
Manage user consent online and meet PDPA compliance

Automate consent management and align your business with regulatory compliance with our no-code, easy-to-use cookie consent solution.

Become PDPA Compliant

14-day free trial. Cancel anytime.

The #1 cookie consent solution, trusted by 1.5 Million+ websites

PDPA effective date

The Thailand Personal Data Protection Act (PDPA) is the first data protection law in Thailand that aims to regulate the collection, use, and disclosure of personal data for commercial purposes. The PDPA was enacted in 2019 and was enforced from June 1, 2022, after being postponed due to the pandemic.

PDPA Compliance Checklist for Websites

  • Obtain user consent for cookies and trackers
  • Record user consents to demonstrate proof
  • Include an accurate, up-to-date privacy policy
  • Limit data collection only for legitimate purposes
  • Notify data protection authorities (DPAs) and affected users of data breaches

Comply with PDPA Thailand using CookieYes

Display cookie consent banner for visitors

PDPA Thailand requires businesses to notify users about the use and disclosure of personal data at the point of collection and to request their consent.

With CookieYes you can

  • Scan your website against a 100,000+ cookie database
  • Display a custom cookie banner to get opt-in consent
  • Show a consent revisit widget for users to withdraw consent

Automate consent management

Businesses should also ensure ongoing compliance with PDPA’s obligations for consent and leverage automated tools.

With CookieYes you can

  • Auto-block all third-party cookies before user consent
  • Schedule cookie scanning for continuous compliance
  • Record consent logs for proof of consent during audits

Generate a compliant privacy policy

Under PDPA Thailand, businesses should notify users of the purposes for which they collect personal data, and that notice should be easy to read and understand.

With CookieYes you can

  • Use our pre-built, legally compliant policy templates
  • Generate your privacy policy and cookie policy in minutes
  • Simply copy-paste the legal policies to your website

Achieve regulatory compliance with the #1 cookie consent solution


Learn more about PDPA and take the next step towards compliance

What is PDPA Thailand?

The Personal Data Protection Act is a data protection law in Thailand. The PDPA was enacted to regulate the collection, use, disclosure, and protection of personal data to safeguard individuals’ rights and privacy. It establishes principles and guidelines for organizations handling personal data, including consent requirements, data subject rights, data security standards, and obligations for data controllers and processors.

The PDPA applies to both Thai and foreign organizations operating in Thailand that process personal data. The PDPA Thailand was enacted in May 2019 and came into full effect on June 1, 2022.

Who does PDPA apply to?

The PDPA Thailand applies to individuals or entities engaged in the commercial collection, use, disclosure, or transfer of personal data within Thailand. However, certain exceptions exist, and the PDPA does not cover personal data collected by government agencies, organizations working for the public interest, the House of Representatives, the Senate, Parliament, or credit bureaus. Data collected for domestic or personal affairs is also not protected under the PDPA.

Entities operating outside Thailand fall under the PDPA’s purview if they collect, use, or disclose personal data of Thai individuals while offering goods or services in Thailand or monitoring activities within the country.

What are consumer rights under PDPA?

Right to be informed

The right to be informed about how their personal data will be used, and to be notified if personal data is disclosed to third parties.

Right to access

The right to access personal data and to have it available in a clear and readable format, free of cost.

Right to opt-out

The right to withdraw their consent to the collection, use or disclosure of their personal data at any time, by giving a reasonable explanation for the request.

Right to erasure

Individuals have the right to request that their personal data be deleted in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected.

Right to correction

The right to request that personal data about them be corrected, updated, or completed.

Right to data portability

The right to have their data transferred to another organization, upon request, in a commonly used machine-readable format.

What is the penalty for non-compliance?

The penalty for non-compliance with Thailand’s Personal Data Protection Act (PDPA) includes administrative fines and criminal penalties. The maximum administrative fine for non-compliance with the PDPA is up to THB 5 million.

Criminal penalties for non-compliance involve imprisonment terms not exceeding one year, in addition to administrative fines. Moreover, the PDPA also allows for punitive damages up to twice the amount of the actual damages, and civil damages can be multiplied as Thailand allows data subjects to bring a class action lawsuit.

FAQ on PDPA Thailand Compliance

The Thailand Personal Data Protection Act (PDPA) came into full effect on June 1, 2022. The Thai PDPA was originally set to enter into effect on May 31, 2020, but was postponed due to the COVID-19 pandemic.

Personal data is broadly defined as any information relating to a person that can be used to identify that person, whether directly or indirectly, but not including the information of deceased persons.

Personal data includes general data, such as name, phone number, physical address, credit card number and location, while data such as racial, sexual, religious, health, political, and biometric information is considered sensitive personal data.

Personal data that is considered ‘sensitive’ under PDPA includes information related to racial or ethnic background, political views, affiliations with cults, religious or philosophical beliefs, sexual conduct, criminal history, health information, disabilities, trade union details, genetic data, biometric information, or any data that might impact the data subject in the same manner.

The PDPA imposes certain restrictions for transferring personal data outside of Thailand. Organizations are allowed to transfer personal data outside of Thailand if they have an adequate data protection standard per the rules of the Personal Data Protection Committee (PDPC). The PDPC will issue the list of countries or organisations based on their “adequacy decision”.

In the absence of an adequacy decision, businesses may rely on the legal bases provided under the PDPA, Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs).

The PDPC published two notifications in December 2023 regarding the cross-border transfer of personal data. Businesses that require international data transfers need to ensure that they comply with the new requirements by 24 March 2024.

The Personal Data Protection Committee (PDPC) is the regulatory authority for the Personal Data Protection Act (PDPA) in Thailand. The PDPC is responsible for drafting and issuing future sub-regulations under the PDPA, promoting and supporting the protection of personal data, issuing notifications or orders regarding PDPA, and establishing rules/guidelines for data controllers and processors.

As GDPR has extra-territorial scope, businesses in Thailand that collect and process the personal data of individuals in the EU/EEA may be required to comply with the provisions of GDPR.

Meanwhile, the PDPA was heavily influenced by the EU’s GDPR and has extraterritorial applicability. It applies to any organization that collects, uses and discloses the personal data of individuals in Thailand.

Thailand’s Personal Data Protection Act (PDPA) mandates that a data controller promptly notify the Personal Data Protection Committee (PDPC) of any personal data breach within 72 hours, and also notify the data subjects where the breach poses a substantial risk to their rights and liberties, unless it can be substantiated that no such risk exists.

The PDPC sets out detailed requirements for personal data breach notification; a summary is available here.


Fast-track your PDPA compliance in minutes

Set up a cookie consent banner in 3 simple steps and automate your compliance.
