ทนายความ กฎหมายไซเบอร์, ความเป็นส่วนตัวของข้อมูล และการคุ้มครองข้อมูล ที่ดีที่สุดใน ประเทศไทย

About กฎหมายไซเบอร์, ความเป็นส่วนตัวของข้อมูล และการคุ้มครองข้อมูล Law in Thailand

Thailand maintains a triad of laws and regulatory bodies to govern cyberspace, data privacy and data protection. The Personal Data Protection Act B.E. 2562 (PDPA) regulates how personal data is collected, stored and used. The Computer-related Crime Act B.E. 2550 (Cybercrime Act) criminalizes unauthorized access, data theft and online wrongdoing. The Cybersecurity Act B.E. 2562 provides a framework for protecting critical information infrastructure and coordinating responses to cyber threats.

Enforcement is led by distinct authorities: the Personal Data Protection Committee (PDPC) oversees PDPA compliance for data controllers and processors, while the Royal Thai Police Cyber Crime Investigation Bureau enforces cybercrime provisions. Thailand continues to refine guidance on cross-border data transfers and incident reporting as part of ongoing regulatory updates. This guide summarizes how residents and organizations in Thailand can navigate these laws with practical steps.

Enforcement of PDPA in Thailand began on 1 June 2022, with ongoing guidance for cross-border data transfers and DPIA requirements.

Key sources include the Office of the Personal Data Protection Committee (PDPC) at pdpc.go.th and the Cyber Crime Investigation Bureau of the Royal Thai Police at cybercrime.police.go.th. For broader digital governance and policy context, the Ministry of Digital Economy and Society (MDES) and its official channels provide official references.

Why You May Need a Lawyer

Businesses and individuals may need legal help in Thailand to navigate complex privacy and cyber laws. Below are concrete scenarios where a lawyer can add value and reduce risk.

• You receive a PDPA compliance notice or a data breach notification and must respond properly to the PDPC. A lawyer can help prepare a compliant response and remediation plan.
• Your company processes personal data for Thai customers and you need a data processing agreement, consent forms and a privacy policy that meet PDPA requirements.
• You are accused of cyber wrongdoing under the Cybercrime Act, such as unauthorized access or data interception. An attorney can assess charges and build a defense strategy.
• Your organization transfers personal data across borders and requires a robust cross-border data transfer framework with appropriate safeguards and contractual clauses.
• You plan to implement a data protection program, including a DPIA, data retention schedules and staff training. A lawyer can tailor these to your sector and data flows.
• You are accused of or facing a government audit or investigation for insufficient cybersecurity measures under the Cybersecurity Act. Legal counsel can coordinate with authorities and minimize disruption.

Local Laws Overview

Personal Data Protection Act B.E. 2562 (2019) governs the collection, use and disclosure of personal data and applies to data controllers and processors operating in Thailand or processing Thai data. Enforcement began in 2022, with ongoing guidance on data transfers, DPIAs and enforcement actions.

Computer-related Crime Act B.E. 2550 (2007) criminalizes unauthorized access, data interception, hacking, and other computer-related offenses. The Act is enforced by the Royal Thai Police and supports criminal liability for individuals and organizations that misuse information systems.

Cybersecurity Act B.E. 2562 (2019) establishes governance for critical information infrastructure, incident reporting, and national coordination on cyber threats. It places obligations on designated entities to maintain security measures and cooperate with authorities during incidents.

Recent regulatory trends in Thailand include strengthened PDPA enforcement, clearer guidance on cross-border transfers, and ongoing modernization of incident response requirements for critical sectors. These changes affect how companies document compliance, report incidents and manage data processing agreements.

Key references for law text and official guidance can be found through Thailand's government portals, including the PDPC and MDES sites cited above, which provide regulatory summaries and practical checklists for compliance.

Frequently Asked Questions

What is PDPA and who needs to comply in Thailand?

PDPA governs personal data processing by Thai and non Thai entities with Thai data subjects. It applies to data controllers and processors, regardless of location, if data is collected in Thailand or relates to Thai residents.

How does PDPA apply to small businesses in Thailand?

Small businesses must implement basic data protection measures, document processing activities, obtain consent where required, and appoint a data protection officer or delegate if the processing is extensive or sensitive.

When did PDPA enforcement start in Thailand?

Enforcement began on 1 June 2022, with transitional guidance and ongoing updates from the PDPC. The regime continues to evolve with new guidelines for cross-border transfers and DPIAs.

Where can I file a complaint about PDPA violations?

Complaints can be submitted to the Office of the Personal Data Protection Committee (PDPC) through its official channels. The PDPC sets guidelines for complaint procedures and investigations.

Why is data breach notification important under PDPA?

Notification ensures data subjects and authorities can take timely steps to mitigate harm. It also signals to regulators that your organization is responding transparently to incidents.

Can a foreign company process Thai personal data and be compliant?

Yes, foreign entities processing Thai residents data must comply with PDPA. They should appoint local obligations through a Thai representative or local processing agreements where applicable.

Should I appoint a data protection officer in a PDPA context?

Not all organizations are required to, but appointing a DPO is recommended for larger operations or high risk processing. The DPO helps oversee compliance and regulatory interactions.

Do I need consent for processing personal data under PDPA?

Consent is one legal basis among others such as legitimate interests or contract necessity. For sensitive data, stricter consent and safeguards generally apply.

Is the Cybercrime Act applicable to private individuals?

Yes, the Act targets unlawful computer activities, including hacking, data theft and illicit access. Individuals and organizations can face criminal liability.

How long does a PDPA investigation typically take in Thailand?

Investigation duration depends on case complexity and regulator workload. PDPC investigations may take several weeks to months, with formal decisions following inquiries.

What is the difference between PDPA and Cybersecurity Act?

PDPA governs personal data protection and privacy rights; Cybersecurity Act focuses on infrastructure protection, incident reporting and coordinated response to cyber threats.

How much can penalties be under PDPA or Cybercrime Act?

Penalties vary by violation type and severity. Both regulatory avenues may involve fines, orders to remediate and potential criminal liability for serious offenses.

Additional Resources

• Office of the Personal Data Protection Committee (PDPC) - Central regulator for PDPA compliance, guidance, and complaint handling. Website: pdpc.go.th
• Royal Thai Police Cyber Crime Investigation Bureau - Enforces cybercrime provisions, conducts investigations, and coordinates actions against offenses such as hacking and data theft. Website: cybercrime.police.go.th
• Ministry of Digital Economy and Society (MDES) - Government body providing policy context, digital governance resources and regulatory updates relevant to cyber law and data protection. Website: mdes.go.th

Next Steps

1. Assess your data processing activities - List data types, purposes, recipients and processing flows to determine PDPA applicability. Timeline: 1 week.
2. Gather documentation - Collect privacy notices, consent records, data inventories and service provider contracts. Timeline: 1-2 weeks.
3. Consult a Thai lawyer with cyber privacy expertise - Get a tailored compliance plan, DPIA templates and incident response guidance. Timeline: 1-3 weeks to schedule and receive advice.
4. Develop a PDPA compliance program - Create policies, DPIA processes, data retention schedules and vendor due diligence. Timeline: 3-6 weeks to implement initial program.
5. Draft or update data processing agreements - Ensure contractual safeguards for cross-border transfers and third party processing. Timeline: 2-4 weeks per vendor review.
6. Prepare incident response and breach notification plans - Establish roles, timelines and regulator contact points. Timeline: 2-4 weeks for a tested plan.
7. Schedule regular reviews and training - Implement ongoing privacy training and quarterly compliance audits. Timeline: ongoing with quarterly milestones.