On February 28, 2019, Thailand’s National Legislative Assembly passed the Personal Data Protection Act (PDPA).
According to this source, the PDPA will be signed and endorsed by the monarch, and will then be published in the Government Gazette before to enter into force later this year.
This article explains that the legislative text includes the following provisions:
- data subjects have rights similar to the ones provided for by the GDPR, including the right to obtain a copy of data being processed and the right to data portability;
- transfers of personal data to a third countries may take place where the Thailandese data Protection Agency (DPA) deems that “the third country ensures an adequate level of protection. Some exemptions from this transfer requirement includes transferring personal data pursuant to applicable laws, transferring with consent from the data subject who has already been informed that the third country lacks a suitable level of data protection, and in case it is necessary to comply with contracts;”
- there will be both criminal penalties and civil liabilities for violations;
- compensation of damages for civil cases is limited to three years from the date of knowledge of the cause of action and the identity of the responsible person, or ten years from the day when the breach of personal data was committed;
- administrative fines range from THB 1 million (around 31,000 USD) to THB 5 million(around 150,000 USD).