In brief

The Cabinet has acknowledged the necessity to postpone the effective date of the Personal Data Protection Act (PDPA).

We have recently learned from various public sources that Thailand’s Cabinet has acknowledged the necessity to pass a Draft Royal Decree to postpone the effective date of the Personal Data Protection Act B.E. 2562 (2019) (PDPA) for 1 year, as proposed by the Ministry of Digital Economy and Society (MDES).

In summary, the enforcement of key legal obligations and penalties imposed on data controllers and data processors, including data subject rights, will be delayed for 1 year counting from 27 May 2020. The 1-year postponement will particularly include Chapter 2 (Personal Data Protection), Chapter 3 (Rights of Data Subject), Chapter 5 (Complaints), Chapter 6 (Civil Liability), Chapter 7 (Penalties), section 95 (grandfather clause or transitional clause) and section 96 (issuance of sub-regulations and notifications).


The PDPA was first published in the Government Gazette on 27 May 2019 and was originally scheduled to become fully effective on 27 May 2020. However, the COVID-19 outbreak and its aftermath were cited as major obstacles for all affected sectors. The postponement will alleviate the impact on the public and private sectors and the general public.  Companies who are considered data controllers or data processors under the Act will now have until 27 May 2021 to become compliant.

According to the Deputy Government Spokesperson, the MDES will propose the Draft Royal Decree for the Cabinet’s further consideration. If the Cabinet approves, then the Decree will follow the remaining procedural steps, before being signed by the King and published in the Government Gazette, which will mark its official passage. In the meantime, the MDES is currently in the process of nominating the Personal Data Protection Committee to the Cabinet, and preparing subregulations.

We will continue to monitor this development.

Download alert

Previous articleCanada: Competitor collaborations during the COVID-19 pandemic: Almost business as usual
Next articleBelgium: DPA decisions on DPO requirements