PDPA effective on 1 June 2022

The date for enforcement of the Personal Data Protection Act (PDPA) has been postponed again. It will now be effective for data controllers beginning 1 June 2022. The section of the PDPA on the Office of the Board of Personal Data Protection (OBPDP) is being put into effect so that the government can continue to work on setting up the OBPDP, which has not yet been completed.

Keywords: Mazars, Thailand. Legal, PDPA, OBPDP, Ministry of Digital Economy and Society

18 May 2021

However, data controllers must still comply with the regulations set out by the Ministry of Digital Economy and Society. The regulations were announced on 17 July 2020, and require data controllers to take technical and physical measures to protect and manage personal data, including controlling access, drawing up and using consent forms, being responsible for data management, and monitoring systems for the use, change, deletion, and transfer of data.

Data controllers also have the duty to notify the appropriate person related to such measures including, but not limited to, the employee, stakeholders, and any other person involved in handling personal data.

Thus, companies that act as data controllers are still required to prepare and apply a personal data protection policy and personal data documents, such as a consent form, while the Thai government completes the set-up of the OBPDP. The PDPA should become fully effective in June 2022, including those regulations which are currently still in the process of being finalized.

Although enforcement of the PDPA has been delayed, data controllers should study the implementation process to become familiar with it. At Mazars, our legal team can provide advice and practical executive training on the PDPA’s impact on your business. 

To receive a personal consultation on any legal issues you are dealing with, please contact us.

Your personal data is collected by Mazars in Thailand, the data controller, in accordance with applicable laws and regulations. Fields marked with an asterisk are required. If any required field is left blank, it will not be possible to process your request. Your personal data is collected for the purpose of processing your request.

You have a right to access, correct and erase your data, and a right to object to or limit the processing of your data. You also have a right to data portability and the right to provide guidance on what happens to your data after your death. Finally, you have the right to lodge a complaint with a supervisory authority and a right not to be the subject of a decision based exclusively on automated processing, including profiling, that produces legal effects concerning you or significantly affects you in a similar way.

Want to know more?