Image for article type insight
Insight

Thailand: Operationalising PDPA - Lawful basis, sensitive personal data, and data processing safeguards - Part four

September 28, 2022
Summary

Thailand's Personal Data Protection Act 2019 (PDPA), effective from 1 June 2022, regulates the processing of personal data and introduces the roles of data controllers and processors, with the former bearing significant obligations. The PDPA aligns with international standards like the GDPR and requires a lawful basis for data processing, such as consent, which must be clear and unambiguous. Sensitive personal data is subject to stricter processing conditions, and data controllers must ensure data accuracy and security, including when transferring data overseas. The PDPA's operational details will be further clarified by the Personal Data Protection Committee, impacting both local and foreign businesses.

Background Thailand's PDPA is the country's first unified data privacy legislation for personal data protection. Coming at a time when people around the world are increasingly aware of the risks and negative consequences of their personal data being compromised, the PDPA seeks to align with international standards, such as the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Prior to the enactment of the PDPA, privacy rights were recognised in the Constitution of the Kingdom of Thailand. Beyond this, the handling of personal data was governed by specific regulations for a handful of sectors, such as telecommunications, financial institutions, securities, and life scien

Insight

Gain access to unlimited articles with 7 day access to all features, no credit card required.

or

Other options: