In line with the intent of the law under the Electronic Transactions Act B.E. 2544 (2001) (ETA) to maintain financial and commercial security and strengthen the reliability and credibility of data message systems, the Royal Decree on Regulating the Digital Platforms which are Subject to Prior Notification B.E. 2565 (2022) (the Digital Platform Royal Decree) was enacted under the ETA. It was recently published in the Government Gazette on December 23, 2022. After a 240-day grace period, the Digital Platform Royal Decree will become fully effective on August 20, 2023.

Kritiyanee Buranatrevedhya and Thananya Chaikamonsuk, from Baker & McKenzie Limited Attorneys at Law, dissect the Digital Platform Royal Decree, with a particular focus on obligations of digital platform service operators.

The Personal Data Protection Act 2019 ('PDPA') came into full force and effect on 1 June 2022. It governs the processing (i.e. the collection, use, and disclosure) of personal data of data subjects residing in Thailand carried out by businesses, defined as persons or legal entities who are data controllers or data processors. The PDPA protects the rights of data subjects and recognises the need of businesses for processing personal data for appropriate and limited purposes.

Part one provides an overview of the key notification and consent requirements that businesses must meet to comply with the PDPA. Part two discusses the requirements set out in the PDPA in relation to data transfers and localisation. As part three of the Insight series on the operationalisation of the PDPA, Dhiraphol Suwanprateep and Thananya Chaikamonsuk, from Baker & McKenzie Limited Attorneys at Law, explore the PDPA's provisions on vendor management, breach reporting, and legal liability. Part four gives an overview over lawful bases for processing, sensitive personal data, and data processing safeguards under the PDPA.

The Personal Data Protection Act 2019 ('PDPA') came into full force and effect on 1 June 2022. It governs the processing (i.e. the collection, use, and disclosure) of personal data of data subjects residing in Thailand carried out by businesses, defined as persons or legal entities who are data controllers or data processors. The PDPA protects the rights of data subjects and recognises the need of businesses for processing personal data for appropriate and limited purposes.

As part one of the Insight series on the operationalisation of the PDPA, Kowit Somwaiya and Usa Ua-areetham, from LawPlus Ltd., provide an overview of the key notification and consent requirements that businesses must meet to comply with the PDPA. Part two discusses the requirements set out in the PDPA in relation to data transfers and localisation. Part three explores the PDPA's provisions on vendor management, breach reporting, and legal liability. Part four gives an overview over lawful bases for processing, sensitive personal data, and data processing safeguards under the PDPA.

The Personal Data Protection Act 2019 ('PDPA') is Thailand's first comprehensive data protection legislation, which was originally set to enter into effect on 27 May 2020. However, following two rounds of postponement due to the COVID-19 pandemic, the PDPA has entered into effect on 1 June 2022. The PDPA is based on the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and aims to ensure the protection of personal data and put in place effective remedial measures for data subjects whose rights to the protection of personal data are violated.

Similar to part one and part three of this three-part series on the PDPA, this article intends to highlight key provisions of the PDPA, focusing on the obligations of data controllers and data processors, including data protection officer appointment ('DPO'), breach notification, and data transfers to foreign countries. In addition, the Secondary Draft Laws to the PDPA provide further information on data controller obligations.

The Personal Data Protection Act 2019 ('PDPA') is Thailand's first comprehensive data protection legislation, which was originally set to enter into effect on 27 May 2020. However, following two rounds of postponement due to the COVID-19 pandemic, the PDPA has entered into effect on 1 June 2022. The PDPA is based on the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and aims to ensure the protection of personal data and put in place effective remedial measures for data subjects whose rights to the protection of personal data are violated.

Similar to part two and part three of this three-part series on the PDPA, this article intends to highlight key provisions of the PDPA, focusing on its scope of application, important definitions, and the grounds on which the collection, use, and disclosure of personal information may be based.