The implementation of Thailand’s Personal Data Protection Act B.E. 2562 (A.D. 2019) (the “PDPA”) has been delayed until May 31, 2021.

Certain data controllers’ compliance with the main operative provisions concerning personal data protection (including those covering requests for data subjects’ consent; collection/use and disclosure of personal data; rights of data subjects; complaints; and civil liabilities and penalties), which were previously scheduled to come into force this year, has been deferred for another one-year period, i.e., until May 31, 2021.

Those data controllers for whom compliance has been deferred include agencies and operators of prescribed businesses specified in the Royal Decree on Agencies and Businesses Not Subject to the PDPA B.E. 2563 (2020) (the “Royal Decree”). The Royal Decree covers a broad range of agencies and businesses, including governmental authorities, industrial businesses, commercial businesses, transportation businesses, telecommunication/computer/digital businesses, banking and finance businesses, insurance businesses, real estate businesses and professional businesses. If any data controller is unsure as to whether it falls within the scope of those listed in the Royal Decree as being exempt from compliance with the PDPA until May 31, 2021, it may seek advice from the Personal Data Protection Committee.

Update: On July 17, 2020, the Thai government issued an interim Notification of Standards for Maintenance of Security of Personal Data (the “Notification”). The Notification is intended to act as a stop-gap to ensure that personal data is protected until the deferred provisions of the PDPA become effective in 2021 and compliance with the PDPA becomes mandatory. Under the Notification, certain data controllers must immediately implement basic security controls and measures, including, among others, administrative, technical and physical safeguards for personal data security and staff training and awareness.