The chamber has from our member Tilleke & Gibbins received the latest update on the PDPA approved last month. Once approved it will be published in the Government Gazette before becoming effective, which is expected within 2019. Most provisions will come into force 180 days after publication in the Government Gazette.
Highlights of the current draft PDPA include:
- Extraterritorial effect. Overseas data controllers and processers can be subject to the PDPA if they offer any goods or services to data subjects in Thailand, or monitor any behavior that takes place within Thailand. Such overseas data controllers and processors must also appoint a local representative and comply with the PDPA. The concept has been adopted substantially from the GDPR.
- Definition of Personal Data. The definition of “Personal Data” remains unchanged from the previous draft—i.e., any data pertaining to a person that enables the identification of that person, whether directly or indirectly, but specifically excluding data of the deceased. Personal Data does not include business information (business title, business address, and business contact details).
- Definition of a Data Subject. This definition has been entirely deleted since the previous hearing. Interpretation of “Data Subject” now varies section-by-section.
- Collecting consent. Requests for consent must be clear and must not be made to deceive or mislead the data subject. Consent must be made in writing or via electronic means, unless impossible by its nature. Consent can be exempted in several circumstances, including for vital interests, legitimate interests, public interests, and the performance of contractual obligations.