• Admin

Summary of PDPA laws that Entrepreneurs Should Know 企業家應該知道的個人資料保護法摘要

Personal Data Protection Act (“PDPA”) is a law that aims to preserve personal information in order to prevent malicious people from infringing personal information and intimidating or seeking benefits either from the owner of the data himself or from the person in charge of the data. The Personal Data Protection Act B.E.2562 (2019) came into force on May 1, 2020 but only in some categories. Due to the impact of the Covid-19, the original enforcement has been postponed to May 31, 2021, and has been officially announced on June 1, 2022.

《個人資料保護法》(“PDPA”)是一項旨在保護個人資訊、防止惡意人員侵犯個人資訊,用於恐嚇或向數據所有者或數據負責人謀取利益的法律。佛曆2562年(2019)《個人資料保護法》於 2020 年 5 月 1 日生效,但僅限於某些類別。受Covid-19的影響,原執行時間推遲到2021年5月31日,並已於2022年6月1日正式宣布。

Ø Penalties for non-compliance with PDPA

未遵守 PDPA 的處罰

The Data subject should consider carefully before providing his/her personal information each time to prevent the personal data from being used in unlawful ways. In addition, data controller must know the extent of access to the customer's personal information. A company should have a system to control or to verify the identity of access of information, and it is necessary to set corporate policies for those who are responsible for keeping or accessing customer personal information to comply with PDPA. Failure to comply with PDPA will be considered an offense under the following laws:


· Civil penalties: for actual damages and may be subject to additional compensation up to a maximum of 2 times the actual damages;


· Criminal penalties: imprisonment for a maximum of 1 year or a fine of not more than 1 million baht, or both;


· Administrative penalties: a maximum fine of not more than 5 million baht;


Ø Who will be deemed to be involved in personal data?


Private and Government (individuals or juristic persons), including juristic persons established in foreign countries which collect, use, disclose and /or transfer the personal information of persons in Thailand, which can be divided into 4 parts as follows:


· Data Subject is the owner of the information;


· Data Controller is an individual or juristic person who has the authority to make “decisions” regarding the collection, use, or disclosure of personal data;


· Data Processor is an individual or juristic person that processes the collection, use, or disclosure of personal data. “According to the order or on behalf of the Personal Data Controller”, the person or legal entity doing so must not be a controller of personal data;


· Data Protection Officer is an officer of a government agency to check whether the operator has complied with the PDPA or not;


Ø How can organizations use information legally?


For information that the company can use for various marketing activities that does not violate PDPA, it must be information that the owner of the information has already given consent to or be allowed to use it. Such information is prohibited from obtaining from other sources without the consent or permission of the data subject. The permission to use information from the data owner can be either being requested in written or online data collection, provided that the content about permission must be easy to read and understand clearly.[1]

公司可用於各種營銷活動且未違反PDPA的資訊,必須是資訊所有者同意或允許使用的資訊。 未經當事人同意或許可,嚴禁從其他來源獲取此資訊。向當事人請求使用資訊的許可,可以通過書面或線上資訊收集,前提是許可的內容必須易於閱讀和清楚地理解。

Ø The exceptions to which the Company can disclose personal information of customers are as follows:[2]


1. Obtain consent of the owner of the personal data;


2. Prepare historical documents or archives for the public benefit research studies or statistical preparation;


3. Prevent or suppress danger to life, body, or health of a person;


4. Necessary to perform a law or contract;


5. Necessary for the legitimate interests of the personal data controller or of another person;


6. Necessary for the public interest and the performance of duties in the exercise of state power;


The existence of the Personal Data Protection Act B.E.2562 (2019) is to protect the right for the unauthorized use of personal data and to prevent exploitation from the misuse of the information. The data owner or the data controller should know the details of PDPA. This Act is intended for the benefit and security of personal information for businesses to be more respectful of the use of customer information in order to prevent misuse or exploitation of customer's personal information.


[1] Section 19 of the Personal Data Protection Act B.E. 2562. [2] Section 24 of the Personal Data Protection Act B.E. 2562.

#personaldataprotection #PDPA #personaldataprotectioninthailand #personaldataprotectionact #thaicourt #civillawsuit #criminallawsuit #個人資料保護 #泰國個人資料保護 #個人資料保護法 #泰國法院 #民事訴訟 #刑事訴訟 #泰國中文律師 #IBC法律金融會計事務所 #泰國律師 #泰國法律事務所 #泰國律師事務所 #泰國會計 #泰國審計 #泰國會計事務所 #泰國審計事務所 #法律顧問 #泰國會計師 #泰國華人律師事務所 #thaiaccountant #thailawyer #thailaw #泰國稅務 #IBCFirm #ThaiLawFirm #ThaiAccountingFirm #thaiauditfirm

33 views0 comments

Recent Posts

See All


本次泰國民商法修法重點 1. 發起人的最低人數從三個人減少到兩個人 2. 公司必須在登記章程後3年內成立,否則視為無效 3. 董事會會議現在可以以電子方式召開,除非公司章程禁止此方式 4. 會議的法定人數將減少到兩名股東或代理人 5. 有限公司的合併必須經股東特別會議批准