Advance Blog

June 12, 2020
Tilleke Gibbins

Personal Data Protection Act: Thai Cabinet Provides Partial Compliance Extension to May 2021

On May 19, 2020, the Thai Cabinet approved the implementation of a royal decree providing a one-year
exemption from certain provisions under the Personal Data Protection Act 2019 (PDPA).

The royal decree, once published in the Royal Gazette, will be effective from May 27, 2020, until May 31, 2021.

Based on the Cabinet’s announcement, the decree is expected to provide exemption from the following

chapters and provisions of the PDPA:
• Chapter II: Personal Data Protection;
• Chapter III: Rights of the Data Subject;
• Chapter V: Complaints;
• Chapter VI: Civil Liability;
• Chapter VII: Penalties; and
• Section 95: Grandfather provision.

A wide-ranging list of categories should be provided in the decree, identifying operations in the private, public,and social enterprise sectors that qualify for the exemption. In the current draft, these businesses include, for example, banking, commercial, communications and telecommunications, construction, digital, education, energy, finance, insurance, medical and public health, professional practices, real estate, tourism, and transportation.

The government anticipates that the extension will give applicable business operators and organizations more flexibility in preparing themselves for compliance with the PDPA. However, it should be emphasized that, during
the one-year extension period, businesses should continue to internally roll-out their assessment programs and make use of the time to understand their current practices for handling and processing personal data are,
as well as to identify and resolve any compliance gaps. Building awareness of the PDPA within the organization before May 31, 2021, will continue to be essential for PDPA compliance.

It is important to highlight that the data controllers must still implement security protection measures for personal data, in accordance with the standards prescribed by the Ministry of Digital Economy and Society.
If you have any questions about the PDPA, the royal decree, and their implementation, please do not hesitate to contact any member of the Tilleke & Gibbins PDPA team, including Athistha (Nop) Chitranukroh at
[email protected], Nopparat Lalitkomon at [email protected], or Gvavalin Mahakunkitchareon at
[email protected].

Nopparat Lalitkomon, Attorney-at-Law, Tilleke & Gibbins
Nopparat Lalitkomon is an attorney-at-law in Tilleke & Gibbins’ corporate and commercial group in Bangkok, specializing in technology and digital matters for clients in high-tech industries. He is regularly called upon to advise domestic and multinational companies on a wide range technology matters, such as e-commerce, e-transaction, and e-payment matters, as well as data privacy and protection. In addition, he is a trusted advisor for general corporate and commercial matters in Thailand including foreign investment, investment promotion, labor and employment, tax, banking regulations, direct marketing, mergers, acquisitions, and joint ventures. Nopparat graduated with an LLB from Thammasat University and an LLM in International Competition Law and Policy from the University of Glasgow. He is a member of the Thai Bar Association, holds a notarial services certificate, and is fluent in Thai and English.
Gvavalin Mahakunkitchareon, Attorney-at-Law, Tilleke & Gibbins
Gvavalin Mahakunkitchareon is an attorney-at-law in Tilleke & Gibbins’ corporate and commercial group in Bangkok. She provides assistance and advice to both international and local clients on a wide range of corporate and commercial matters, including corporate services, company formation, employment, foreign investment (particularly in obtaining foreign business licenses), immigration, and e-commerce transactions. The depth of her business and legal knowledge and the international scope of her experience make her a much sought-after advisor for clients in a wide range of industries. Gvavalin graduated from the University of Tasmania, Australia, with a Bachelor of Laws and Graduate Diploma in Legal Practice. She also holds an MBA from Assumption University in Bangkok. She is admitted to the Supreme Court of Tasmania as a legal practitioner.
Athistha (Nop) Chitranukroh, Partner and Director, Corporate and Commercial, Tilleke & Gibbins
Athistha (Nop) Chitranukroh is a partner and director of Tilleke & Gibbins’ corporate and commercial group, head of the firm’s insurance practice, and joint head of the firm’s technology industry group. She represents multinational and local insurers and reinsurers on a range of key matters, including market entry, M&As, insurtech, and regulatory compliance across Southeast Asia. She also regularly advises technology clients on privacy and data protection, fintech, regtech, digital currencies, and more. Prior to joining Tilleke & Gibbins, Nop served as General Counsel of an American multinational corporation, listed on the New York Stock Exchange, where she oversaw all operations within the legal department in Thailand. She was responsible for a wide range of legal and regulatory issues in Thailand and other Southeast Asian countries, and led significant restructuring, business expansion, and regional shared service projects. Nop was previously an Asia-Pacific Regional Legal Counsel for the same multinational corporation in Singapore. She also worked in private practice for almost a decade at the Bangkok office of a leading international law firm. She serves as an advisor to the Thai General Insurance Association, an advisory board member of Insurtech Asia, the firm’s representative to the Thai Fintech Association, and a Certified Information Privacy Professional/Asia (CIPP/A) with the International Association of Privacy Professionals. Nop is ranked as a Band 2 practitioner in Chambers Asia-Pacific 2018, and recognized as an “authority on non-contentious insurance” by Asialaw Profiles. In 2018 she was named one of Asia’s top 40 lawyers under 40 by Thomson Reuters’ Asian Legal Business.

Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”)

As the Personal Data Protection Act (PDPA) also applies to personal data collected prior to the PDPA’s entry into force, please be informed that AustCham Thailand will automatically keep your contact details including email address, name and last name, and company details, on our mailing list.

Your data was received by AustCham Thailand as a result from you either registering or attending an event, contacting our office or subscribing to regular updates via the website. However, if you would like to stop receiving emails AustCham Thailand and revoke your consent for AustCham to keep and use your data to contact you for chamber events and updates, please scroll down to the end of this email and click “Unsubscribe from this list”. Your personal data will be shortly deleted once the opt-out notice request is received.

Please note that your data is kept in AustCham’s CRM system, please see here for AustCham’s Terms of Use and Privacy Policy. AustCham uses a management software system from Wild Apricot, and emails are distributed through MailChimp.