Personal Data Protection Act (“PDPA”)


Personal Data Protection Act of Thailand 2019

Deferral of PDPA Enforcement until 1 June 2022

On 5 May 2021, the Thai cabinet passed a resolution to postpone the enforcement of the Personal Data Protection Act of Thailand B.E. 2562 (A.D. 2019) (“PDPA”) for another year, so that it will be effective on 1 June 2022.

The Royal Decree on the list of 22 businesses not subject to the PDPA will be extended to the same date.



Meanwhile, the Data Controller still needs to comply with the security standard for personal data in accordance with the DES notification by having access control measures in place and recognizing the significance of personal data protection.

DES is also preparing a draft secondary law and promotion plan for personal data protection, which has already been accepted by public hearing, and is arranging guidelines on personal data protection for 7 sectors, including tourism, public health, education, retail and online market, transportation, real estate and government mission.

An understanding of the PDPA among business operators, especially SMEs, will lead to confidence in implementing the PDPA and in using digital technology to develop innovation appropriately in collecting, using and disclosing personal data.


What business entities shall prepare before the full effect of the PDPA

  1. Understand and analyze the PDPA. The business shall start consulting with a law firm or its legal team to understand the PDPA, including the obligations, responsibilities and effects which may impact the business. For example, understanding the roles and obligations of the data controller and/or data processor.
  2. Categorize the data. Determine which data processed by the business is affected by the PDPA. Categorize personal data or sensitive data and prepare policies on how the business, employees and other relevant persons should process and handle that personal data.
  3. Prepare relevant agreements regarding the processing of personal data. In case personal data is processed by a third party, or the business operator is required to appoint a Data Protection Officer (DPO), the business shall consider preparing a data processing agreement with the data processor or a DPO service agreement with the DPO, as the case may be.
  4. Prepare to implement the privacy policy. The business shall prepare a privacy policy on how personal data will be collected, used, processed, stored or disclosed. The privacy statements shall also include the rights of the data subject under the PDPA.


Legal Insight Vol. April 2021 of Bangkok Global Law

The PDF file can be downloaded via the link below.

Personal Data Protection Act (“PDPA”)_Bangkok Global Law