Until recently, Thailand had no specific legislation regarding personal data protection. Instead, personal information was protected by: general laws (eg, the Constitution and laws pertaining to wrongful acts specified by the Civil and Commercial Code); and specific laws which protect only certain information (eg, the Official Information Act 1997 (BE 2540), which protects only personal information that a state agency possesses or controls). In 2009 the first Personal Data Protection Bill was introduced, followed by various drafts and amendments thereto. On 28 February 2019 the National Legislative Assembly approved the latest version of the Personal Data Protection Bill. On 28 May 2019 the first consolidated Personal Data Protection Act (PDPA) (BE 2562) took effect.