The implementation of Thailand’s Personal Data Protection Act B.E. 2562 (A.D. 2019) (the “PDPA”) has been delayed until May 31, 2021.

Certain data controllers’ compliance with the main operative provisions concerning personal data protection (including those covering requests for data subjects’ consent; collection/use and disclosure of personal data; rights of data subjects; complaints; and civil liabilities and penalties), which were previously scheduled to come into force this year, has been deferred for another one-year period, i.e., until May 31, 2021.

Those data controllers for whom compliance has been deferred include agencies and operators of prescribed businesses specified in the Royal Decree on Agencies and Businesses Not Subject to the PDPA B.E. 2563 (2020) (the “Royal Decree”). The Royal Decree covers a broad range of agencies and businesses, including governmental authorities, industrial businesses, commercial businesses, transportation businesses, telecommunication/computer/digital businesses, banking and finance businesses, insurance businesses, real estate businesses and professional businesses. If any data controller is unsure as to whether it falls within the scope of those listed in the Royal Decree as being exempt from compliance with the PDPA until May 31, 2021, it may seek advice from the Personal Data Protection Committee.