Professional Documents
Culture Documents
2019 PWC Legal Insight
2019 PWC Legal Insight
2019 PWC Legal Insight
LEGAL UPDATE
TAX & LEGAL Services
*Issued Date: 08 March 2019
Summary : Thailand’s Personal Data Protection Act (PDPA) was approved by the National
Legislative Assembly on 28 February 2019 and, after being signed and endorsed
by the monarch, it will be published in the Royal Thai Government Gazette and
passed into law. After this, several pieces of subordinate legislation will be enacted
to provide a procedural framework so that the PDPA can be practically enforced.
Many provisions relating to the collection, use, and disclosure of personal data will
come into force and into effect one year after the publication of the Act in the Royal
Thai Government Gazette. The table below provides the key elements of the
significant provisions of the PDPA.
© 2019 PricewaterhouseCoopers Legal & Tax Data controller - a natural or juristic person who has the
Consultants Ltd. All rights reserved. PwC
refers to the Thailand member firm, and may authority to decide on the collection, use or disclosure of
sometimes refer to the PwC network. Each personal data.
member firm is a separate legal entity. Please
see www.pwc.com/structure for further
details. Data processor - a natural or juristic person who collects,
This content is for general information uses or discloses personal data in accordance with the order
purposes only, and should not be used as a or on behalf of the data controller.
substitute for consultation with professional
advisors.
At PwC, our purpose is to build trust in
society and solve important problems. We’re Collection of The collection of personal data requires the consent of the
a network of firms in 158 countries with personal data data owner and must be for a lawful purpose and directly
more than 236,000 people who are relevant to, and necessary for, the activities of the data
committed to delivering quality in assurance,
advisory and tax services. Find out more and controller. Before or when personal data is collected, the
tell us what matters to you by visiting us data owner must be notified of the following:
at www.pwc.com.
Page 1 of 4
PwC Legal Insight # 01/2019
LEGAL UPDATE
TAX & LEGAL Services
*Issued Date: 08 March 2019
Data owner’s Data owners have legitimate rights under the PDPA.
rights They can do any of the following:
Page 2 of 4
PwC Legal Insight # 01/2019
LEGAL UPDATE
TAX & LEGAL Services
*Issued Date: 08 March 2019
Duties of the Duties of the data controller and data processor with
data controller respect to personal data processing
and data
processor Data controller
Data processor
Page 3 of 4
PwC Legal Insight # 01/2019
LEGAL UPDATE
TAX & LEGAL Services
*Issued Date: 08 March 2019
Data protection The data controller and data processor must appoint a
officer (DPO) DPO under the circumstances specified in the PDPA. The
DPO must be independent and primarily responsible for
making sure that the processing of personal data of the
organisation’s staff, customers, providers or any other
individuals will comply with the data protection rules.
Violation of the
law Major sanctions (more
Liability details are included in the
PDPA)
1. Civil liability Compensation at the court’s
discretion
Important note:
Where a juristic person commits offences, the directors,
managers, or others with the authority to represent the
juristic person, who cooperate or are aware of the
commission of the offences or fail to take reasonable
action to prevent the offence, will be liable under the same
provisions as the juristic person.
Page 4 of 4