Postponement of Enforcement of Thailand’s Personal Data Protection Act

EY Corporate Services Limited has provided information concerning the postponement of the enforcement of Thailand’s Personal Data Protection Act for another year.

On 5 May 2021, the cabinet approved in principle a draft Royal Decree which specifies those organizations and businesses that will, when the Royal Decree is effective, be eligible for temporary exemption from the application of the Personal Data Protection Act B.E. 2562 (“PDPA”) for another year (1 June 2021 to 31 May 2022), as proposed by the Ministry of Digital Economy and Society (“MDES”) for efficiency purposes.
This postponement is aimed at providing an extension from the date on which the PDPA becomes effective, 1 June 2021. Details of eligible businesses are not provided, but reference can be made to the 22 eligible types of organization and business identified for the previous postponement, listed below.

  1. Government agencies
  2. Foreign government agencies and international organizations
  3. Foundations, associations, religious organizations and non-profit organizations
  4. Agricultural businesses
  5. Industrial businesses
  6. Commercial businesses
  7. Medical and public health businesses
  8. Energy, steam, water and waste disposal businesses, including related businesses
  9. Construction businesses
  10. Repair and maintenance businesses
  11. Transportation, shipping and storage businesses
  12. Travel businesses
  13. Communications, telecommunications, computer and digital businesses
  14. Financial, banking and insurance businesses
  15. Real estate businesses
  16. Professional service businesses
  17. Management and supporting service businesses
  18. Science, technology, academic, social work and art businesses
  19. Educational businesses
  20. Entertainment and recreation businesses
  21. Security businesses
  22. Household and community enterprise businesses whose activities cannot be clearly classified

Data controllers of the 22 types of eligible organization and business are temporarily exempted from the application of certain parts of the Act as follows:
  • Chapter 2: The protection of personal data
  • Chapter 3: The rights of the data subject
  • Chapter 5: Complaints
  • Chapter 6: Civil liabilities
  • Chapter 7: Penalties
  • Section 95: Transitional provisions regarding storage and use of personal data collected before the date the Act comes into force

However, the data controllers of organizations that are exempted must establish personal data security measures in accordance with the standards specified by the Ministry of Digital Economy and Society.
Further details of this measure and associated regulations have yet to be announced.
For further information, please contact:

EY Corporate Services Limited
33rd Floor, Lake Rajada Office Complex
193/136-137 Rajadapisek Road
Klongtoey, Bangkok 10110
Tel: +66 2264 9090