Welcome to Wissen Co Newsletter

In this issue, we provide to our clients, members of Chamber of Commerce, and friends up-to-date information and details regarding theenforcement of Personal Data Protection Act B.E. 2562 (A.D. 2019) and new draft labourprotection law.

The enforcement of Personal Data Protection Act B.E. 2562 (A.D. 2019) (“PDPA”)

As we are aware that there were postponements of the enforcement of the PDPA for 2 times since 2020 and there is no sign from the Ministry of Digital Economy and Society (“MDES”) to again postpone the enforcement for the third time, to brush up the knowledge of the PDPA that soon will be effective, we have summarized the important provisions and details as follows: 

  • Types and Definition of Personal Data

Personal data means any data pertaining to a person that enables the identification of that person, whether directly or indirectly, but specifically excluding data of the deceased.

Sensitive personal data means personal data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner as prescribed by the Personal Data Protection Committee

  • Consent for collection, use and disclosure

A requirement for data controllers to gain consent from data subjects (in writing or electronic means) before they can process their personal data in certain ways (subject to certain exceptions). The request for consent must be clear and made in writing or by electronic means. For sensitive personal data, an explicit consent from the data subject is required in order to collect, use and disclose such data(subject to certain exceptions).

  • Extraterritoriality of the law’s effect

Overseas data controller and data processer can also be subject to this Act, provided that there appears any goods or services offered by the data controller or data processor to data subject in Thailand regardless of payment is made to the data subject or not, including monitoring any behavior of data subject that takes place within Thailand.

  • Cross-border Transfer of Personal Data

The requirements and exemptions for the transfer of personal data to a third country which does not have an adequate level of protection (generally strictly prohibited) are unchanged. The exemptions are:

  1. transferring personal data pursuant to applicable laws;
  2. consent from the data subject, who has been informedthat the third country lacks a suitable level of data protection;
  3. it is necessary to comply with contracts in which the data subject is a party, or pursuant to the data subject’s requests prior to entering into contracts;
  4. transfer in accordance with an agreement between a data controller and another entity for the benefit of the data subject;
  5. to prevent or suspend damage to the life, body, or health of the data subject, or other persons, when the consent of the data subject could not be obtained at that time; and
  6. when necessary for substantial public interest purposes.

Furthermore, in the case of transferring personal data to the affiliated companies in overseas for the business purpose, the personal data protection policy must be approved by the Personal Data Committee.

  • Requirement for data controllers outside Thailand

In the case that the data controller located outside Thailand, the data controller must appoint the person wholocates in Thailand as representatives to act on its behalf and such person shall fully be assigned all power without any limitation of liability for collecting, using, or disclosing personal data in accordance with the purpose of the data controller.

  • Penalties for noncompliance

Both civil and criminal penalties can be imposed on the data controller for violation. The violations would be punishable (i) subject to claim for damages under civil liability; and/or (ii) subject to imprisonment or monetary fines or both under criminal offense. In this regard, the court can order punitive damages up to twice the value of the actual damage. The claim for damages arising from violating the personal data is barred by prescription after three years from the day when the wrongful act and the person bound to make compensation became known to the injured person, or ten years from the day when the wrongful act was committed. In addition, in some case, the Committee is entitled to order the data controller and the data processor to pay the administrative fine at the range from 1 million Baht to 5 million Baht as the case may be.

New draft labour protection law

Due to COVID-19 causing the change of working environment of employees, Mr. Anutin Charnvirakul, Deputy Prime Minister of Thailand and also the Minister of Public Health, and his team have proposed a new bill as new labour protection act by adding new provisionto the Labour Protection Act B.E. 2541 (A.D. 1998) to support the Work from Home method. The new provision will allowan employer and an employee to be able to agree for an employee to work from home at lease 8 hours a week and those working hours will be deemed as normal working hours of an employee.


If this new bill has passed National Assembly, this will be benefit to employees not to waste time being stuck in traffic from their daily commutes. However, this is still in the early stage of legislation process. If the new bill has passed the National Assembly and the Royal Decree on this matter is announced, we will once again inform you.

Mr. Wichien Harnpraween
Managing Partner

Tel:+662 2592627 thru 9
Fax: +662 2592630