Thailand: Processing by Local Establishment

The Processing by Local Establishment factor is a key element in determining the applicability of Thailand's Personal Data Protection Act (PDPA). This factor extends the law's reach to data processing activities conducted by entities established within Thailand, regardless of where the actual processing occurs.

Text of Relevant Provision

PDPA, B.E. Sec.5(1) states:

"This Act applies to the collection, use, or disclosure of Personal Data by a Data Controller or a Data Processor that is in the Kingdom of Thailand, regardless of whether such collection, use, or disclosure takes place in the Kingdom of Thailand or not."

Analysis of Provision

The provision clearly establishes that the PDPA applies to data processing activities carried out by entities physically located within Thailand. The key aspects of this provision are:

"collection, use, or disclosure": This broad terminology encompasses all types of data processing activities, ensuring comprehensive coverage of personal data handling.
"Data Controller or a Data Processor that is in the Kingdom of Thailand": This phrase explicitly ties the law's applicability to the physical presence or establishment of the entity within Thailand's borders.
"regardless of whether such collection, use, or disclosure takes place in the Kingdom of Thailand or not": This clause extends the law's reach beyond Thailand's geographical boundaries, as long as the data controller or processor is established in Thailand.

The rationale behind this factor is to ensure that Thai data protection standards are upheld by entities operating within the country, even if they process data of individuals located outside Thailand or if the actual data processing occurs in foreign jurisdictions.

Implications

This provision has significant implications for businesses:

Local companies: All Thai-based companies must comply with the PDPA for their data processing activities, regardless of where their customers or data subjects are located.
Multinational corporations: Foreign companies with subsidiaries or branches in Thailand must ensure PDPA compliance for data processing activities conducted through these local establishments.
Cloud services: Thai companies using cloud services hosted abroad are still subject to the PDPA, as the law applies based on the company's location, not the data's storage location.
Outsourcing: Thai companies outsourcing data processing to foreign entities remain responsible for PDPA compliance, as they are the data controllers established in Thailand.
Cross-border data transfers: While the provision doesn't directly address data transfers, it implies that Thai companies must ensure PDPA compliance even when transferring data to foreign jurisdictions.

This factor effectively extends Thailand's data protection regime globally for Thai-established entities, requiring them to maintain PDPA standards in all their international data processing activities.

Jurisdiction Overview

Thailand

Judicial Proceedings and Court Records Exemption 👮🏼 National Security and Law Enforcement Exemption 🎯 Exemption for Specific Purposes of Processing 🎦 Monitoring Data Subjects Within Jurisdiction 🏡 Personal and Domestic Use Exemption 📍 Processing by Local Establishment ⚖️ Sectoral Exceptions Regulated by Other Laws 🛍️ Offering Goods and Services to Data Subjects in Jurisdiction Physical Location/Residency of Data Subject in Jurisdiction