Advance Blog

August 28, 2020


On 21 May 2020, the Thai government issued a Royal Decree exempting 22 business categories from the operation of the Personal Data Protection Act B.E. 2562 (“PDPA”) until 31 May 2021 (“Exempt Businesses”). The Personal Data Protection Commission is empowered under the Royal Decree to make a determination if there is any uncertainty as to whether a business is exempt, and business operators in Thailand should already have obtained legal advice on whether they are an Exempt Business.

Prior to the issuance of the Royal Decree, news reports suggested that there were concerns among businesses that they were not ready to implement the measures required to comply with the PDPA. The Royal Decree was the Thai government’s response to these concerns.

The Royal Decree required Exempt Businesses to implement personal data security measures in line with the standard specified by the Ministry of Digital Economy and Society (“Interim Standards”). The Interim Standards were published on 17 July 2020, and Exempt Businesses are now required to implement personal data security measures that comply with those standards.

The Interim Standards set out the following minimum level of action to be taken by data controllers (“Required Measures”):

  1. restricting access to personal data, data storage and processing devices;
  2. determining the persons and the conditions for the authorisation of access to personal data;
  3. restricting access to personal data to authorised persons only;
  4. establishing procedures to prevent unauthorised access, removal of personal data, data storage or processing devices; and
  5. establishing procedures to retroactively verify access to personal data.

Data controllers must implement administrative, technical and physical safeguards for the Required Measures. Data controllers may opt to use personal data security standards which differ from the Required Measures, provided those standards are not lower than the Required Measures.

In addition to implementing the Required Measures, data controllers must also:

  • notify their employees, staff and related persons of the personal data security measures they have introduced; and
  • build awareness on the importance of personal data protection among their employees, staff and related persons to ensure strict compliance with the Required Measures.

As a result, merely introducing personal data protection arrangements that satisfy the Required Measures is not enough to satisfy the Interim Standards: Exempt Businesses also need to ensure that their employees are aware of those arrangements.

Exempt Businesses therefore need to include their personal data protection arrangements in their employee compliance training programs, and those that are unable to demonstrate employee awareness of their personal data protection arrangements face potentially open-ended liability for negligence claims for data breaches that occur before 1 June 2021.

Exempt Businesses that properly implement the Interim Standards will reduce their liability for data breaches but should not lose sight of the fact that their personal data security measures will need to be completely compliant with the PDPA from 1 June 2021 onwards.

Rather than leaving full PDPA compliance until 2021, Exempt Businesses should use the remainder of the interim exemption period to expand their interim personal data security measures into fully compliant data privacy measures that satisfy the PDPA.

For further information on the PDPA in general, see our previous article.

Christopher Osborne, Partner, Watson Farley & Williams (Thailand) Limited
Christopher is a partner in the firm’s corporate and M&A group. Based in Thailand since 2001, Chris specialises in cross-border M&A and joint ventures as well as advising on regulatory compliance issues in Thailand. His clients range from household name industry leaders to emerging companies in the FMCG and artisanal food, property, energy, construction and services sectors based across Europe and Asia.
Kulkanya Vorawanichar, Senior Associate, Watson Farley & Williams (Thailand) Limited
Kulkanya is a senior associate in the firm’s corporate and M&A group. She focuses on corporate and investment matters. She has extensive experience providing advice on business rehabilitation, corporate governance, mergers & acquisitions, compliance with listing rules, securities lending, joint ventures, property funds, shareholder arrangements, loan restructurings, contract management and tax planning.
Kanyapat Ratanawilas, Associate, Watson Farley & Williams (Thailand) Limited
Kanyapat is an associate in the firm’s corporate and M&A group. She focuses on finance, investment and corporate matters. Her experience includes advising on regulatory compliance in relation to financial services, securities law, data privacy and competition law, as well as asset financing and other corporate and commercial matters.
