The rationale and necessity to restrict the rights and freedom of a person in accordance with this Act are to efficiently protect personal data and put in place effective remedial measures for data subjects whose rights to the protection of personal data are violated.
Section 4 This Act shall not apply to:
(1) the collection, use, or disclosure of Personal Data by a Person who collects such Personal Data for personal benefit or household activity of such Person only;
(2) operations of public authorities having the duties to maintain state security, including financial security of the state or public safety, including the duties with respect to the prevention and suppression of money laundering, forensic science or cybersecurity;
(3) a Person or a juristic person who uses or discloses Personal Data that is collected only for the activities of mass media, fine arts, or literature, which are only in accordance with professional ethics or for public interest;
(4) The House of Representatives, the Senate, and the Parliament, including the committee appointed by the House of Representatives, the Senate, or the Parliament, which collect, use or disclose Personal Data in their consideration under the duties and power of the House of Representatives, the Senate, the Parliament or their committee, as the case may be;
(5) trial and adjudication of courts and work operations of officers in legal proceedings, legal execution, and deposit of property, including work operations in accordance with the criminal justice procedure;
(6) operations of data undertaken by a credit bureau company and its members, according to the law governing the operations of a credit bureau business. The exceptions to apply all or parts of the provisions of this Act to any Data Controller in any manner, business or entity, in a similar manner to the Data Controller in paragraph one, or for any other public interest purpose, shall be promulgated in the form of the Royal Decree.
The Data Controller under paragraph one (2), (3), (4), (5), and (6) and the Data Controller of the entities that are exempted under the Royal Decree in accordance with paragraph two shall also put in place a security protection of Personal Data in accordance with the standard.
This Act applies to the collection, use, or disclosure of Personal Data by a Data Controller or a Data Processor that is in the Kingdom of Thailand, regardless of whether such collection, use, or disclosure takes place in the Kingdom of Thailand or not. In the event that a Data Controller or a Data Processor is outside the Kingdom of Thailand, this Act shall apply to the collection, use, or disclosure of Personal Data of data subjects who are in the Kingdom of Thailand, where the activities of such Data Controller or Data Processor are the following activities:
(1) the offering of goods or services to the data subjects who are in the Kingdom of Thailand, irrespective of whether the payment is made by the data subject;
(2) the monitoring of the data subject’s behavior, where the behavior takes place in the Kingdom of Thailand.