shall not seat in his or her office for more than two terms.
the expiration of the term, the person appointed to replace the vacant office shall be in office for the remaining term of office of such vacated Chairperson or honorary director, except where the remaining term of office is less than ninety days, in which case the appointment of a new Chairperson or a new honorary director may not have to be made.
In the case where the Chairperson or the honorary director vacates office before the expiration of the term, the Committee shall consist of all existing members until a new Chairperson or a new honorary director is appointed, according to paragraph two, and in the case where the Chairperson vacates office before the expiration of the term, the Vice-Chairperson shall temporarily perform duties of the Chairperson.
The Chairperson shall preside over the meeting. In the case where the Chairperson does not attend the meeting, or is unable to perform the duties, the Vice-Chairperson shall act as a chairperson of the meeting. In the case where the Chairperson and the Vice-Chairperson do not attend the meeting, or are unable to perform the duties, the attending members shall elect one member among themselves to be the chairperson of the meeting.
A decision of the meeting shall be made by a majority of votes. Each member shall have one vote. In case of equal votes, the chairperson of the meeting shall have an additional vote as the decisive vote.
Any member who has a direct or indirect interest in the matter being considered in the meeting, shall inform the Committee of such interest prior to the meeting, and such member shall be prohibited from attending the meeting that is considering such matter.
The Committee shall have the following duties and power:
(6) to announce and establish guidance for the protection of Personal Data as guidelines with which the Data Controller and the Data Processor shall comply;
The Chairperson, the Vice-Chairperson, and Committee shall receive a meeting allowance and other benefits in accordance with the rules prescribed by the Cabinet.
The Chairperson of the sub-committees, the sub-committees, the Chairperson of the expert committee and expert committee appointed by the Committee shall receive a meeting allowance and other benefits in accordance with the rules prescribed by the Committee with approval of the Ministry of Finance.
The Committee shall have the power to appoint sub-committees for considering or performing any act as prescribed by the Committee.
In the meeting of the sub-committee, the substances of sections 14 and 15 shall apply mutatis mutandis.
The Data Controller shall not collect, use, or disclose Personal Data, unless the data subject has given consent prior to or at the time of such collection, use, or disclosure, except the case where it is permitted to do so by the provisions of this Act or any other laws.
A request for consent shall be explicitly made in a written statement, or via electronic means, unless it cannot be done by its nature.
In requesting consent from the data subject, the Personal Data Controller shall also inform the purpose of the collection, use, or disclosure of the Personal Data. Such request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an easily accessible and intelligible form and statements, using clear and plain language, and
In requesting consent from the data subject, the Data Controller shall utmost take into account that the data subject's consent is freely given. Also, the entering into the contract, including any provisions of the service shall not be a condition to obtaining consent for the collection, use, or disclosure of Personal Data that is not necessary or not related to such contract entering, including the provisions of the service.
The data subject may withdraw his or her consent at any time. The withdrawal of consent shall be as easy as giving consent, unless there is a restriction of the withdrawal of consent by law, or the contract which gives benefits to the data subject. However, the withdrawal of consent shall not affect the collection, use, or disclosure of personal data that the data subject has already given consent legally under this Chapter.
In the event that the withdrawal of consent will affect the data subject in any manner, the Data Controller shall inform the data subject of such consequences of consent's withdrawal.
The request for the data subject’s consent which is not in accordance with those prescribed in this Chapter shall have no binding effect on the data subject and shall no longer enable the Data Controller to collect, use, or disclose the Personal Data.
In the event that the data subject is a minor who is not sui juris by marriage or has no capacity as a sui juris person under section 27 of the Civil and Commercial Code, the request for the consent from such data subject shall be made as follows:
(2) Where the minor is below the age of ten years, the consent shall be obtained from the holder of parental responsibility over the child.
The provisions of paragraphs one, two, and three shall apply mutatis mutandis to the withdrawal of consent of the data subject, the notice given to the data subject, the exercise of rights of the data subject, the complaint of the data subject, and any other acts under this Act for the data subject who is a minor, an incompetent or quasi-incompetent person.
The Data Controller shall collect, use, or disclose Personal Data according to the purpose notified to the data subject prior to or at the time of such collection.
The collection, use, or disclosure of Personal Data shall not be conducted in a manner that is different from the purpose previously notified to the data subject in accordance with paragraph one, unless:
The collection of Personal Data shall be limited to the extent necessary in relation to the lawful purpose of the Data Controller.
In collecting the Personal Data, the Data Controller shall inform the data subject, prior to or at the time of such collection, of the following details, except the case where the data subject already knows of such details:
(3) the Personal Data to be collected and the period for which the Personal Data will be retained. If it is not possible to specify the retention period, the expected data retention period according to the data retention standard shall be specified;
The Data Controller shall not collect Personal Data without the consent of the data subject, unless:
The Data Controller shall not collect Personal Data from any other source, apart from the data subject directly, except where:
(1) the Data Controller has informed the data subject of the collection of Personal Data from other source without delay, but shall not exceed thirty days upon the date of such collection, and has obtained the consent from the data subject;
The provisions with respect to notice of the new purpose in section 21, and the notice of information details in section 23 shall apply mutatis mutandis to the collection of the Personal Data which requires consent in paragraph one, except for the following circumstances:
(2) the Data Controller can prove that the notice of such new purposes or information details is impossible or will obstruct the use or disclosure of the Personal Data, in particular for achieving the purposes in relation to scientific, historical, or statistical research purposes. In such cases, the Data Controller shall take suitable measures to protect the data subject's rights, freedoms and interests;
(3) the use or disclosure of the Personal Data shall be carried out on an urgent basis as required by law, and suitable measures have been implemented to protect the data subject's interest;
(4) the Data Controller is aware of or acquires such Personal Data from his or her duty or occupation or profession, and shall maintain new purposes or certain information details as prescribed in section 23 with confidentiality as required by law.
To notify the information detailed in paragraph two, the Data Controller shall provide such information to the data subject within thirty days after the date of collection of such Personal Data, unless the Personal Data are to be used for communication with the data subject, the notice of information details shall be provided at the time of the first communication to that data subject. If a disclosure to another Person is envisaged, the notice of information details shall be provided prior to the time of the first disclosure.
The biometric data in paragraph one shall mean the Personal Data arising from the use of techniques or technology related to the physical or behavioral dominance of Person, which can be used to identify such Person apart from other Persons, such as the facial recognition data, iris recognition data or fingerprint recognition data.
In the case of the collection of the Personal Data relating to criminal record, such collection shall be carried out under the control of authorized official authority under the law, or the data protection measure has been implemented according to rules prescribed by the Committee.
The Data Controller shall not use or disclose Personal Data without the consent of the data subject, unless it is the Personal Data which is collected without requirement of consent under section 24 or section 26.
The Person or juristic person who obtains Personal Data as a result of the disclosure under paragraph one shall not use or disclose such Personal Data for any purpose other than the purpose previously notified to the Data Controller in the request to obtain such Personal Data.
In the event that the Data Controller uses or discloses the Personal Data which is exempted from consent requirement in paragraph one, the Data Controller shall maintain a record of such use or disclosure in the record under section 39.
In the event that the Data Controller sends or transfers the Personal Data to a foreign country, the destination country or international organization that receives such Personal Data shall have adequate data protection standard, and shall be carried out in accordance with the rules for the protection of Personal Data as prescribed by the Committee in section 16(5), except in the following circumstances:
protection standards of the destination country or international organization, such problem shall be submitted to the Committee to decide. The decision made by the Committee may be reviewed when there is a new evidence convincing that the destination country or international organization that receives such Personal Data has developed adequate Personal Data protection standards.
In the event that the Data Controller or the Data Processor who is in the Kingdom of Thailand has put in place a Personal Data protection policy regarding the sending or transferring of Personal Data to another Data Controller or Data Processor who is in a foreign country, and is in the same affiliated business, or is in the same group of undertakings, in order to jointly operate the business or group of undertakings. If such Personal Data protection policy has been reviewed and certified by the Office, the sending or transferring of Personal Data to a foreign country, which is in accordance with such reviewed and certified Personal Data protection policy, can be carried out and shall be exempt from compliance with section 28.
The Personal Data protection policy, the nature of the same affiliated undertaking or affiliated business in order to jointly operate the undertaking or business, and the rules and methods for the review and certification in paragraph one shall be as prescribed and announced by the Committee.
The Data Controller shall perform as requested in paragraph one. The request can be rejected only where it is permitted by law or pursuant to a court order, and such access and obtaining a copy of the Personal Data would adversely affect the rights and freedoms of others.
In the case that the Data Controller rejects the requests in paragraph one, the Data Controller shall record its rejection together with supporting reasons in the record as prescribed in section 39.
When the data subject makes a request as in paragraph one, and such request cannot be rejected based on the reasons in paragraph two, the Data Controller shall fulfill the request without delay, but shall not exceed thirty days from the date of receiving such request.
The data subject shall have the right to receive the Personal Data concerning him or her from the Data Controller. The Data Controller shall arrange such Personal Data to be in the format which is readable or commonly used by ways of automatic tools or equipment, and can be used or disclosed by automated means. The data subject is also entitled to:
The exercise of rights of the data subject in paragraph one shall not apply to the sending or transferring of Personal Data by the Data Controller which is the performance of a task carried out in the public interest, or for compliance with law, or such exercise of rights shall not violate the rights and freedoms of others. In the event that the Data Controller rejects the request by such reasons, the Data Controller shall make a record of such rejection of the request together with reasons in the record as prescribed in section 39.
In the event that the data subject exercises his or her right to object in paragraph one, the Data Controller shall no longer be able to collect, use, or disclose such Personal Data, and the Data Controller shall immediately distinguish such personal data clearly from the other matters at the time when the data subject gives the notice of objection to the Data Controller.
(b) or (3), the Data Controller shall record such rejection of objection request together with reasons in the record as prescribed in section 39.
The data subject shall have the right to request the Data Controller to erase or destroy the Personal Data, or anonymize the Personal Data to become the anonymous data which cannot identify the data subject, where the following ground applies:
Paragraph one shall not apply to the extent that such Personal Data retention is necessary for the purpose of freedom of expression, the purpose under section 24 (1) or (4) or section 26(5) (a) or (b), the purpose of establishment, compliance or exercise of legal claims, or defense of legal claims, or the purpose for compliance with the law.
Where the Data Controller has made the Personal Data disclosed to the public and is requested to erase or destroy the Personal Data, or make the Personal Data become the anonymous data which cannot identify the data subject pursuant to paragraph one, the Data Controller shall be responsible for the course of action, both the implementation of technology and the expenses to fulfil the request, and inform other Data Controllers in order to obtain their responses regarding the action to be taken to fulfil such request.
In the event that the Data Controller does not take action in accordance with paragraph one or three, the data subject shall have the right to complain to expert committee to order the Data Controller to take such action.
The data subject shall have the right to request the Data Controller to restrict the use of the Personal Data, where the following applies:
(2) when it is the Personal Data which shall be erased or destroyed pursuant to section 33 (4), but the data subject requests the restriction of the use of such Personal Data instead;
In the event that the Data Controller does not take action in accordance with paragraph one, the data subject shall have the right to complain to expert committee to order the Data Controller to take such action.
The Data Controller shall ensure that the Personal Data remains accurate, up-to-date, complete, and not misleading.
In the case where the data subject requests the Data Controller to act in compliance with section 35, if the Data Controller does not take action regarding the request of the data subject, the Data Controller shall record such request of the data subject together with reasons, in the record as prescribed in section 39.
The provisions of section 34 paragraph two shall apply mutatis mutandis.
The Data Controller shall have the following duties:
(1) provide appropriate security measures for preventing the unauthorized or unlawful loss, access to, use, alteration, correction or disclosure of Personal Data, and such measures must be reviewed when it is necessary, or when the technology has changed in order to efficiently maintain the appropriate security and safety. It shall also be in accordance with the minimum standard specified and announced by the Committee;
(2) in the circumstance where the Personal Data is to be provided to other Persons or legal persons, apart from the Data Controller, the Data Controller shall take action to prevent such person from using or disclosing such Personal Data unlawfully or without authorization;
(3) put in place the examination system for erasure or destruction of the Personal Data when the retention period ends, or when the Personal Data is irrelevant or beyond the purpose necessary for which it has been collected, or when the data subject has requested to do so, or when the data subject withdraws consent, except where the retention of such Personal Data is for the purpose of freedom of expression, the purpose under section 24 (1) or (4) or section 26 (5) (a) or (b), the purpose of the establishment, compliance or exercise of legal claims, or defense of legal claims, or the purpose of compliance with the law. The provision in section 33 paragraph five shall be used to govern the erasure or destruction of Personal Data mutatis mutandis;
(4) notify the Office of any Personal Data breach without delay and, where feasible, within 72 hours after having become aware of it, unless such Personal Data breach is unlikely to result in a risk to the rights and freedoms of the Persons. If the Personal Data breach is likely to result in a high risk to the rights and freedoms of the Persons, the Data Controller shall also notify the Personal Data breach and the remedial measures to the data subject without delay. The notification and the exemption to the notification shall be made in accordance with the rules and procedures set forth by the Committee;
(5) in the event of being the Data Controller pursuant to section 5 paragraph two, the Data Controller shall designate in writing a representative of the Data Controller who must be in the Kingdom of Thailand and be authorized to act on behalf of the Data Controller without any limitation of liability with respect to the collection, use or disclosure of the Personal Data according to the purposes of the Data Controller.
The provisions of the representative designation in section 37 (5) shall not apply to the following Data Controller:
In the event that the Data Controller in section 5 paragraph two has a Data Processor, the provisions of section 37 (5) and the provisions in paragraph one shall apply to such Data Processor mutatis mutandis.
The Data Controller shall maintain, at least, the following records in order to enable the data subject and the Office to check upon, which can be either in a written or electronic form:
The provisions in paragraph one shall apply to the representative of the Data
The Personal Data Processor shall have the following duties:
The Data Processor, who fails to comply with (1) for the collection, use, or disclosure of the Personal Data, shall be regarded as the Data Controller for the collection, use, or disclosure of such Personal Data.
In carrying out the activities in accordance with the Data Processor's obligations as assigned by the Data Controller under paragraph one, the Data Controller shall prepare an agreement between the parties to control the activities carried out by the Data Processor to be in accordance with the Data Processor's obligations for compliance with this Act.
The Data Controller and the Data Processor shall designate a data protection officer in the following circumstances:
The provisions in paragraph two shall apply to the Data Controller or the Data Processor who is a public authority in (1) that is large in size or has several establishments mutatis mutandis.
In the event that the Data Controller or the Data Processor in paragraph one has to designate the representative according to section 37 (5), the provisions in paragraph one shall apply to the representative mutatis mutandis.
The Data Controller and the Data Processor shall have an obligation to provide the information of the data protection officer, contact address, and contact channels to the data subject and the Office. The data subject shall be able to contact the data protection officer with respect to the collection, use, or disclosure of the Personal Data and the exercise of rights of the data subject under this Act.
The data protection officer shall have the following duties:
The Data Controller or the Data Processor shall support the data protection officer in performing the tasks by providing adequate tools or equipment as well as facilitate the access to the Personal Data in order to perform the duties.
The Data Controller or the Data Processor shall not dismiss or terminate the data protection officer’s employment by the reason that the data protection officer performs his or her duties under this Act. In the event that there is any problem when performing the duties, the data protection officer must be able to directly report to the chief executive of the Data Controller or the Data Processor.
There shall be an Office of the Personal Data Protection Committee, whose objectives are to protect Personal Data, encourage and support the country’s development regarding Personal Data protection.
The Office shall act as a government agency, with the status of a juristic person. The Office shall not be deemed a public sector under the law on administrative organization of the state, or a state enterprise under the law on budget procedures or other laws.
The Office’s operation shall not be governed by the laws on labor protection, labor relations, state enterprise labor relations, social security, and workmen’s compensation. However, the staff and employees of the Office shall be entitled to compensation at the rate not less than the rate stipulated by the laws on labor protection, social security, and workmen’s compensation.
The Office shall be deemed a government agency under the law on tort liability of government official.
In addition to the Office’s duty to carry out its operations to achieve the objectives as set out in section 43 paragraph one, the Office shall have the duty to perform academic and administrative tasks for the Committee, the commission supervising the Office of Personal Data Protection Committee, the expert committee, and the sub-committee. The Office shall also have the following duties and power:
In carrying out the Office’s operation, apart from those stipulated under section 44, the Office shall also have the power and duties to carry out the following:
The fund and properties used in the Office’s business operations shall consist of the following:
The immovable properties that the Office acquires by the purchase or exchange using the Office’s revenue in section 46 (4) or (5) shall be under the Office’s ownership.
There shall be a commission supervising the Office of Personal Data Protection Committee consisting of a Chairperson, who is selected and appointed from a person having distinguished knowledge, skills and experience in Personal Data protection, the Permanent Secretary of the Ministry of Digital Economy and Society, and the Secretary-General of Office of the National Digital Economy and Society Commission as directors, and six honorary directors which, at least three persons, are selected and appointed from persons having distinguished knowledge, skills and experience in Personal Data protection, and other related areas which will be useful for the operation of the Office.
The Secretary-General shall be a director and secretary, and shall appoint assistant secretaries from the officials of the Office not exceeding two persons.
The substances of section 11 and section 13 shall apply to the Chairperson and the honorary director of the Commission mutatis mutandis.
There shall be a selection committee of eight members, consisting of the persons appointed by the Committee, having the duty to select the appropriate persons who should be appointed as the Chairperson and the honorary director in section 48.
The selection committee shall select one member to act as the Chairperson of the selection committee and another one member to act as the Secretary of the selection committee and the Office shall perform the duty as the administrative unit of the selection committee.
In the event that any member of the selection committee is vacant, a new member must be selected to replace such vacancy without delay. During the time that no new member has been selected, the selection committee shall consist of the existing members.
No member of the selection committee shall be entitled to be nominated as the Chairperson and the honorary director in section 48.
The rules and procedures of selection shall be as prescribed by the Committee by taking into account the transparency and fairness in the selection.
In selecting the Chairperson and the honorary director in section 48, the selection committee shall select the persons who have qualifications in section 48 paragraph one, including having the qualifications and no prohibited characteristics under section 48 paragraph three and agree to be nominated for the selection in the same number as the number of Chairperson and the honorary director to be appointed in section 48.
After the total number of Chairperson and the honorary director in section 48 have been selected, the selection committee shall submit the name of Chairperson and the honorary director in section 48 together with the evidence of qualifications and no prohibited characteristics as well as the consent of such persons to the Committee for the appointment as the Chairperson and the honorary director according to section 48.
The Committee shall publish names of the appointed Chairperson and the honorary directors in section 48 in the Government Gazette.
The Chairperson and the honorary director in section 48 shall hold office for a term of four years.
Upon the expiration of the term of office in paragraph one, the appointment of the new Chairperson and the new honorary director must be done within sixty days. If the new Chairperson or the new honorary director has not yet been appointed, the Chairperson or the honorary director whose term of office has expired, shall be in office to continue to perform his or her duties until the new appointed Chairperson or the honorary director assumes his or her duties.
The Chairperson, or the honorary director, who vacates office upon the expiration of the term, may be reappointed, but shall not seat in his or her office for more than two terms.
In the case where the Chairperson or the honorary director in section 48 vacates office before the expiration of the term, the commission supervising the Office of Personal Data Protection Committee shall consist of all the existing members until the new Chairperson or the new honorary director is appointed. In the case where the Chairperson vacates office before the expiration of the term, the Permanent Secretary of the Ministry of Digital Economy and Society shall temporarily perform the duties of the Chairperson.
The new Chairperson and honorary director shall be appointed to replace the vacant office within sixty days from the date of the vacant office and shall be in office for the remaining office term of the replaced person. If the remaining office term of the Chairperson and the honorary director is less than ninety days, the appointment of the new Chairperson or the new honorary director may not have to be made.
The Chairperson shall preside over the meeting. If the Chairperson does not attend the meeting, or is unable to perform the duties, the attending members shall elect one member among themselves to be the chairperson of the meeting.
A decision of the meeting shall be made by a majority of votes. Each member shall have one vote. In case of equal votes, the chairperson of the meeting shall have an additional vote as the decisive vote.
Any member having an interest in the matter to be considered in the meeting shall be prohibited from attending such meeting.
The Commission Supervising the Office of Personal Data Protection Committee shall have the following powers and duties:
The commission supervising the Office of Personal Data Protection Committee shall have the power to appoint a sub-committee to perform any duties or act as assigned by the commission supervising the Office of Personal Data Protection Committee.
The performance of duties and numbers of the sub-committee in paragraph one or persons in paragraph two shall be in accordance with those prescribed by the commission supervising the Office of Personal Data Protection Committee.
For a meeting of the sub-committee, the substances of section 53 shall apply mutatis mutandis.
The Chairperson and members of the commission supervising the Office of Personal Data Protection Committee, advisers of the commission supervising the Office of Personal Data Protection Committee, Chairperson and members of the sub-committee appointed by the commission supervising the Office of Personal Data Protection Committee shall receive a meeting allowance or other benefits according to the rules prescribed by the Committee with the approval of the Ministry of Finance.
There shall be a Secretary-General who is appointed by the commission supervising the Office of Personal Data Protection Committee and the Secretary-General has the duty to administer the affairs of the Office.
The appointment of the Secretary-General in paragraph one shall be made in accordance with the rules and methods of recruitment, as prescribed by the commission supervising the Office of Personal Data Protection Committee.
Any person holding any of the following prohibiting characteristics shall not be Secretary-General:
The Secretary-General shall hold office for each term of four years and may be reappointed. However, the Secretary-General shall not hold office more than two terms.
Not less than thirty days but not over sixty days before the end of the office term of the Secretary-General or within sixty days from the date that the Secretary-General vacates office before the end of the office term, the commission supervising the Office of Personal Data Protection Committee shall appoint a selection committee to select a new Secretary-General. The selection committee shall nominate not more than three appropriate persons to the commission supervising the Office of Personal Data Protection Committee.
In each year, the performance of the Secretary-General shall be evaluated in accordance with the period and method prescribed by the commission supervising the Office of Personal Data Protection Committee.
In addition to vacating office upon the expiration of the term in section 60, the Secretary-General shall vacate office upon:
The Secretary-General shall have the following duties and
The Secretary-General shall be responsible for the administration of the Office and shall directly report to the commission supervising the Office of Personal Data Protection Committee.
General shall act as the Office’s representative. In this connection, the Secretary-General may grant the power to any person to perform any specific work on his or her behalf according to the rules prescribed by the commission supervising the Office of Personal Data Protection Committee.
The commission supervising the Office of Personal Data Protection Committee shall be responsible for determining salary rate and other benefits of the Secretary-General according to the rules prescribed by the Cabinet.
In the interests of administration of the Office, the Secretary-General may request a civil official, staff, officer, or employee of a public sector, government agency, state enterprise, civil local administration, public organization or other government agencies to work as its temporary staff or employee, provided that the approval is obtained from his or her supervisor or employer with an agreement made at the time of such approval. In the event that a government official is approved to work as a temporary staff or employee, it shall be deemed that such person is permitted to leave the original official service or employment to perform any work.
Upon the end of the term approved to work for the Office, the government official in paragraph one shall be entitled to return and be appointed to be in office and to receive the salary in the original official service or work unit not lower than the original level of position and salary according to the agreement made at the time of the approval.
In the event that such government official has returned and been appointed to work in the original official service or work unit in paragraph two, the period that such government official worked for the Office shall be counted as full time working in such original official service or work unit, as the case may be, for the purpose of calculating pension or other benefits of the same nature.
For the civil official or government official who is working in compensation for the scholarship granted to him or her by a public sector, or government agency and is transferred to work at the Office by the approval of his or her supervisor of the original public sector or government agency, it shall be deemed that working in the Office has reimbursed the compensation under the scholarship contract and the work period with the Office shall be counted as a time period of compensation for the scholarship.
In the event that any government agency makes a request that the Office’s officer who is working in compensation for the scholarship granted to him or her by the Office to be a civil official or government official in such government agency, such request must be approved by the Secretary-General first and it shall be deemed that working in such government agency has reimbursed the compensation under the scholarship contract and the work period with such government agency shall be counted as the time period of compensation for the scholarship.
Accounting of the Office shall be made in accordance with international standards according to the forms and rules prescribed by the commission supervising the Office of Personal Data Protection Committee.
The Office shall prepare financial statements and accounting
The Government Audit Office or a certified public accountant approved by the Government Audit Office shall be the Office’s auditor and shall evaluate the Office’s expenditures and property on an annual basis and report the auditing results to the commission supervising the Office of Personal Data Protection Committee for certification.
The Office shall prepare an annual operation report and submit to the commission supervising the Office of Personal Data Protection Committee and the Minister within one hundred and eighty days from the date of the fiscal year-end and shall disseminate this report to the public.
The Committee shall appoint one or more expert committees based upon their field of expertise, or as the Committee deems fit.
The qualifications and prohibitions, term of office, vacation from office, and other operations of the expert committee shall be in accordance with the Committee’s notification.
The expert committee shall have the following duties and
The filing, refusal of acceptance, dismissal, consideration, and timeframe for the consideration of the complaints shall be in accordance with the Committee’s rule by taking into account the refusal of acceptance of the complaints or dismissal of the matter in the event that there has been the authority to consider such matter under other laws.
In the event that a complainant does not comply with the rules provided in section 73 paragraph two, or the complaint filed is prohibited from being accepted for consideration under such rules, the expert committee shall not accept such complaint for consideration.
If, after the expert committee’s consideration of the complaint pursuant to section 72 (1), or the investigation of any act pursuant to section 72 (2), it is found that such complaint or act has no ground, the expert committee shall issue an order to dismiss such complaint or investigation.
If, after the expert committee’s consideration or investigation under paragraph two, it is found that such complaint or act can be settled, and the concerned parties are willing to settle the dispute, the expert committee shall proceed with the dispute settlement. However, if such complaint or act cannot be settled, or the dispute settlement fails, the expert committee shall have the power to issue the following orders:
In the event that the Data Controller or the Data Processor does not comply with the orders provided under paragraph three (1) or (2), the provisions in connection with administrative enforcement under the law on administrative procedure shall be applied mutatis mutandis. In the event that the properties of the Data Controller or the Data Processor are to be seized, attached, or sold by auction, as required by the law on administrative procedure, the expert committee shall have the power to order such seizure, attachment, and sale by auction for such purpose.
The issuance of the order under paragraph one, two, or three (1) or (2) shall be in accordance with the criteria and methods under the Committee’s notification.
The orders of the expert committee shall be signed by the Chairperson of the expert committee.
The order of the expert committee in this Section shall be final.
In order to proceed in accordance with this section, when the consideration result is issued, the expert committee shall inform the complainant of such result together with the reasons. In case that the complaint is not accepted for consideration or dismissed as such complaint has already been under consideration of an official authority under other laws, the expert committee shall inform the complainant of the same. If the complainant wishes to propose such matter to the official authority under other laws, the expert committee shall proceed to do so and shall be deemed that such official authority has received such complaint from the date when the expert committee has received such complaint.
The expert committee shall have the power to order any person to submit documents or information in connection with the subject matter of a complaint, or any other matter related to the protection of the Personal Data under this Act. The expert committee shall also have the power to request any person to make a statement of facts.
In order to act in accordance with this Act, the Competent Officer shall have the following duties and power:
In carrying out the duty in (2), if there is a necessity to protect the benefits of the data subject or for public's interest, the Competent Officer shall file a complaint to the competent court to issue an order granting permission to the Competent Officer to enter the premises of the Data Controller, or any person involved in the offense under this Act, during the interval between sunrise and sunset or during the business hours of such premises, to investigate and collect facts, seize, or attach documents, evidence, or any other items related to the offense, or which has a cause to believe that they are used to commit such offense.
In order to appoint the Competent Officer, the Minister shall consider appointing such person from the civil officials or other government officials whose position is not lower than a civil official at the operational level or equivalent, and having the qualifications in accordance with the notification issued by the Committee.
During the performance of his or her duties under this Section, the Competent Officer shall present his or her identification card to the relevant persons and be provided with reasonable facilitation by the relevant persons.
The identification card of the Competent Officer shall be in accordance with the form required by the notification of the Committee.
The Data Controller or the Data Processor, whose operation in relation to Personal Data violates or fails to comply with the provisions of this Act which causes damages to the data subject, shall compensate the data subject for such damages, regardless of whether such operation is performed intentionally or negligently, except where the Data Controller or the Data Processor can prove that such operation was a result of:
The court shall have the power to order the Data Controller or the Data Processor to pay punitive damages in addition to the actual compensation rendered by the court as deems fit, but not exceeding two times of such actual compensation amount, by taking into account the relating circumstances such as the severity of damages incurred by the data subject, the interest obtained by the Data Controller or the Data Processor, the financial status of the Data Controller or the Data Processor, remedy provided by the Data Controller or the Data Processor, or the data subject’s act in contributing to cause the damages.
The claim for compensation from the wrongful act against the Personal Data under this Act shall be barred by prescription after the lapse of three years from the date that the injured person knows of the damages and the identity of the Data Controller or the Data Processor who is to be liable, or after ten years from the date of which the wrongful act against the Personal Data took place.
Any Data Controller who violates the provisions under section 27 paragraph one or paragraph two, or fails to comply with section 28, which relates to the Personal Data under section 26 in a manner that is likely to cause other person to suffer any damage, impair his or her reputation, or expose such other person to be scorned, hated, or humiliated, shall be punished with imprisonment for a term not exceeding six months, a fine not exceeding Baht five hundred thousand, or both.
Any Data Controller who violates the provisions under section 27 paragraph one or paragraph two, or fails to comply with section 28, which relates to the Personal Data under section 26 in order to unlawfully benefit himself or herself, or another person, shall be punished with imprisonment for a term not exceeding one year, a fine not exceeding Baht one million, or both.
Any person who comes to know the Personal Data of another person as a result of performing duties under this Act and discloses it to any other person shall be punished with imprisonment for a term not exceeding six months, a fine not exceeding Baht five hundred thousand, or both.
The provisions of paragraph one shall not be enforced against disclosures in any of the following circumstances:
In the case where the offender who commits the offense under this Act is a juristic person and the offense is conducted as a result of the instructions given by or the act of any director, manager or person, who shall be responsible for such act of the juristic person, or in the case where such person has a duty to instruct or perform any act, but omits to instruct or perform such act until the juristic person commits such offense, such person shall also be punished with the punishment as prescribed for such offense.
Any Data Controller who fails to comply with section 23, section 30 paragraph four, section 39 paragraph one, section 41 paragraph one, or section 42 paragraph two or paragraph three, or fails to obtain consent using a form or statement set forth by the Committee under section 19 paragraph three, or fails to notify the impact of the withdrawal of consent under section 19 paragraph six, or fails to comply with section 23 which applies mutatis mutandis according to section 25 paragraph two, shall be punished with an administrative fine not exceeding Baht one million.
Any Data Controller who violates or fails to comply with section 21, section 22, section 24, section 25 paragraph one, section 27 paragraph one or two, section 28, section 32 paragraph two, or section 37, or who obtains consent by deceiving or misleading the data subject about the purposes, or fails to comply with section 21 which applies mutatis mutandis according to section 25 paragraph two, or fails to send or transfer the Personal Data in accordance with section 29 paragraph one or paragraph three, shall be punished with an administrative fine not exceeding Baht three million.
Any Data Controller who violates section 26 paragraph one or three, or section 27 paragraph one or paragraph two, or section 28 in relation to the Personal Data under section 26, or fails to send or transfer the Personal Data under section 26 to be in accordance with section 29 paragraph one or paragraph three, shall be punished with an administrative fine not exceeding Baht five million.
Any Data Processor who fails to comply with section 41 paragraph one, or section 42 paragraph two or three, shall be punished with an administrative fine not exceeding Baht one million.
Any Data Processor who fails to comply with section 40 without appropriate reasons, or fails to send or transfer the Personal Data in accordance with section 29 paragraph one or three, or fails to comply with section 37 (5) which applies mutatis mutandis according to section 38 paragraph two, shall be punished with an administrative fine not exceeding Baht three million.
Any Data Processor who sends or transfers the Personal Data under section 26 paragraph one or three, by not complying with section 29 paragraph one or three, shall be punished with an administrative fine not exceeding Baht five million.
Any representative of the Data Controller or of the Data Processor who fails to comply with section 39 paragraph one which applies mutatis mutandis according to section 39 paragraph two, and section 41 paragraph one which applies mutatis mutandis according to section 41 paragraph four, shall be punished with an administrative fine not exceeding Baht one million.
Any person who fails to act in compliance with the order given by the expert committee, or fails to provide statement of facts under section 75, or fails to comply with section 76(1), or fails to facilitate government officials under section 76 paragraph four, shall be punished with an administrative fine not exceeding Baht five hundred thousand.
The expert committee shall have the power to render the punishment as an administrative fine prescribed in this Part. In the event that it deems fit, the expert committee may issue an order for rectification or a warning first.
In determining whether to issue an order to impose an administrative fine, the expert committee shall take into consideration the severity of the circumstances of the act of offense, size of the business of the Data Controller or the Data Processor, or other circumstances according to the rules prescribed by the Committee.
In cases where a person imposed with an administrative fine refuses to pay such fine, the provisions concerning the execution of administrative orders under the administrative procedure law shall apply mutatis mutandis. In cases where there is no officer to execute an administrative order, or there is such officer but such order cannot be executed otherwise, the expert committee shall be entitled to file a lawsuit with the Administrative Court in order to demand payment of such fine. In such event, if the Administrative Court is of the opinion that the order that imposes an administrative fine is lawful, the Administrative Court may render judgment and order seizure or attachment of assets for sale by auctions, to pay such fine.
The order to impose the administrative fine and the administrative execution shall apply mutatis mutandis according to section 74 paragraph six, and the administrative execution per paragraph three shall apply mutatis mutandis according to section 74 paragraph four.
At the early stage, the Committee shall consist of committee members under section 8 (2) and (3), and the Secretary-General shall be the committee member and secretary, who shall perform duties as necessary for the time being, but for not more than ninety days from the effective date of this Act. A Vice-Chairperson shall temporarily act as a Chairperson.
The Office shall manage to appoint a Chairperson under section 8 (1), and the honorary director under section 8 (4), within ninety days from the effective date of this Act.
A commission supervising the Office of the Personal Data Protection Committee shall be set up within ninety days from the date when the Chairperson and the honorary director are appointed in accordance with section 91.
The Secretary-General shall be appointed within ninety days from the date when the Office has been set up in accordance with section 93.
The Office shall be set up in order to operate in accordance with this Act within one year from the effective date of this Act.
During the period when the Office has not yet been duly set up, the Office of the Permanent Secretary of the Ministry of Digital Economy and Society shall perform the duties in accordance with this Act, and the Minister shall appoint a Deputy Permanent Secretary of the Ministry of Digital Economy and Society to perform the Secretary-General's duties until there is an appointment of the Secretary-General in accordance with section 92 paragraph two.
At the early stages, the Cabinet shall allocate the initial budget for the Office as necessary.
The Ministry shall propose to the Cabinet to consider procuring a civil official, official, staff, or any other operating officer in other government organizations to temporarily act as an official of the Office within the period specified by the Cabinet.
It shall be deemed that the civil official, official, staff, or any other operating officer in other government organizations who temporarily acts as an official of the Office in accordance with paragraph two remains in his or her own position, and still receives salary or wages, as the case may be, from his or her original department. The Committee may also determine a special remuneration for the civil official, staff, official, or any other operating officer in other government organizations in accordance with paragraph two during his or her operation in the Office.
Within one hundred and eighty days from the date on which the Office has been set up, the Office shall proceed to recruit the civil official, official, staff, or any other operating officer in other government organizations in accordance with paragraph two to be a permanent official of the Office afterwards.
Any civil official, official, staff, or any other operating officer in other government organizations who has been recruited and seated in accordance with paragraph four shall have his or her working period for his or her previous department continued and counted together with his or her working period for the operation in the Office under this Act.
For Personal Data that has previously been collected by a Data Controller before the effective date of this Act, the Data Controller shall be entitled to continue to collect and use such Personal Data for the original purposes. However, the Data Controller shall prepare and publicize a consent withdrawal method to facilitate the data subject, who does not wish the Data Controller to continue collecting and using his or her Personal Data, to notify his or her withdrawal of consent easily.
The disclosure and other acts other than the collection and use of Personal Data under paragraph one, shall be in accordance with the provisions hereunder.
The issuance of the regulations and notifications in accordance with this Act shall be completed within one year from the date this Act enters into force. If such cannot be carried out, the Minister shall report to the Cabinet the reasons thereof.