Personal Data Protection Act, B.E. 2562 (2019)
His Majesty King Phra Poramenthra Ramathibodi Sisin Maha Vajiralongkorn Phra Vajira Klao Chao Yu Hua
Given on the 24th Day of May B.E. 2562;
Being the 4th Year of the Present Reign.
His Majesty King Phra Poramenthra Ramathibodi Sisin Maha Vajiralongkorn Phra Vajira Klao Chao Yu Hua is graciously pleased to proclaim that: Whereas it is expedient to have an enabling act on the law concerning personal data protection. This Act contains certain provisions in relation to the restriction of rights and freedom of a person, which sections 26, 32, 33, and 37 of the Constitution of the Kingdom of Thailand permit by virtue of the law. The rationale and necessity to restrict the rights and freedom of a person in accordance with this Act are to efficiently protect personal data and establish effective remedial measures for data subjects whose rights to the protection of personal data are violated. The enactment of this Act is consistent with the criteria prescribed under section 26 of the Constitution of the Kingdom of Thailand.
Be it, therefore, enacted by the King, by and with the advice and consent of the National Legislative Assembly acting as the parliament, as follows:
Section 1 This Act is called the “Personal Data Protection Act, B.E. 2562 (2019)”.
Section 2 This Act shall come into force on the day following the date of its publication in the Government Gazette, except for the provisions of Chapter II, Chapter III, Chapter V, Chapter VI, Chapter VII, section 95, and section 96, which shall come into effect after a period of one year from the date of its publication in the Government Gazette.
Section 3 In the event that there is any sector-specific law governing the protection of Personal Data in any manner, any business, or any entity, the provisions of such law shall apply, except:
(1) for the provisions with respect to the collection, use, or disclosure of Personal Data and the provisions concerning the rights of data subjects including relevant penalties, the provisions of this Act shall apply additionally, regardless of whether they are repetitive with the above specific law.
(2) for the provisions regarding complaints, provisions granting power to the expert committee to issue an order to protect the data subject, and provisions regarding the power and duties of the Competent Official, including relevant penalties, the provisions of this Act shall apply in the following circumstances:
(a) in the event that such law has no provision regarding complaints;
(b) in the event that such law has provisions granting power to the competent official, who has the power to consider the complaints under such law, to issue an order to protect the data subject, but such power is not equal to the power of the expert committee under this Act; and either the competent official who has power under such law makes a request to the expert committee, or the data subject files a complaint with the expert committee under this Act, as the case may be.
Section 4 This Act shall not apply to:
(1) the collection, use, or disclosure of Personal Data by a person who collects such Personal Data for personal benefit or household activity of such person only;
(2) operations of public authorities having the duties to maintain state security, including financial security of the state or public safety, including the duties with respect to the prevention and suppression of money laundering, forensic science, or cybersecurity;
(3) a person or a juristic person who uses or discloses Personal Data that is collected only for the activities of mass media, fine arts, or literature, which are in accordance with professional ethics or for public interest;
(4) The House of Representatives, the Senate, and the Parliament, including the committee appointed by the House of Representatives, the Senate, or the Parliament, which collect, use, or disclose Personal Data in their consideration under the duties and power of the House of Representatives, the Senate, the Parliament, or their committee, as the case may be;
(5) trial and adjudication of courts and work operations of officers in legal proceedings, legal execution, and deposit of property, including work operations in accordance with criminal justice procedure;
(6) operations of data undertaken by a credit bureau company and its members, according to the law governing the operations of a credit bureau business.
Exemptions from all or part of the provisions of this Act for any Data Controller in any manner, business, or entity similar to the Data Controllers in paragraph one, or for any other public interest purpose, shall be promulgated in the form of a Royal Decree.
The Data Controller under paragraph one (2), (3), (4), (5), and (6) and the Data Controller of the entities that are exempted under the Royal Decree in accordance with paragraph two shall also implement security protection of Personal Data in accordance with the standard.
Section 5 This Act applies to the collection, use, or disclosure of Personal Data by a Data Controller or a Data Processor that is in the Kingdom of Thailand, regardless of whether such collection, use, or disclosure takes place within the Kingdom of Thailand or not.
In the event that a Data Controller or a Data Processor is outside the Kingdom of Thailand, this Act shall apply to the collection, use, or disclosure of Personal Data of data subjects who are in the Kingdom of Thailand, where the activities of such Data Controller or Data Processor involve:
(1) the offering of goods or services to data subjects who are in the Kingdom of Thailand, irrespective of whether the payment is made by the data subject;
(2) the monitoring of the data subject’s behavior, where the behavior takes place in the Kingdom of Thailand.
Section 6 In this Act:
“Personal Data” means any information relating to a person, which enables the identification of such person, whether directly or indirectly, but excluding information of deceased persons in particular;
“Data Controller” means a person or juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of Personal Data;
“Data Processor” means a person or juristic person who operates in relation to the collection, use, or disclosure of Personal Data pursuant to orders given by or on behalf of a Data Controller, where such person or juristic person is not the Data Controller;
“Person” means a natural person;
“Committee” means the Personal Data Protection Committee;
“Competent Official” means any person appointed by the Minister to perform acts under this Act;
“Office” means the Office of the Personal Data Protection Committee;
“Secretary-General” means the Secretary-General of the Personal Data Protection Committee;
“Minister” means the Minister in charge under this Act.
Section 7 The Minister of Digital Economy and Society shall be in charge under this Act and shall have the power to appoint the Competent Official to perform acts under this Act.
Chapter I
Personal Data Protection Committee
Section 8 There shall be a Personal Data Protection Committee, consisting of:
(1) a Chairperson selected and appointed from persons having distinguished knowledge, skills, and experience in the field of Personal Data protection, consumer protection, information technology and communication, social science, law, health, finance, or any other field relevant and useful for the protection of Personal Data;
(2) the Permanent Secretary of the Ministry of Digital Economy and Society, who shall serve as Vice-Chairperson;
(3) five ex officio directors, consisting of the Permanent Secretary of the Prime Minister’s Office, the Secretary-General of the Council of State, the Secretary-General of the Consumer Protection Board, the Director-General of the Rights and Liberties Protection Department, and the Attorney General;
(4) nine honorary directors, selected and appointed from persons having distinguished knowledge, skills, and experience in the field of Personal Data protection, consumer protection, information technology and communication, social science, law, health, finance, or any other field relevant and useful for the protection of Personal Data.
The Secretary-General shall be a director and secretary, and the Secretary-General shall appoint assistant secretaries from the officials of the Office, not exceeding two persons.
The rules and procedures for the selection of persons appointed as Chairperson and honorary directors, including the replacement of a Chairperson or honorary director who vacates office before the expiration of the term under section 13, shall be prescribed by notification issued by the Cabinet, taking into account transparency and fairness in the selection process.
Section 9 There shall be a selection committee of eight members tasked with selecting appropriate persons to be appointed as Chairperson under section 8(1) or honorary directors under section 8(4), consisting of:
(1) two persons appointed by the Prime Minister;
(2) two persons appointed by the President of the Parliament;
(3) two persons appointed by the Ombudsman;
(4) two persons appointed by the National Human Rights Commission.
If the appointing authority in (2), (3), or (4) fails to appoint members of the selection committee within forty-five days from the date of notice from the Office, the Office shall nominate persons for the Prime Minister’s consideration and appointment as members of the selection committee on behalf of such appointing authority.
The selection committee shall choose a Chairperson and a Secretary from among its members, and the Office shall serve as the administrative unit of the selection committee.
In the event of a vacancy in the selection committee, a new member must be promptly selected to fill the vacancy. During the period without a new member, the selection committee shall function with the existing members.
No member of the selection committee is eligible to be nominated as Chairperson under section 8(1) or honorary director under section 8(4).
Section 10 When selecting the Chairperson under section 8(1) or honorary directors under section 8(4), the selection committee shall choose individuals who meet the qualifications in section 8(1) or section 8(4), including meeting the qualifications and not possessing any prohibited characteristics under section 11, and agree to be nominated for selection in the number corresponding to the number of Chairpersons to be appointed under section 8(1) or the number of honorary directors to be appointed under section 8(4).
After selecting the Chairperson under section 8(1) or honorary directors under section 8(4), the selection committee shall submit their names, along with evidence of their qualifications and lack of prohibited characteristics, and their consent to the Cabinet for appointment as Chairperson under section 8(1) or honorary directors under section 8(4).
The Prime Minister shall publish in the Government Gazette the names of the Chairperson under section 8(1) or honorary directors under section 8(4) appointed by the Cabinet.
Section 11 The Chairperson and honorary directors must possess the qualifications and must not have the following prohibited characteristics:
(1) Thai nationality;
(2) not being bankrupt or having been previously dishonestly bankrupt;
(3) not being incompetent or quasi-incompetent;
(4) not having a final judgment of imprisonment, regardless of actual imprisonment, except for offenses of negligence or misdemeanors;
(5) not having been dismissed or discharged from public office, government agency, state enterprise, or private agency for dishonesty in duty or serious misconduct;
(6) not having been removed from office under the law;
(7) not holding political office, local assembly membership, local administration management position, political party directorship, political party advisor or officer, or any similar position.
Section 12 The Chairperson and honorary directors serve a term of four years.
Upon expiration of the term under paragraph one, if a new Chairperson or honorary director has not been appointed, the outgoing Chairperson or honorary director shall continue to perform duties until a successor assumes office.
A Chairperson or honorary director who has vacated office upon term expiration may be reappointed but may not hold office for more than two terms.
Section 13 In addition to vacating office upon expiration of the term under section 12, the Chairperson and honorary directors vacate office upon:
(1) death;
(2) resignation;
(3) dismissal by the Cabinet for negligence, disgraceful behavior, or incapacity;
(4) disqualification or possession of any prohibited characteristics under section 11.
If a Chairperson or honorary director vacates office before term expiration, the replacement shall serve the remaining term of the vacating Chairperson or honorary director, unless the remaining term is less than ninety days, in which case a new appointment may not be necessary.
If a Chairperson vacates office prematurely, the Vice-Chairperson shall temporarily perform Chairperson duties.
Section 14 A quorum for a Committee meeting requires the presence of at least half of all members.
The Chairperson presides over meetings. In the absence or inability of the Chairperson to perform duties, the Vice-Chairperson acts as Chairperson. If both the Chairperson and Vice-Chairperson are absent or unable to perform duties, attending members shall elect a chairperson from among themselves.
Decisions at meetings require a majority vote. Each member has one vote. In case of a tie, the Chairperson casts an additional decisive vote.
Committee meetings may be conducted electronically or by other means as determined by the Committee.
Section 15 Any member with a direct or indirect interest in a matter under consideration must disclose such interest to the Committee before the meeting and refrain from attending the meeting discussing that matter.
Section 16 The Committee has the following duties and powers:
(1) Develop a master plan for promoting and protecting Personal Data in line with policies, national strategies, and relevant national plans, to propose to the national digital economy and society committee under the law governing digital economy and society development;
(2) Support government agencies and the private sector in implementing activities under the master plan in (1) and evaluate the results;
(3) Establish measures or guidelines for Personal Data protection to comply with this Act;
(4) Issue notifications or rules for Act enforcement;
(5) Establish criteria for protecting Personal Data sent or transferred to foreign countries;
(6) Establish guidelines for Personal Data protection that Data Controllers and Data Processors must follow;
(7) Recommend to the Cabinet the enactment or amendment of laws or rules related to Personal Data protection;
(8) Recommend to the Cabinet the enactment of Royal Decrees, and reconsider the suitability of this Act at least every five years;
(9) Provide advice or consultancy on the operations of government agencies and private agencies for the protection of Personal Data, ensuring compliance with this Act;
(10) Interpret and render rulings on issues arising from the enforcement of this Act;
(11) Promote and support learning, skills, and understanding of the protection of Personal Data among the public;
(12) Promote and support research for the development of technology related to the protection of Personal Data;
(13) Perform any other acts prescribed by this Act or by other laws that set out the duties and powers of the Committee.
Section 17 The Chairperson, the Vice-Chairperson, and the Committee members shall receive a meeting allowance and other benefits in accordance with the rules prescribed by the Cabinet.
The Chairpersons of the sub-committees, the sub-committee members, the Chairperson of the expert committee, and the expert committee members appointed by the Committee shall receive a meeting allowance and other benefits in accordance with the rules prescribed by the Committee with the approval of the Ministry of Finance.
Section 18 The Committee shall have the power to appoint sub-committees to consider or perform any acts as prescribed by the Committee.
In the meetings of the sub-committees, the provisions of sections 14 and 15 shall apply mutatis mutandis.
Chapter II
Personal Data Protection
Part 1 General Provisions
Section 19 The Data Controller shall not collect, use, or disclose Personal Data unless the data subject has given consent prior to or at the time of such collection, use, or disclosure, except where permitted by the provisions of this Act or any other laws.
A request for consent shall be explicitly made in writing or via electronic means, unless impractical by its nature. When requesting consent, the Data Controller shall inform the data subject of the purpose of the collection, use, or disclosure of the Personal Data. Such request shall be presented clearly, in an easily accessible and understandable form, using clear and plain language that is not deceptive or misleading to the data subject regarding the purpose. In this regard, the Committee may prescribe the form and statements the Data Controller uses to obtain consent.
The Data Controller shall ensure that the data subject’s consent is freely given. Additionally, entering into a contract or receiving services shall not be conditioned upon obtaining consent for the collection, use, or disclosure of Personal Data that is unnecessary or unrelated to such contract or service provisions.
The data subject may withdraw consent at any time, and withdrawing consent shall be as easy as giving it, unless the withdrawal is restricted by law or by a contract that benefits the data subject. However, the withdrawal of consent shall not affect the legality of the collection, use, or disclosure of Personal Data carried out on the basis of the consent given before the withdrawal under this Chapter.
If withdrawal of consent impacts the data subject in any way, the Data Controller shall inform the data subject of such consequences.
Requests for consent that do not comply with this Chapter shall have no binding effect on the data subject and shall not authorize the Data Controller to collect, use, or disclose Personal Data.
Section 20 If the data subject is a minor who has not attained full legal capacity through marriage or under section 27 of the Civil and Commercial Code:
(1) Consent must be obtained from the holder of parental responsibility if the minor cannot act independently as specified in sections 22, 23, or 24 of the Civil and Commercial Code.
(2) For minors under ten years of age, consent must be obtained from the holder of parental responsibility.
If the data subject is an incompetent person, consent must be obtained from the custodian authorized to act on their behalf.
If the data subject is a quasi-incompetent person, consent must be obtained from the curator authorized to act on their behalf.
The above provisions apply mutatis mutandis to the withdrawal of consent, notification to the data subject, exercise of data subject rights, data subject complaints, and other actions under this Act for data subjects who are minors, incompetent persons, or quasi-incompetent persons.
Section 21 The Data Controller shall collect, use, or disclose Personal Data only for the purposes notified to the data subject prior to or at the time of collection.
Personal Data shall not be collected, used, or disclosed for purposes different from those previously notified to the data subject under paragraph one, except:
(1) When the data subject has been informed of the new purpose and consent has been obtained prior to collection, use, or disclosure;
(2) When permitted by this Act or other laws.
Part 2 Personal Data Collection
Section 22 The collection of Personal Data shall be limited to the extent necessary for the lawful purpose of the Data Controller.
Section 23 In collecting Personal Data, the Data Controller shall inform the data subject, prior to or at the time of collection, of the following details, unless the data subject already knows them:
(1) The purpose of the collection, use, or disclosure of the Personal Data, including purposes permitted under section 24 for collecting Personal Data without the data subject’s consent;
(2) Notification regarding whether the data subject is required to provide their Personal Data to comply with a law or contract, or whether it is necessary to provide Personal Data to enter into a contract, including notification of the potential consequences if the data subject does not provide such Personal Data;
(3) The specific Personal Data to be collected and the period for which the Personal Data will be retained. If it is not possible to specify the retention period, the expected data retention period according to data retention standards shall be specified;
(4) The categories of persons or entities to whom the collected Personal Data may be disclosed;
(5) Information, address, and contact details of the Data Controller, or where applicable, the Data Controller’s representative or data protection officer;
(6) The rights of the data subject as detailed in section 19 paragraph five, section 30 paragraph one, section 31 paragraph one, section 32 paragraph one, section 33 paragraph one, section 34 paragraph one, section 36 paragraph one, and section 73 paragraph one.
Section 24 The Data Controller shall not collect Personal Data without the consent of the data subject, unless:
(1) It is necessary for achieving purposes related to preparing historical documents or archives for public interest, or for research or statistics, with appropriate measures in place to safeguard the data subject’s rights and freedoms, as prescribed by the Committee;
(2) It is necessary to prevent or suppress a danger to a person’s life, body, or health;
(3) It is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract;
(4) It is necessary for the performance of a task carried out in the public interest by the Data Controller, or necessary for the exercise of official authority vested in the Data Controller;
(5) It is necessary for the legitimate interests pursued by the Data Controller or by other natural or juristic persons, except where such interests are overridden by the fundamental rights of the data subject regarding their Personal Data;
(6) It is necessary for compliance with a law to which the Data Controller is subject.
Section 25 The Data Controller shall not collect Personal Data from any source other than the data subject directly, except when:
(1) The Data Controller promptly informs the data subject of the collection of Personal Data from another source, within thirty days of such collection, and obtains consent from the data subject;
(2) The collection of Personal Data falls within the exceptions where consent is not required under section 24 or section 26.
The provisions regarding notification of new purposes in section 21 and notification of information details in section 23 shall apply mutatis mutandis to the collection of Personal Data requiring consent under paragraph one, except in the following circumstances:
(1) The data subject is already aware of such new purposes or information details;
(2) The Data Controller can demonstrate that providing notice of such new purposes or information details is impossible or would hinder the use or disclosure of Personal Data, particularly for achieving purposes related to scientific, historical, or statistical research. In such cases, the Data Controller shall implement suitable measures to protect the rights, freedoms, and interests of the data subject;
(3) The use or disclosure of Personal Data is urgently required by law, with appropriate measures in place to protect the data subject’s interests;
(4) The Data Controller obtains or becomes aware of such Personal Data in the course of its duties, occupation, or profession, and is bound by law to keep the new purposes or the information details prescribed in section 23 confidential.
To notify the information detailed in paragraph two, the Data Controller shall provide such information to the data subject within thirty days after the date of Personal Data collection. If Personal Data are to be used to communicate with the data subject, notification of information details shall be provided at the time of the first communication with that data subject. If disclosure to another person is envisaged, notification of information details shall be provided prior to the first disclosure.
Section 26 Any collection of Personal Data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or any data that may affect the data subject similarly, as prescribed by the Committee, is prohibited without explicit consent from the data subject, except in the following cases:
(1) To prevent or suppress a danger to the life, body, or health of the person when the data subject is incapable of giving consent for any reason;
(2) Carried out in the course of legitimate activities with appropriate safeguards by foundations, associations, or any other not-for-profit bodies with political, religious, philosophical, or trade union purposes for their members, former members, or persons in regular contact with such bodies, without disclosing Personal Data outside of these entities;
(3) Information that is publicly disclosed with the explicit consent of the data subject;
(4) Necessary for the establishment, compliance, exercise, or defense of legal claims;
(5) Necessary for compliance with a law for the following purposes:
(a) Preventive medicine or occupational medicine, assessment of employee working capacity, medical diagnosis, provision of health or social care, medical treatment, management of health or social care systems and services. If not required by law, and the Personal Data is under the responsibility of a healthcare or other professional bound by confidentiality laws, it must comply with the contract between the data subject and the practitioner;
(b) Public interest in public health, such as protection against cross-border contagious diseases or epidemics, or ensuring standards and quality of medicines, medicinal products, or medical devices, with specific measures to safeguard the data subject’s rights and confidentiality of Personal Data according to professional duties or ethics;
(c) Employment protection, social security, national health security, social health welfare mandated by law, protection of road accident victims, or social protection where Personal Data collection is necessary to exercise rights or fulfill obligations of the Data Controller or data subject, with suitable measures to protect the fundamental rights and interests of the data subject;
(d) Scientific, historical, or statistical research purposes or other public interests requiring only necessary Personal Data collection, with measures to protect the fundamental rights and interests of the data subject as prescribed by the Committee;
(e) Substantial public interest, with measures to protect the fundamental rights and interests of the data subject.
Biometric data in paragraph one refers to Personal Data derived from techniques or technologies related to physical or behavioral characteristics that can uniquely identify a person, such as facial recognition, iris recognition, or fingerprint data.
In cases of Personal Data collection related to criminal records, such collection shall be conducted under the control of authorized officials according to the law, or with data protection measures implemented as per rules prescribed by the Committee.
Section 27 The Data Controller shall not use or disclose Personal Data without the consent of the data subject, unless it pertains to Personal Data collected without the requirement of consent under section 24 or section 26.
Any person or juristic person obtaining Personal Data as a result of such disclosure under paragraph one shall not use or disclose such Personal Data for any purpose other than the purpose previously notified to the Data Controller in the request to obtain such Personal Data.
If the Data Controller uses or discloses Personal Data exempted from the consent requirement in paragraph one, the Data Controller shall maintain a record of such use or disclosure in accordance with section 39.
Section 28 If the Data Controller sends or transfers Personal Data to a foreign country, the destination country or international organization receiving such Personal Data must have adequate data protection standards. The transfer shall be conducted in accordance with the rules for the protection of Personal Data prescribed by the Committee in section 16(5), except in the following circumstances:
(1) Where it is necessary to comply with the law;
(2) Where the consent of the data subject has been obtained, provided that the data subject has been informed of the inadequate Personal Data protection standards of the destination country or international organization;
(3) Where it is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract;
(4) Where it is necessary for compliance with a contract between the Data Controller and other persons or juristic persons for the interests of the data subject;
(5) Where it is necessary to prevent or suppress a danger to the life, body, or health of the data subject or other persons, when the data subject is incapable of giving consent at that time;
(6) Where it is necessary for activities related to substantial public interest.
If there is an issue regarding the adequacy of Personal Data protection standards in the destination country or international organization, such issue shall be submitted to the Committee for decision. The Committee’s decision may be reviewed if new evidence convincingly shows that the destination country or international organization has developed adequate Personal Data protection standards.
Section 29 If the Data Controller or Data Processor, located in the Kingdom of Thailand, has implemented a Personal Data protection policy regarding the sending or transferring of Personal Data to another Data Controller or Data Processor in a foreign country within the same affiliated business or group of undertakings for joint operations, and if such Personal Data protection policy has been reviewed and certified by the Office, the sending or transferring of Personal Data to a foreign country in accordance with such reviewed and certified Personal Data protection policy shall be exempt from compliance with section 28.
The Personal Data protection policy, the nature of the affiliated undertaking or business group for joint operations, and the rules and methods for review and certification mentioned in paragraph one shall be prescribed and announced by the Committee.
In the absence of a decision by the Committee under section 28 or the Personal Data protection policy referred to in paragraph one, the Data Controller or Data Processor may send or transfer Personal Data to a foreign country exempt from compliance with section 28, provided that suitable protection measures are implemented to enforce the data subject’s rights, including effective legal remedies, according to the rules and methods prescribed and announced by the Committee.
Chapter III
Rights of the Data Subject
Section 30 The data subject is entitled to request access to and obtain a copy of the Personal Data related to him or her, which is under the responsibility of the Data Controller, or to request disclosure of the acquisition of Personal Data obtained without his or her consent.
The Data Controller shall comply with the request as stated in paragraph one. The request can only be rejected where permitted by law or pursuant to a court order, and where such access and obtaining a copy of the Personal Data would adversely affect the rights and freedoms of others.
In cases where the Data Controller rejects the requests in paragraph one, the Data Controller shall record its rejection along with supporting reasons in the record as prescribed in section 39.
When the data subject makes a request as in paragraph one, and such request cannot be rejected based on the reasons in paragraph two, the Data Controller shall fulfill the request without delay, but not exceeding thirty days from the date of receiving such request.
The Committee may prescribe rules for access to and request for obtaining a copy of Personal Data in paragraph one, including extending the period under paragraph four, or other appropriate rules.
Section 31 The data subject shall have the right to receive the Personal Data concerning him or her from the Data Controller. The Data Controller shall arrange such Personal Data in a format that is readable or commonly used by automatic tools or equipment, and can be used or disclosed by automated means. The data subject is also entitled to:
(1) Request the Data Controller to send or transfer the Personal Data in such formats to other Data Controllers where feasible through automatic means;
(2) Request to directly obtain the Personal Data in such formats that the Data Controller sends or transfers to other Data Controllers, unless technical circumstances make it impossible to do so.
The Personal Data in paragraph one must be the Personal Data for which the data subject has given consent for collection, use, or disclosure according to the rules under this Act, or Personal Data exempted from consent requirements under section 24(3), or any other Personal Data referred to under section 24 as prescribed by the Committee.
The exercise of rights of the data subject in paragraph one shall not apply to the sending or transferring of Personal Data by the Data Controller which is for the performance of a task carried out in the public interest, or for compliance with law, unless such exercise of rights violates the rights and freedoms of others. In cases where the Data Controller rejects the request for such reasons, the Data Controller shall record such rejection of the request along with reasons in the record as prescribed in section 39.
Section 32 The data subject has the right to object to the collection, use, or disclosure of the Personal Data concerning him or her at any time under the following circumstances:
(1) Where the Personal Data is collected with exemptions to consent requirements under section 24(4) or (5), unless the Data Controller can prove that:
(a) The collection, use, or disclosure of such Personal Data is justified by compelling legitimate grounds;
(b) The collection, use, or disclosure of such Personal Data is carried out for the establishment, compliance, or exercise of legal claims, or defense of legal claims;
(2) Where the collection, use, or disclosure of such Personal Data is for the purpose of direct marketing;
(3) Where the collection, use, or disclosure of the Personal Data is for scientific, historical, or statistical research purposes, unless it is necessary for the performance of a task carried out for reasons of public interest by the Data Controller.
If the data subject exercises his or her right to object in paragraph one, the Data Controller shall no longer collect, use, or disclose such Personal Data. The Data Controller shall immediately distinguish such Personal Data clearly from other matters when the data subject gives notice of objection.
In cases where the Data Controller rejects the objection based on reasons in (1)(a) or (b) or (3), the Data Controller shall record such rejection of the objection request along with reasons in the record as prescribed in section 39.
Section 33 The data subject shall have the right to request the Data Controller to erase, destroy, or anonymize the Personal Data to become anonymous data that cannot identify the data subject, where the following grounds apply:
(1) The Personal Data is no longer necessary for the purposes for which it was collected, used, or disclosed;
(2) The data subject withdraws consent on which the collection, use, or disclosure is based, and where the Data Controller has no legal ground for such collection, use, or disclosure;
(3) The data subject objects to the collection, use, or disclosure of the Personal Data referred to in Section 32(1), and the Data Controller cannot reject such request under section 32(1)(a) or (b), or where the data subject exercises his or her right to object as referred to in section 32(2);
(4) The Personal Data has been unlawfully collected, used, or disclosed under this Chapter.
Paragraph one shall not apply to the extent that such Personal Data retention is necessary for freedom of expression, purposes under section 24(1) or (4), or section 26(5)(a) or (b), the establishment, compliance, or exercise of legal claims, or defense of legal claims, or for compliance with the law.
When the Data Controller has made Personal Data public and is requested to erase, destroy, or anonymize the Personal Data to become anonymous data that cannot identify the data subject under paragraph one, the Data Controller shall be responsible for the actions, including implementing technology and bearing the expenses to fulfill the request, and shall inform other Data Controllers to obtain their responses regarding the action to be taken to fulfill such request.
If the Data Controller does not take action in accordance with paragraph one or three, the data subject shall have the right to complain to the expert committee to order the Data Controller to take such action.
The Committee may announce rules for the erasure or destruction of Personal Data, or anonymization of Personal Data to become anonymous data that cannot identify the data subject under paragraph one.
Section 34 The data subject shall have the right to request the Data Controller to restrict the use of the Personal Data, where the following applies:
(1) When the Data Controller is pending the examination process in accordance with the data subject’s request pursuant to section 36;
(2) When it is the Personal Data which shall be erased or destroyed pursuant to section 33(4), but the data subject requests the restriction of the use of such Personal Data instead;
(3) When it is no longer necessary to retain such Personal Data for the purposes of its collection, but the data subject has a necessity to request the retention for the purposes of the establishment, compliance, or exercise of legal claims, or defense of legal claims;
(4) When the Data Controller is pending verification regarding section 32(1), or pending examination regarding section 32(3) in order to reject the objection request made by the data subject in accordance with section 32(3).
In the event that the Data Controller does not take action in accordance with paragraph one, the data subject shall have the right to complain to the expert committee to order the Data Controller to take such action.
The Committee may prescribe and announce rules regarding the suspension of use in accordance with paragraph one.
Section 35 The Data Controller shall ensure that the Personal Data remains accurate, up-to-date, complete, and not misleading.
Section 36 In cases where the data subject requests the Data Controller to act in compliance with section 35, if the Data Controller does not take action regarding the request of the data subject, the Data Controller shall record such request of the data subject together with reasons in the record as prescribed in section 39.
The provisions of section 34(2) shall apply mutatis mutandis.
Section 37 The Data Controller shall have the following duties:
(1) Provide appropriate security measures to prevent unauthorized or unlawful loss, access, use, alteration, correction, or disclosure of Personal Data. These measures must be reviewed when necessary or when technology changes to efficiently maintain appropriate security and safety. It shall also comply with the minimum standards specified and announced by the Committee;
(2) In circumstances where Personal Data is provided to other persons or legal persons apart from the Data Controller, the Data Controller shall take action to prevent such persons from using or disclosing such Personal Data unlawfully or without authorization;
(3) Implement an examination system for the erasure or destruction of Personal Data when the retention period ends, or when the Personal Data is no longer relevant or necessary for the purpose for which it was collected, or when the data subject requests it, or when the data subject withdraws consent. This is except where the retention of such Personal Data is necessary for freedom of expression, the purposes under section 24(1) or (4), section 26(5)(a) or (b), the establishment, compliance, or exercise of legal claims, or defense of legal claims, or compliance with the law. The provisions in section 33(5) shall govern the erasure or destruction of Personal Data mutatis mutandis;
(4) Notify the Office of any Personal Data breach without delay and, where feasible, within 72 hours after becoming aware of it, unless the Personal Data breach is unlikely to result in a risk to the rights and freedoms of persons. If the Personal Data breach is likely to result in a high risk to the rights and freedoms of persons, the Data Controller shall also notify the data subject of the Personal Data breach and the remedial measures without delay. The notification and exemptions to the notification shall be made in accordance with the rules and procedures set forth by the Committee;
(5) If acting as the Data Controller under section 5(2), designate in writing a representative of the Data Controller who must be in the Kingdom of Thailand and authorized to act on behalf of the Data Controller without any limitation of liability regarding the collection, use, or disclosure of Personal Data according to the purposes of the Data Controller.
Section 38 The provisions of the representative designation in section 37(5) shall not apply to the following Data Controllers:
(1) The Data Controller which is a public authority as prescribed and announced by the Committee;
(2) The Data Controller which engages in the profession or business of collecting, using, or disclosing Personal Data, that does not fall under the nature pursuant to section 26, and does not involve a large amount of Personal Data as prescribed by the Committee in section 41(2).
In cases where the Data Controller in section 5(2) has a Data Processor, the provisions of section 37(5) and the provisions in paragraph one shall apply to such Data Processor mutatis mutandis.
Section 39 The Data Controller shall maintain, at least, the following records in order to enable the data subject and the Office to check upon, which can be either in written or electronic form:
(1) the collected Personal Data;
(2) the purpose of the collection of the Personal Data in each category;
(3) details of the Data Controller;
(4) the retention period of the Personal Data;
(5) rights and methods for access to the Personal Data, including the conditions regarding the Person having the right to access the Personal Data and the conditions to access such Personal Data;
(6) the use or disclosure under section 27 paragraph three;
(7) the rejection of requests or objections according to section 30 paragraph three, section 31 paragraph three, section 32 paragraph three, and section 36 paragraph one;
(8) explanation of the appropriate security measures pursuant to section 37(1).
The provisions in paragraph one shall apply to the representative of the Data Controller under section 5 paragraph two mutatis mutandis.
The provisions in (1), (2), (3), (4), (5), (6), and (8) may not apply to the Data Controller who is a small organization pursuant to the rules as prescribed by the Committee, unless the collection, use, or disclosure of such Personal Data is likely to result in a risk to the rights and freedoms of data subjects, or it is not a business where the collection, use, or disclosure of the Personal Data is occasional, or it involves the collection, use, or disclosure of the Personal Data pursuant to section 26.
Section 40 The Personal Data Processor shall have the following duties:
(1) carry out the activities related to the collection, use, or disclosure of Personal Data only pursuant to the instructions given by the Data Controller, except where such instruction is contrary to the law or any provisions regarding Personal Data protection under this Act;
(2) provide appropriate security measures for preventing unauthorized or unlawful loss, access to, use, alteration, correction, or disclosure of Personal Data, and notify the Data Controller of any Personal Data breach that occurs;
(3) prepare and maintain records of personal data processing activities in accordance with the rules and methods set forth by the Committee.
The Data Processor, who fails to comply with (1) for the collection, use, or disclosure of the Personal Data, shall be regarded as the Data Controller for the collection, use, or disclosure of such Personal Data.
In carrying out the activities in accordance with the Data Processor’s obligations assigned by the Data Controller under paragraph one, the Data Controller shall prepare an agreement between the parties to control the activities carried out by the Data Processor to be in accordance with the Data Processor’s obligations for compliance with this Act.
The provisions in (3) may not apply to the Data Processor who is a small organization pursuant to the rules as prescribed by the Committee, unless the collection, use, or disclosure of such Personal Data is likely to result in a risk to the rights and freedoms of data subjects, or it is not a business where the collection, use, or disclosure of the Personal Data is occasional, or it involves the collection, use, or disclosure of the Personal Data pursuant to section 26.
Section 41 The Data Controller and the Data Processor shall designate a data protection officer in the following circumstances:
(1) the Data Controller or the Data Processor is a public authority as prescribed and announced by the Committee;
(2) the activities of the Data Controller or the Data Processor in the collection, use, or disclosure of the Personal Data require regular monitoring of the Personal Data or the system, due to having a large number of Personal Data as prescribed and announced by the Committee;
(3) the core activity of the Data Controller or the Data Processor is the collection, use, or disclosure of the Personal Data according to section 26.
In the event that the Data Controller or the Data Processor is in the same affiliated business or in the same group of undertakings, in order to jointly operate the business or group of undertakings as prescribed and announced by the Committee according to section 29 paragraph two, such Data Controller or Data Processor may jointly designate a data protection officer. In this regard, each establishment of the Data Controller or the Data Processor in the same affiliated business or in the same group of undertakings must be able to easily contact the data protection officer.
The provisions in paragraph two shall apply to the Data Controller or the Data Processor who is a public authority in (1) that is large in size or has several establishments mutatis mutandis. In the event that the Data Controller or the Data Processor in paragraph one has to designate the representative according to section 37(5), the provisions in paragraph one shall apply to the representative mutatis mutandis.
The Data Controller and the Data Processor shall have an obligation to provide information about the data protection officer, contact address, and contact channels to the data subject and the Office. The data subject shall be able to contact the data protection officer regarding the collection, use, or disclosure of the Personal Data and the exercise of rights of the data subject under this Act.
The Committee may prescribe and announce the qualifications of the data protection officer, taking into account the knowledge or expertise regarding Personal Data protection.
The data protection officer may be a staff member of the Data Controller or the Data Processor, or a service provider under contract with the Data Controller or the Data Processor.
Section 42 The data protection officer shall have the following duties:
(1) give advice to the Data Controller or the Data Processor, including the employees or service providers of the Data Controller or the Data Processor, with respect to compliance with this Act;
(2) investigate the performance of the Data Controller or the Data Processor, including the employees or service providers of the Data Controller or the Data Processor, with respect to the collection, use, or disclosure of Personal Data for compliance with this Act;
(3) coordinate and cooperate with the Office in circumstances where there are problems with respect to the collection, use, or disclosure of Personal Data undertaken by the Data Controller or the Data Processor, including the employees or service providers of the Data Controller or the Data Processor, with respect to compliance with this Act;
(4) maintain confidentiality of the Personal Data known or acquired in the course of his or her performance of duties under this Act.
The Data Controller or the Data Processor shall support the data protection officer in performing the tasks by providing adequate tools or equipment, as well as facilitating access to the Personal Data in order to perform the duties.
The Data Controller or the Data Processor shall not dismiss or terminate the data protection officer’s employment by reason of the data protection officer performing his or her duties under this Act. In the event of any problem arising while performing the duties, the data protection officer must be able to directly report to the chief executive of the Data Controller or the Data Processor.
The data protection officer may perform other duties or tasks, but the Data Controller or the Data Processor must ensure to the Office that such duties or tasks are not against or contrary to the performance of duties under this Act.
Chapter IV
Office of the Personal Data Protection Committee
Section 43 There shall be an Office of the Personal Data Protection Committee, whose objectives are to protect Personal Data, encourage and support the country’s development regarding Personal Data protection. The Office shall act as a government agency, with the status of a juristic person. The Office shall not be deemed a public sector entity under the law on administrative organization of the state, or a state enterprise under the law on budget procedures or other laws.
The operation of the Office shall not be governed by the laws on labor protection, labor relations, state enterprise labor relations, social security, and workmen’s compensation. However, the staff and employees of the Office shall be entitled to compensation at a rate not less than the rate stipulated by the laws on labor protection, social security, and workmen’s compensation.
The Office shall be considered a government agency under the law on tort liability of government officials.
Section 44 In addition to the Office’s duty to carry out its operations to achieve the objectives as set out in section 43, paragraph one, the Office shall have the duty to perform academic and administrative tasks for the Committee, the commission supervising the Office of the Personal Data Protection Committee, the expert committee, and the sub-committee. The Office shall also have the following duties and powers:
(1) to draft the master plan for the promotion and protection of Personal Data, consistent with policies, national strategies, and relevant national plans, and to draft corrective measures regarding difficulties in implementing such policies, national strategies, and national plans in order to propose them to the Committee;
(2) to promote and support research for the development of technology relating to the protection of Personal Data;
(3) to analyze and certify compliance with and the accuracy of standards, measures, or supervision mechanisms related to Personal Data protection, as well as to review and certify the Personal Data protection policies according to section 29;
(4) to conduct surveys, collect information, and follow the latest updates and trends on Personal Data protection, as well as to analyze and research Personal Data protection issues affecting the country’s development, and propose recommendations to the Committee;
(5) to liaise with the public sector, state enterprises, local government administration, public organizations, or other organizations in the country regarding Personal Data protection;
(6) to provide consultations to government agencies and private agencies on compliance with this Act;
(7) to act as the center for providing academic services or services related to Personal Data protection to government agencies, private agencies, and the public, including promoting and providing knowledge and understanding of Personal Data protection;
(8) to establish course outlines and provide training for Data Controllers, Data Processors, data protection officers, employees, service providers, and the general public;
(9) to enter into agreements and cooperate with domestic and international organizations or agencies in matters relating to the Office’s operations carried out under its duties and powers, upon obtaining approval from the Committee;
(10) to follow up on and evaluate compliance with this Act;
(11) to carry out other duties as assigned by the Committee, the commission supervising the Office of the Personal Data Protection Committee, the expert committee, or the sub-committee, or as specified by law.
Section 45 In carrying out its operations, in addition to those stipulated under section 44, the Office shall also have the power and duties to carry out the following:
(1) to hold title to, possess, and hold property rights to properties;
(2) to create rights or carry out all kinds of juristic acts binding on properties, as well as to carry out any other juristic acts for the purpose of carrying out the Office’s operations;
(3) to provide funding to support the Office’s operations;
(4) to impose fees, maintenance fees, compensation, or service fees for the Office’s operations according to its objectives, in accordance with criteria and rates specified by the Office, with the approval of the commission supervising the Office of the Personal Data Protection Committee;
(5) to carry out any other acts specified by law to be the duties and powers of the Office, or as assigned by the Committee, the commission supervising the Office of the Personal Data Protection Committee, the expert committee, or the sub-committee.
Section 46 The funds and properties used in the Office’s business operations shall consist of the following:
(1) initial budget provided by the government under section 94, paragraph one;
(2) general grants reasonably provided by the government on a yearly basis;
(3) subsidies from domestic or international government agencies, or international governmental organizations;
(4) fees, maintenance fees, compensation, service fees, or income incurred from the Office’s operations carried out under its duties and powers;
(5) interest on funds or any other income obtained from Office properties.
The funds and properties of the Office under paragraph one are required to be submitted to the Ministry of Finance as public revenue.
Section 47 The immovable properties that the Office acquires through purchase or exchange using the Office’s revenue under section 46 (4) or (5) shall be owned by the Office.
Section 48 There shall be a commission supervising the Office of the Personal Data Protection Committee, consisting of a Chairperson selected and appointed from a person with distinguished knowledge, skills, and experience in Personal Data protection, the Permanent Secretary of the Ministry of Digital Economy and Society, and the Secretary-General of the Office of the National Digital Economy and Society Commission as directors. Additionally, there shall be six honorary directors, of whom at least three shall have distinguished knowledge, skills, and experience in Personal Data protection, and other related areas beneficial for the Office’s operations.
The Secretary-General shall serve as a director and secretary and appoint assistant secretaries from the officials of the Office, not exceeding two persons.
The provisions of section 11 and section 13 shall apply mutatis mutandis to the Chairperson and the honorary directors of the Commission.
Section 49 There shall be a selection committee of eight members appointed by the Committee, tasked with selecting suitable candidates for appointment as the Chairperson and honorary directors in section 48.
The selection committee shall designate one member to act as the Chairperson of the selection committee and another member to act as the Secretary of the selection committee, with the Office performing administrative functions for the selection committee.
In the event of a vacancy on the selection committee, a new member must promptly be appointed to fill the vacancy. During the interim period before a new member is appointed, the selection committee shall continue with its existing members.
No member of the selection committee shall be eligible to be nominated as the Chairperson or honorary director in section 48.
The rules and procedures for selection shall be prescribed by the Committee, ensuring transparency and fairness in the selection process.
Section 50 In selecting the Chairperson and honorary directors in section 48, the selection committee shall choose individuals who meet the qualifications specified in section 48, paragraph one, including meeting the criteria and not having the disqualifying characteristics under section 48, paragraph three. Candidates must also consent to their nomination in numbers corresponding to the positions of Chairperson and honorary directors to be appointed in section 48.
Once the total number of Chairperson and honorary directors in section 48 has been selected, the selection committee shall submit their names, along with evidence of their qualifications and absence of disqualifying characteristics, as well as their consent, to the Committee for appointment as Chairperson and honorary directors according to section 48.
The Committee shall publish the names of the appointed Chairperson and honorary directors in section 48 in the Government Gazette.
Section 51 The Chairperson and honorary directors in section 48 shall hold office for a term of four years.
Upon expiration of their term as per paragraph one, new appointments for Chairperson and honorary directors must be made within sixty days. If new appointments have not been made within this period, the outgoing Chairperson or honorary director shall continue to perform their duties until their successor assumes office.
The Chairperson or honorary director vacating office upon the expiration of their term may be reappointed, but shall not serve for more than two consecutive terms.
Section 52 If the Chairperson or honorary director in section 48 vacates office before the expiration of their term, the commission supervising the Office of the Personal Data Protection Committee shall consist of the remaining members until a new Chairperson or honorary director is appointed. In case of a vacancy in the Chairperson’s position, the Permanent Secretary of the Ministry of Digital Economy and Society shall temporarily fulfill the duties of the Chairperson.
A new Chairperson or honorary director must be appointed to fill the vacancy within sixty days from the date of the vacancy and shall serve the remainder of the term of the person they are replacing. If the remaining term is less than ninety days, a new appointment may not be necessary.
Section 53 A quorum for a meeting of the commission supervising the Office of the Personal Data Protection Committee requires the presence of at least half of all members.
The Chairperson shall preside over the meeting. If the Chairperson is absent or unable to preside, the attending members shall elect one among themselves to chair the meeting.
Decisions at the meeting shall be made by a majority vote, with each member having one vote. In case of a tie, the chairperson of the meeting shall cast an additional deciding vote.
Any member with a vested interest in the matter under consideration at the meeting shall be prohibited from attending.
Meetings of the commission supervising the Office of the Personal Data Protection Committee may be conducted electronically, as prescribed by the Committee.
Section 54 The Commission Supervising the Office of the Personal Data Protection Committee shall have the following powers and duties:
(1) to prescribe administrative policy and approve the Office’s operational plan;
(2) to issue rules governing organization, financial matters, human resources administration, general administrative tasks, internal audit, as well as welfare and support services of the Office;
(3) to approve the annual operational plan, annual spending plan, and annual budget of the Office;
(4) to oversee the administration and operations of the Office and ensure compliance of the Secretary-General with this Act and other related laws;
(5) to appoint a selection committee for the selection of the Secretary-General;
(6) to adjudicate appeals against administrative decisions of the Secretary-General concerning Office administration;
(7) to evaluate the results of the Office’s operations and the work performance of the Secretary-General;
(8) to perform any other duties prescribed by this Act or other related laws as the powers and duties of the Commission Supervising the Office of the Personal Data Protection Committee, or as assigned by the Committee or the Cabinet.
For the rules in (2), if there are restrictions on the Secretary-General’s authority to enter into juristic acts with third parties, such restrictions must be published in the Government Gazette.
Section 55 The Commission Supervising the Office of the Personal Data Protection Committee shall have the power to appoint a sub-committee to perform any duties or act as assigned by the Commission Supervising the Office of the Personal Data Protection Committee.
The Commission Supervising the Office of the Personal Data Protection Committee may appoint individuals with skills or experience that would be beneficial for the duties performed by the Commission Supervising the Office of the Personal Data Protection Committee as its advisers.
The performance of duties and the number of members in the sub-committee in paragraph one, or individuals in paragraph two, shall comply with those prescribed by the Commission Supervising the Office of the Personal Data Protection Committee.
For meetings of the sub-committee, the provisions of section 53 shall apply mutatis mutandis.
Section 56 The Chairperson and members of the Commission Supervising the Office of the Personal Data Protection Committee, advisers of the Commission Supervising the Office of the Personal Data Protection Committee, Chairperson and members of the sub-committee appointed by the Commission Supervising the Office of the Personal Data Protection Committee shall receive meeting allowances or other benefits according to the rules prescribed by the Committee, with the approval of the Ministry of Finance.
Section 57 There shall be a Secretary-General appointed by the Commission Supervising the Office of the Personal Data Protection Committee, who has the duty to administer the affairs of the Office.
The appointment of the Secretary-General in paragraph one shall be made in accordance with the rules and methods of recruitment as prescribed by the Commission Supervising the Office of the Personal Data Protection Committee.
Section 58 A person to be appointed as Secretary-General must have the following qualifications:
(1) be of Thai nationality;
(2) be at least thirty-five years old but not older than sixty years old;
(3) have knowledge, skills, and experience in areas related to the mission of the Office and administration.
Section 59 Any person possessing any of the following disqualifying characteristics shall not be eligible to be Secretary-General:
(1) be a bankrupt or have been a dishonest bankrupt;
(2) be an incompetent or quasi-incompetent person;
(3) have been sentenced to imprisonment by a final court judgment, regardless of whether the sentence was actually served, except for offenses committed by negligence or misdemeanors;
(4) be a civil official, staff, or employee of a government agency, state enterprise, or other governmental organization, or local government agency;
(5) be or have been previously an elected official, political office holder, member of a local assembly, or in a managerial position in local administration, unless having been discharged from office for at least one year;
(6) be or have been previously a director or hold other political positions in a political party, or an officer of a political party, unless having been discharged from office for at least one year;
(7) have been previously dismissed or terminated from an official position or any previous organization due to dishonest performance of duties or serious misconduct;
(8) have been dismissed due to failing the performance evaluation in accordance with section 62(4);
(9) be a direct or indirect interested party in the Office’s related business.
Section 60 The Secretary-General shall hold office for a term of four years and may be reappointed. However, the Secretary-General shall not serve more than two terms.
Not less than thirty days but not more than sixty days before the end of the Secretary-General’s term or within sixty days from the date the Secretary-General vacates office before the end of the term, the Commission Supervising the Office of the Personal Data Protection Committee shall appoint a selection committee to nominate up to three suitable persons to the Commission Supervising the Office of the Personal Data Protection Committee.
Section 61 Each year, the performance of the Secretary-General shall be evaluated in accordance with the period and method prescribed by the Commission Supervising the Office of the Personal Data Protection Committee.
Section 62 In addition to vacating office upon the expiration of the term in section 60, the Secretary-General shall vacate office upon:
(1) death;
(2) resignation;
(3) disqualification under section 58 or any of the disqualifying characteristics under section 59;
(4) dismissal by the Commission Supervising the Office of the Personal Data Protection Committee due to failure to pass the performance evaluation, disgraceful behavior, negligence, or dishonesty in the performance of duties, or incapability.
Section 63 The Secretary-General shall have the following duties and powers:
(1) manage the Office’s work to achieve the Office’s missions in accordance with national policies, plans, strategic plans, policies of the Cabinet, Committee, and Commission Supervising the Office of the Personal Data Protection Committee, and according to the rules, regulations, or resolutions of the Commission Supervising the Office of the Personal Data Protection Committee;
(2) establish regulations regarding the Office’s operations that do not contradict laws, Cabinet resolutions, regulations, rules, requirements, policies, resolutions, or notifications prescribed by the Commission Supervising the Office of the Personal Data Protection Committee;
(3) supervise the Office’s staff and employees and evaluate their performance according to the Office’s rules or regulations;
(4) appoint the Deputy Secretary-General and Assistant Secretary-General with the approval of the Commission Supervising the Office of the Personal Data Protection Committee to assist in duties assigned by the Secretary-General;
(5) recruit, appoint, promote, adjust salaries of, take disciplinary actions against, and dismiss Office staff and employees according to the rules or regulations of the Commission Supervising the Office of the Personal Data Protection Committee;
(6) perform any acts according to the regulations, rules, requirements, policies, resolutions, or notifications prescribed by the Commission Supervising the Office of the Personal Data Protection Committee.
The Secretary-General shall be responsible for the administration of the Office and shall directly report to the Commission Supervising the Office of the Personal Data Protection Committee.
Section 64 The Secretary-General shall act as the Office’s representative. In this capacity, the Secretary-General may delegate authority to any person to perform specific tasks on their behalf according to the rules prescribed by the Commission Supervising the Office of the Personal Data Protection Committee.
Section 65 The Commission Supervising the Office of the Personal Data Protection Committee shall be responsible for determining the salary rate and other benefits of the Secretary-General according to the rules prescribed by the Cabinet.
Section 66 In the interest of administering the Office, the Secretary-General may request a civil official, staff, officer, or employee of a public sector, government agency, state enterprise, civil local administration, public organization, or other government agencies to work as temporary staff or employees, provided that approval is obtained from their supervisor or employer, with an agreement made at the time of such approval. If a government official is approved to work temporarily, they are considered permitted to leave their original official service or employment to perform the work.
Upon the end of the approved term to work for the Office, the government official in paragraph one shall be entitled to return and be appointed to their original official service or work unit, receiving a salary not lower than their original position and salary level, as agreed at the time of approval.
If such a government official returns and is appointed to work in their original official service or work unit as stated in paragraph two, the period worked for the Office shall be counted as full-time service in their original official service or work unit, as applicable, for the purpose of calculating pensions or similar benefits.
Section 67 For civil officials or government officials working under compensation scholarships granted by a public sector or government agency and transferred to work at the Office with approval from their original supervisor, working in the Office is considered reimbursement under the scholarship contract. The period worked at the Office shall count towards the scholarship compensation period.
If any government agency requests that an Office officer working under a scholarship compensation be appointed as a civil official or government official in their agency, such a request must first be approved by the Secretary-General. Working in such a government agency is considered reimbursement under the scholarship contract, and the period worked at the government agency shall count towards the scholarship compensation period.
Section 68 The Office’s accounting shall adhere to international standards according to forms and rules prescribed by the Commission Supervising the Office of the Personal Data Protection Committee.
Section 69 The Office shall prepare financial statements and accounting reports and submit them to the auditor within one hundred and twenty days from the fiscal year-end.
The Government Audit Office or a certified public accountant approved by the Government Audit Office shall audit the Office’s expenditures and assets annually, reporting the audit results to the Commission Supervising the Office of the Personal Data Protection Committee for certification.
Section 70 The Office shall prepare an annual operations report and submit it to the Commission Supervising the Office of the Personal Data Protection Committee and the Minister within one hundred and eighty days from the fiscal year-end, and shall disseminate this report to the public.
The annual operations report in paragraph one must include details of the balance sheet audited by the auditor, as well as the Office’s achievements and performance evaluation report for the preceding year.
The evaluation of the Office’s performance under paragraph two must be conducted by a third party approved by the Commission Supervising the Office of the Personal Data Protection Committee.
Chapter V
Complaints
Section 71 The Committee shall appoint one or more expert committees based on their field of expertise, or as deemed fit by the Committee. The qualifications, prohibitions, term of office, vacation from office, and other operations of the expert committee shall be in accordance with the Committee’s notification.
Section 72 The expert committee shall have the following duties and powers:
(1) Consider complaints under this Act.
(2) Investigate any actions of the Data Controller or the Data Processor, including employees or contractors of the Data Controller or the Data Processor, related to Personal Data that cause damage to the data subject.
(3) Settle disputes related to Personal Data.
(4) Perform any other acts stipulated as the duty and power of the expert committee under this Act or as assigned by the Committee.
Section 73 The data subject has the right to file a complaint if the Data Controller or the Data Processor, including employees or service providers of the Data Controller or the Data Processor, violates or fails to comply with this Act or notifications issued under this Act.
The filing, refusal of acceptance, dismissal, consideration, and timeframe for consideration of complaints shall be in accordance with the rules prescribed by the Committee, which shall also provide for the refusal of acceptance or dismissal of a complaint where the matter falls under the authority of other laws.
Section 74 If a complainant does not comply with the rules provided in section 73, paragraph two, or if the complaint filed cannot be accepted for consideration under those rules, the expert committee shall not accept such complaint.
If, after consideration of the complaint under section 72(1) or investigation under section 72(2), it is found that the complaint or action has no grounds, the expert committee shall issue an order dismissing such complaint or investigation.
If, after consideration or investigation under paragraph two, it is found that the complaint or action can be settled and the parties are willing to settle the dispute, the expert committee shall proceed with dispute settlement. However, if settlement fails or the complaint cannot be settled, the expert committee shall have the power to issue the following orders:
(1) Directing the Data Controller or the Data Processor to perform or rectify their actions within a specified period.
(2) Prohibiting the Data Controller or the Data Processor from carrying out actions causing damage to the data subject, or requiring the Data Controller to cease such actions within a specified period.
If the Data Controller or the Data Processor fails to comply with orders under paragraph three (1) or (2), provisions regarding administrative enforcement under the law on administrative procedure shall apply mutatis mutandis. If seizure, attachment, or auction of the properties of the Data Controller or the Data Processor is required under the law on administrative procedure, the expert committee may order such measures for that purpose.
The issuance of orders under paragraph one, two, or three (1) or (2) shall follow criteria and methods set forth in the Committee’s notification.
The orders of the expert committee shall be signed by the Chairperson of the expert committee.
Orders issued under this Section shall be final.
Upon issuing the result of consideration, the expert committee shall inform the complainant of the outcome and reasons. If a complaint is not accepted for consideration or dismissed because it is already under consideration by another official authority under different laws, the expert committee shall inform the complainant accordingly. If the complainant wishes to pursue the matter with the official authority under other laws, the expert committee shall facilitate this process, and the complaint shall be deemed received by that authority from the date it was received by the expert committee.
Section 75 The expert committee shall have the power to order any person to submit documents or information related to the subject matter of a complaint or any other matter concerning the protection of Personal Data under this Act. The expert committee shall also have the power to request any person to provide a statement of facts.
Section 76 In order to act in accordance with this Act, the Competent Officer shall have the following duties and powers:
(1) Request the Data Controller, the Data Processor, or any person in writing, to provide information or submit any documents or evidence in connection with actions or offenses under this Act.
(2) Investigate and collect facts, and report to the expert committee if the Data Controller, the Data Processor, or any person has committed an offense or caused damage due to their violation of or non-compliance with this Act or notifications issued in accordance with this Act.
In carrying out duty (2), if it is necessary to protect the interests of the data subject or the public interest, the Competent Officer shall file a complaint with the competent court to obtain an order granting permission for the Competent Officer to enter the premises of the Data Controller or any person involved in the offense under this Act. Such entry may take place between sunrise and sunset or during the business hours of such premises, in order to investigate and collect facts, and to seize or attach documents, evidence, or any other items related to the offense, or which there is reason to believe are used to commit such offense.
To appoint the Competent Officer, the Minister shall consider appointing such a person from civil officials or other government officials whose position is not lower than that of a civil official at the operational level or equivalent, and who possesses qualifications in accordance with the notification issued by the Committee.
During the performance of duties under this Section, the Competent Officer shall present his or her identification card to the relevant persons and be provided with reasonable facilitation by them. The identification card of the Competent Officer shall comply with the form required by the notification of the Committee.
Chapter VI
Civil Liability
Section 77 The Data Controller or the Data Processor, whose operation in relation to Personal Data violates or fails to comply with the provisions of this Act causing damages to the data subject, shall compensate the data subject for such damages, regardless of whether such operation is intentional or negligent, except where the Data Controller or the Data Processor can prove that such operation was due to:
(1) force majeure or the data subject’s own act or omission;
(2) an action taken in compliance with an order of a government official exercising duties and powers under the law.
Compensation under paragraph one includes all necessary expenses incurred by the data subject to prevent likely damages or to mitigate damages that have already occurred.
Section 78 The court shall have the power to order the Data Controller or the Data Processor to pay punitive damages in addition to the actual compensation rendered by the court as deemed appropriate. However, such punitive damages shall not exceed twice the amount of the actual compensation. This decision shall take into account circumstances such as the severity of damages incurred by the data subject, benefits gained by the Data Controller or the Data Processor, financial status, remedies provided, or the data subject’s contribution to the damages.
The claim for compensation arising from wrongful acts related to Personal Data under this Act shall be barred by prescription after three years from the date the injured person became aware of the damages and the identity of the liable Data Controller or Data Processor, or after ten years from the date of the wrongful act against Personal Data.
Chapter VII
Penalties
Part I
Criminal Liability
Section 79 Any Data Controller who violates the provisions under section 27, paragraph one or paragraph two, or fails to comply with section 28, which relates to Personal Data under section 26 in a manner likely to cause another person to suffer damage, impair their reputation, or expose them to scorn, hatred, or humiliation, shall be punished with imprisonment for a term not exceeding six months, a fine not exceeding Baht five hundred thousand, or both.
Any Data Controller who violates the provisions under section 27, paragraph one or paragraph two, or fails to comply with section 28, which relates to Personal Data under section 26 in order to unlawfully benefit themselves or another person, shall be punished with imprisonment for a term not exceeding one year, a fine not exceeding Baht one million, or both.
These offenses are compoundable offenses.
Section 80 Any person who, as a result of performing duties under this Act, comes to know the Personal Data of another person and discloses it to any other person, shall be punished with imprisonment for a term not exceeding six months, a fine not exceeding Baht five hundred thousand, or both.
Paragraph one shall not apply in the following circumstances:
(1) where it is a performance of duty;
(2) where it is for the benefit of an investigation or trial in court;
(3) where it is a disclosure to a domestic or foreign government agency with authority under the law;
(4) where written consent of the data subject has been obtained for the specific disclosure occasion;
(5) where it relates to a legal lawsuit openly disclosed to the public.
Section 81 In cases where the offender committing an offense under this Act is a juristic person, and the offense results from instructions given by, or acts of, any director, manager, or person who should be responsible for such acts of the juristic person, or where such person had a duty to instruct or perform an act but omitted to do so until the juristic person committed the offense, such person shall also be punished with the prescribed punishment for such offense.
Part II
Administrative Liability
Section 82 Any Data Controller who fails to comply with section 23, section 30, paragraph four, section 39, paragraph one, section 41, paragraph one, or section 42, paragraphs two or three, or fails to obtain consent using a form or statement set forth by the Committee under section 19, paragraph three, or fails to notify the impact of the withdrawal of consent under section 19, paragraph six, or fails to comply with section 23, which applies mutatis mutandis according to section 25, paragraph two, shall be punished with an administrative fine not exceeding Baht one million.
Section 83 Any Data Controller who violates or fails to comply with section 21, section 22, section 24, section 25, paragraph one, section 27, paragraph one or two, section 28, section 32, paragraph two, or section 37, or who obtains consent by deceiving or misleading the data subject about the purposes, or fails to comply with section 21, which applies mutatis mutandis according to section 25, paragraph two, or fails to send or transfer Personal Data in accordance with section 29, paragraphs one or three, shall be punished with an administrative fine not exceeding Baht three million.
Section 84 Any Data Controller who violates section 26, paragraph one or three, or section 27, paragraph one or two, or section 28 in relation to Personal Data under section 26, or fails to send or transfer Personal Data under section 26 to comply with section 29, paragraphs one or three, shall be punished with an administrative fine not exceeding Baht five million.
Section 85 Any Data Processor who fails to comply with section 41, paragraph one, or section 42, paragraphs two or three, shall be punished with an administrative fine not exceeding Baht one million.
Section 86 Any Data Processor who fails to comply with section 40 without appropriate reasons, or fails to send or transfer Personal Data in accordance with section 29, paragraphs one or three, or fails to comply with section 37, paragraph five, which applies mutatis mutandis according to section 38, paragraph two, shall be punished with an administrative fine not exceeding Baht three million.
Section 87 Any Data Processor who sends or transfers Personal Data under section 26, paragraph one or three, without complying with section 29, paragraphs one or three, shall be punished with an administrative fine not exceeding Baht five million.
Section 88 Any representative of the Data Controller or Data Processor who fails to comply with section 39, paragraph one, which applies mutatis mutandis according to section 39, paragraph two, and section 41, paragraph one, which applies mutatis mutandis according to section 41, paragraph four, shall be punished with an administrative fine not exceeding Baht one million.
Section 89 Any person who fails to comply with the order given by the expert committee, fails to provide a statement of facts under section 75, fails to comply with section 76, paragraph one, or fails to facilitate government officials under section 76, paragraph four, shall be punished with an administrative fine not exceeding Baht five hundred thousand.
Section 90 The expert committee shall have the power to impose the punishment of an administrative fine prescribed in this Part. If deemed appropriate, the expert committee may issue an order for rectification or a warning initially.
In determining whether to issue an order to impose an administrative fine, the expert committee shall consider the severity of the circumstances of the offense, the size of the Data Controller’s or Data Processor’s business, or other circumstances as per the rules prescribed by the Committee.
If a person subject to an administrative fine refuses to pay, the provisions regarding the execution of administrative orders under the administrative procedure law shall apply mutatis mutandis.
If there is no officer to execute an administrative order, or if such an order cannot be executed otherwise, the expert committee shall have the right to file a lawsuit with the Administrative Court to demand payment of such fine. In such event, if the Administrative Court finds the order imposing an administrative fine lawful, it may issue a judgment and order the seizure or attachment of assets for sale by auction to pay such fine.
The order imposing an administrative fine and administrative execution shall apply mutatis mutandis according to section 74, paragraph six, and administrative execution under paragraph three shall apply mutatis mutandis according to section 74, paragraph four.
Transitional Provisions
Section 91 At the early stage, the Committee shall consist of committee members under section 8(2) and (3), and the Secretary-General shall be the committee member and secretary, who shall perform duties as necessary for the time being, but not more than ninety days from the effective date of this Act. A Vice-Chairperson shall temporarily act as Chairperson.
The Office shall manage to appoint a Chairperson under section 8(1) and an honorary director under section 8(4) within ninety days from the effective date of this Act.
Section 92 A commission supervising the Office of the Personal Data Protection Committee shall be set up within ninety days from the date when the Chairperson and the honorary director are appointed in accordance with section 91.
The Secretary-General shall be appointed within ninety days from the date when the Office has been set up in accordance with section 93.
Section 93 The Office shall be set up to operate in accordance with this Act within one year from the effective date of this Act. During the period when the Office has not yet been duly set up, the Office of the Permanent Secretary of the Ministry of Digital Economy and Society shall perform the duties in accordance with this Act, and the Minister shall appoint a Deputy Permanent Secretary of the Ministry of Digital Economy and Society to perform the Secretary-General’s duties until the Secretary-General is appointed in accordance with section 92, paragraph two.
Section 94 At the early stages, the Cabinet shall allocate the initial budget for the Office as necessary.
The Ministry shall propose to the Cabinet to consider procuring a civil official, official, staff, or any other operating officer from other government organizations to temporarily act as an official of the Office within the period specified by the Cabinet.
It shall be deemed that the civil official, official, staff, or any other operating officer from other government organizations who temporarily acts as an official of the Office in accordance with paragraph two remains in his or her own position and continues to receive salary or wages, as the case may be, from his or her original department. The Committee may also determine special remuneration for the civil official, staff, official, or any other operating officer from other government organizations in accordance with paragraph two during his or her operation in the Office.
Within one hundred and eighty days from the date on which the Office has been set up, the Office shall proceed to recruit the civil official, official, staff, or any other operating officer from other government organizations in accordance with paragraph two to be a permanent official of the Office afterward.
Any civil official, official, staff, or any other operating officer from other government organizations who has been recruited and seated in accordance with paragraph four shall have his or her working period for his or her previous department continued and counted together with his or her working period for the operation in the Office under this Act.
Section 95 For Personal Data that has been previously collected by a Data Controller before the effective date of this Act, the Data Controller shall be entitled to continue to collect and use such Personal Data for the original purposes. However, the Data Controller shall prepare and publicize a consent withdrawal method to facilitate the data subject who does not wish the Data Controller to continue collecting and using his or her Personal Data, to notify his or her withdrawal of consent easily.
The disclosure and other acts, apart from the collection and use of Personal Data under paragraph one, shall be in accordance with the provisions hereunder.
Section 96 The issuance of regulations and notifications in accordance with this Act shall be completed within one year from the date this Act enters into force. If this cannot be carried out, the Minister shall report to the Cabinet on the reasons thereof.
Countersigned by General Prayut Chan-o-cha
Prime Minister