THAILAND Law and Practice Contributed by: John Formichella, Naytiwut Jamallsawat, Onnicha Khongthon and Supitchaya Akeyati, Formichella & Sritawat Attorneys at Law
ments should be structured with foreign exchange compliance in mind.
Non-compliance can result in administrative fines of up to THB5 million per violation, civil liability and, in certain cases, personal exposure for responsible directors or officers.

9.3 Data Privacy
8. Recent Legal Developments

8.1 Significant Court Decisions or Legal Developments

Regulators have adopted a more assertive posture in technology-sector supervision. The NBTC has increased scrutiny of foreign-ownership and control structures in telecoms and data infrastructure licensees, emphasising that de facto control – such as through voting agreements or nominee arrangements – can constitute foreign dominance even where formal shareholding thresholds appear compliant.

Under the PDPA, new subordinate regulations address cross-border transfers, records-of-processing exemptions and security standards. Enforcement activity and guidance have heightened expectations for data-processing agreements, breach notifications and third-party risk management.

The SEC has enhanced rules on digital-asset intermediaries, investment-product governance and IT/cybersecurity standards, which indirectly affect technology M&A by shaping operational resilience and disclosure obligations for listed companies.

Buyers prioritise source code ownership, open source compliance, customer contract assignability, cybersecurity history and data room hygiene. Confirming IP ownership and ensuring that there are no employee-related IP claims are critical.

9.2 Technology Company Due Diligence

PDPA due diligence includes:

• mapping personal data flows;
• evaluating consent mechanisms;
• reviewing cross-border transfer practices; and
• assessing breach logs.

9. Due Diligence/Data Privacy

9.1 Due Diligence Process
The PDPA imposes practical limits on the scope of due diligence, particularly when a target company holds significant customer or employee data. While data can be reviewed for the purposes of an M&A transaction, the PDPA requires that disclosures to bidders be limited to what is necessary, appropriately anonymised or aggregated, and supported by safeguards such as NDAs and data-processing clauses.

Targets generally do not share raw customer data, personal data, behavioural profiles or identifiable logs unless lawful and necessary. Usually, the lawful basis is “legitimate interests”, requiring a balancing test and data minimisation. Therefore, bidders review sampled, masked or redacted data, summaries of data flows, security details, vendor lists and breach histories, not full datasets.

Employee data is restricted, including identifiable HR files, disciplinary records, medical info and IDs, which are usually unavailable during pre-closing diligence. Instead, anonymised summaries and risk assessments are used. In regulated sectors, regulators also expect restrictions on logs, metadata and network data that could identify users.

In practice, the PDPA does not prevent thorough diligence, but it influences it. Buyers should anticipate a two-phase process: a masked or redacted review before signing, followed by access to more detailed data only after signing, under stricter contractual protections or through a clean-team arrangement.
10. Disclosure

10.1 Making a Bid Public
Public company bids become public upon SEC filing of Form 247-4 and a simultaneous press release.