Thailand: Privacy and Data Protection-related Laws

Personal Data Protection Bill

Thailand does not have a comprehensive data protection law, but a draft Personal Data Protection Bill in compliance with the EU’s GDPR will possibly be approved by the end of 2018.

The Bill's main provisions prohibit the collection, use or disclosure of personal data without the consent of the data subject, and require a data controller to inform the data subject of the purpose for which the personal data is collected and to obtain the data subject's consent. Collected personal data can be used or disclosed for the approved purposes only. Except where the data subject has expressly consented otherwise, any processing of personal data for marketing purposes is not permitted. The Bill also imposes both criminal penalties and civil liability for any violation of its provisions.

The Bill will also establish a Personal Data Protection Commission to regulate compliance with the Bill. (From LawPlusLTD here.)


“Personal Data” means any data pertaining to a person, which enables the identification of that person, whether directly or indirectly, but not including data which specifies only the name, title, workplace, or business address and data of the deceased specifically.

“Personal Data Controller” means a person or juristic person with the power and duty to make decisions regarding the collection, use, or disclosure of personal data.

“Personal Data Processor” means a person or a juristic person that collects, uses, or discloses Personal Data on behalf of, or in accordance with, the instructions of a Personal Data Controller.

Consent from a Data Subject is still required for the collection of Personal Data. Under the 2015 draft, consent is exempted if data is collected: for conducting research, statistical analysis, or for the public interest, and the data is kept confidential; for preventing emergencies or protecting others from danger; from publicly available information; in compliance with the law; or, for other reasons as further prescribed by the Commission. The new 2018 draft includes two additional provisions: for the public interest or in the exercise of a government authority, which is the Data Controller, provided that it does not violate the fundamental rights and freedom of the Data Subject; and for the legitimate interests of the Data Controller or a third party, provided that it does not violate the fundamental rights and freedom of the Data Subject.

Cross-border Transfer of Personal Data

Overseas transfers of Personal Data must be made in accordance with a specific regulation, which is to be prescribed by the Commission, except in the following cases: where the law so prescribes; where the consent of the Data Subject has been obtained; where it is in compliance with a contract entered into by the Data Subject and the Data Controller; where it is for the interests of the Data Subject, who is unable to give consent at such time; where it is a transmission to a person who has been granted a mark certifying the standards in relation to personal data protection; or other cases as prescribed by the Commission.

Data Controller’s Duties

Under the 2015 draft, the Data Controller is required to meet the following requirements:

  • Security Measures. Arrange for appropriate security measures to prevent unauthorized access.
  • Prevention Measures. If the personal data must be disclosed to another person (non-Data Controller), the Data Controller must prevent that person from using or disclosing the Personal Data unlawfully, or without authorization.
  • Deletion Requirement. Destroy Personal Data when the permitted period expires, or the Data Subject revokes their consent.
  • Notification of Breach. Inform the Data Subject of any breach incident without delay. The number of cases in which the Data Subjects have been affected must also be reported to the Commission, as required by the Commission.
  • New Internal Assessment Requirement. Frequently assess possible impacts to Personal Data from a privacy aspect.

Data Processor’s Duties

The Data Processor is required to: arrange for collection, use, or disclosure of Personal Data, specifically in accordance with the instructions of the Data Controller, except for those instructions which are unlawful or which fall outside the personal data protection requirements under this act; arrange for appropriate security measures to prevent unauthorized access to Personal Data; and prepare and maintain records for processing transactions, as further required by the Commission. (From Tilleke here.) (See news from NationMultimedia here.) (See GDPR influence at PressReader here.) (See an overview of the privacy landscape from PrivacyInternational here.)

Existing Right to Privacy

According to SEC securities law: In undertaking digital asset businesses, the approved operators shall comply with the rules, conditions and procedures as specified in the notification of the SEC; for instance, having adequate sources of capital covering business operation and several other risks, having reliable operating systems and data security systems, maintaining records of assets belonging to individual clients, segregating client assets from their own assets, and conducting Know Your Customer (KYC) and Customer Due Diligence (CDD).

The right to privacy generally provided by the Constitution of the Kingdom of Thailand B.E. 2550 (A.D. 2017):

Section 35 A person’s family rights, dignity, reputation and the right of privacy shall be protected. The assertion or circulation of a statement or picture in any manner whatsoever to the public, which violates or affects a person’s family rights, dignity, reputation or the right of privacy, shall not be made except for the case which is beneficial to the public. Personal data of a person shall be protected from the seeking of unlawful benefit as provided by the law.

The Thai Civil and Commercial Code (“CCC”) is another area in which a person's personal data is protected from wrongful acts. The CCC makes clear that a person commits a wrongful act if they wilfully, negligently or unlawfully injure the life, body, health, liberty, property or any right of another person. In this context, “disclosure” or “transfer” of data may be considered a wrongful act if it causes damage to the data owner.

On a different level, the Computer Crime Act (2007) plays an extremely important role in protecting the public against internet spam, hackers and identity theft by imposing heavy fines and imprisonment on perpetrators if found guilty of such crimes. Although the amendments of said Act late last year sparked some concerns as to the vague definitions of certain terms in the Act, another act also came into force last year, the Cyber Security Act, which gives wider power to the authorities.

Furthermore, there is the Official Information Act, which extends to cover the protection of personal information of Thai people and foreigners who have residence in Thailand. This Act defines personal data quite broadly, which gives a wider protection to any person. In this Act, personal data includes ‘any’ information relating to the person.

State enterprises which provide services electronically are required to ensure that data collected from persons in the course of providing the services are properly stored, secured and not disclosed, by virtue of the Notification of the Electronic Transaction Committee on the Policy and Practice relating to the Personal Data Protection of the State Enterprises of B.E. 2553 (A.D. 2010).

The Financial Institution Act, the National Health Service Act and other specific businesses have set out additional criteria to ensure that data collected from persons in the course of trading are not disclosed, and are adequately protected. These restrictions are in place to ensure that the data is kept within a business and only used for the purpose of its own business operation. In addition to this, there are also requirements in some businesses that the business should have proper security mechanisms put in place to ensure that the data in their possession is safe and adequately protected. Obtaining consent from an individual prior to the release of personal data of the individual is also something that is typically built into a contract with various businesses.

There are rarely any exceptions to these requirements, except for instances where it relates to the national security of the Kingdom of Thailand. (Taken from InhouseCommunity here.)


Personal Data Protection Bill

  • (From LawPlusLTD here.)
  • (From Tilleke here.)
  • (See news from NationMultimedia here.)
  • (See GDPR influence at PressReader here.)
  • (See an overview of the privacy landscape from PrivacyInternational here.)

Existing Privacy

  • (Taken from InhouseCommunity here.)