On 21 May 2020, a Royal Decree was published in the Royal Gazette; to postpone enforcement of the Personal Data Protection Act B.E. 2562 (A.D. 2019) (“PDPA”) on data controllers of certain entities for another year (the “Decree”). Said Royal Decree will take effect from 27 May 2020 to 31 May 2021.
The PDPA was enacted and has been partially in effect since 28 May 2019, whereby the key substantive provisions would have come into force after a grace period of one year from the publication date, i.e. 27 May 2020. These provisions include those in Chapter 2 (Personal Data Protection); Chapter 3 (Data Subject Rights), Chapter 5 (Complaints); Chapter 6 (Civil Liability); Chapter 7 (Penalties); Section 95 (Transitional Clause); and Section 96 (Issuance of Sub-regulation and Notification under the PDPA).
However, as the Personal Data Protection Committee is still not fully establishment and no sub-regulation has been enacted yet, the Ministry of Digital Economy and Society (“MDES”) has noticed the necessity for organisations to have a more reasonable timeframe to prepare themselves for compliance with the law. Moreover, under the current COVID-19 situation in Thailand – where the operation of a business is not the same as during a normal situation -the MDES is concerned that it might be too burdensome and expose businesses to unnecessary legal risks for incompliance with the law. The Royal Decree to promulgate exemption of enforcement of the PDPA for entities and businesses was thus proposed and approved by the cabinet on 19 May 2020.
The enforcement of the key substantive provisions of the PDPA will not be applicable to the entities and businesses listed in the Appendix of the Royal Decree from 27 May 2020 to 31 May 2021, i.e. it will take effect as of 1 June 2021.
There are 22 types of entities and businesses in said list, which seems to cover the majority of businesses. These include:
- Government agencies
- Foreign state agencies and international organisations
- Foundations, associations, religious organisations and non-profit organisations
- Agricultural businesses
- Industrial activities
- Commercial activities
- Medical and public health affairs
- Energy, steam, water and waste disposal businesses, including related businesses
- Construction businesses
- Repair and maintenance services
- Businesses related to transportation, logistics and storage of goods
- Tourism businesses
- Communications, telecommunications, computers and digital businesses
- Finance, banking, and insurance businesses
- Real estate businesses
- Professional businesses
- Administration and support services
- Science and technology affairs, academic work, social work and arts
- Educational businesses
- Entertainment and recreational activities
- Security businesses
- Household affairs and community enterprises which cannot be clearly classified.
Despite the fact that most of the key legal operative provisions of the PDPA will not be applicable to these 22 types of entities until 1 June 2021, the Royal Decree stipulates that the data controllers of these entities have obligations under the law to provide appropriate measures to secure personal data, which will be prescribed by the MDES.
Under Section 96 of PDPA, it is required that sub-regulations and notifications under the PDPA are to be enacted within one year from 27 May 2020. It is therefore recommendable that entities and businesses keep checking for announcements of the sub-regulations and notifications thus to ensure their compliance with the PDPA.