Thailand’s Personal Data Protection Act (PDPA)

The Personal Data Protection Act (PDPA) of Thailand became effective on May 27, 2019, after being published in the Thai Government Gazette. It is the newest law regulating how businesses in Thailand must handle personal data related to Thai citizens. The law provided a one-year grace period for businesses to prepare for compliance. However, it was postponed twice due to the COVID pandemic and to allow more time for businesses to prepare for the law’s implementation.

Effective from: June 1, 2022

Official text: B.E. 2562 (2019) (in English)

PDPA is the first data protection law in Thailand that protects Thai citizens’ (or data subjects) personal data and gives them their right to privacy. It also regulates the collection, use, disclosure, and/or transfer of personal data by businesses (data controller or data processor) for commercial purposes.  It appoints a Personal Data Protection Committee (PDPC) to enforce the law and ensure compliance. The Office of the Committee is also responsible for publishing guidelines, standards, and exceptions for data controllers and processors to handle the personal data.

PDPA consists of 7 chapters with 96 sections. The scope covers all personal data including online, offline, paper-based documents, and others. All businesses operating in Thailand, as well as foreign businesses who offer products or services to people in Thailand, must comply with PDPA whether they process the personal data themselves or outsource it to a third party.

The PDPA of Thailand applies to any person or organization that collects, uses, discloses, or transfers personal data in Thailand for commercial purposes, except when the personal data is collected by:

• government agencies;
• organizations for the public interest;
• the House of Representatives, the Senate, and the Parliament; or
• credit bureaus.

The PDPA also applies to foreign-owned entities operating outside Thailand that collect, use, or disclose personal data of Thai people if they offer goods or services to individuals in Thailand or monitor behavior taking place in Thailand.

The personal data collected must be used for commercial purposes. Data collected for domestic or personal affairs is exempted from PDPA protection.

Personal data as defined by PDPA includes any personally identifiable information related to a person that can identify or be used to identify an individual, either directly or indirectly. This personal data is exempted from the scope of protection if it pertains to a deceased person. Name, physical addresses, credit card numbers, location, and medical records qualify as personal data. 

The PDPA considers information related to racial or ethnic origin, political opinions, cult or religious beliefs, sexual behavior, criminal records, or health data, as sensitive personal data. 

There are eight rights that data subjects have under the Thailand Act. 

Right to access

Data subjects have the right to access and obtain copies of personal information that data controllers hold about them. Data controllers must respond to requests within 30 days unless they can demonstrate a legitimate reason for an extension. They must provide a valid reason for their denial. The rejection is acceptable if it is permitted by law or if the information could put another person’s rights or interests in jeopardy.

Right to receive/port

Data subjects have the right to receive personal data in readable or commonly used formats. They can request that data be ported in such formats directly to another controller, and should the controller refuse, it must state its reasons for doing so. 

The right does not apply to data processed for a task in the public interest or to comply with the law.

Right to object

Data subjects have the right to object or opt-out of the collection, use, or disclosure of their personal data if the data was collected with an exception to consent, for legitimate interest, for fulfilling legal claims, or for direct marketing or scientific, historical, or statistical research—except in cases where it is necessary for tasks related to the public interest.

Right to delete

Data subjects have the right to request deletion of their data, or de-identification to make it anonymous, only in certain situations, such as:

• the personal data is no longer necessary for the purpose for which it was collected, used, or disclosed;
• the data subject has withdrawn consent;
• the data subject has opted out of the further collection, use, or disclosure of personal data; or
• the personal data has not been collected, used, or disclosed lawfully.

In case the controller fails to comply with such a request from a data subject, they may complain to the PDPC.

Right to restrict

Data subjects have the right to request the data controller to restrict the use of their personal data, e.g. in case the data controller is still reviewing the requests to exercise other rights, or in case the data is no longer necessary for the purpose of collection. Data subjects may complain to the PDPC if they find that the data controller has not complied with their requests.

Right to correct

Data controllers must keep the personal data they hold accurate, up-to-date, complete, and relevant.

Right to withdraw consent

Data subjects can withdraw the consent given at any time, with no direct consequences to the actions taken before the withdrawal. The withdrawal is not allowed when a law or contract places restrictions on it. 

Data controllers must inform all data subjects of the consequences of withdrawing their consent.

There are some principles, mainly based on the collection and use or disclosure of personal data. 

Data limitation

Data collected must be limited to what is necessary for the purpose of collection.

Notice for data collection

Data Controllers must inform the data subject, before or at the time of collection of personal data, why they want to collect, use or disclose the data, the categories of data to be collected, how long you will store it, the user rights, and the necessary contact details.

Consent

Data controllers cannot collect, use or disclose data without consent from data subjects unless it is for the purpose of a legal or contractual obligation, to protect the life of another person, for scientific or historical research, or the legitimate interest of the data controllers.

Minor’s personal data

If the user is below 10 years of age or is not able to consent, you must obtain consent from their parent or legal guardian.

Source of personal data

Data controllers must collect personal data directly from data subjects unless the data controllers have informed the data subjects of collecting data from other sources or it is necessary to perform tasks falling within the exception to consent.

Sensitive personal data collection

Data controllers cannot collect, use or disclose sensitive personal data without data subjects’ explicit consent unless it is necessary for the vital interest of people or the task falls within the scope of exceptions to consent. They must ensure appropriate safeguards are in place while collecting such data.

Cross-border data transfer

Data controllers cannot transfer personal data outside of Thailand, except when:

• the recipient country has data protection standards equivalent to the PDPA;
• data subjects have given consent for the transfer;
• the transfer is necessary to fulfill a contractual obligation between the data controller and data subject; or
• the transfer is necessary to protect the vital interests of the data subject.

The requirement of a DPO under PDPA is the same as what it is in GDPR. Organizations are only required to appoint a DPO if they are a public authority or if they collect, use, or disclose personal data in large volumes. A DPO is also necessary if you collect or use sensitive personal data.

DPOs are responsible for guiding the organizations on how to handle personal data and supervise such activities. They also have to work together with the PDPC if there is any problem associated with how the organization is handling the personal data.

In the case of a data breach, data controllers must notify the Office of Personal Data Protection Commission within 72 hours of discovering the breach. The notification should be consistent with the standards laid down by the Commission. 

If the breach may put the rights and freedoms of individuals at risk, the data controller must notify the affected individuals without delay. 

Inadequate notification or notification delayed beyond the legal time limit can lead to fines of up to 3 million Baht.

• Add or update the privacy policy to disclose how you deal with personal data.
• Get consent from users before collecting their personal data.
• Data collected must be limited to what is required for the purpose for which it is being collected.
• Let users opt out of your organization collecting, using, or disclosing their personal data.
• Users must be able to revoke their consent at any time they want.
• Keep the personal data that you hold accurate and relevant to the purpose.
• In case of international data transfer, the recipient country/organization must have a governing privacy law or standards equivalent to the PDPA.
• Users must be able to exercise their rights easily.
• Keep the personal data protected against the breach or any kind of misuse, and be prepared with possible preventive measures.
• Appoint a DPO if your organization collects large volumes of personal data or works with sensitive personal data.

There are civil and criminal penalties for businesses that fail to comply with the Personal Data Protection Act, including, punitive damages, imprisonment for up to one year, or fines of up to 5 million Baht (approx. USD 150K).

Does Thailand have a data protection law?

Yes, Thailand has its Personal Data Protection Act (PDPA), which will take effect on June 1, 2022. It is similar to GDPR in that it applies to any business with operations in Thailand or dealing with the personal data of Thai citizens.

Who is protected under Thailand PDPA?

The Thailand Personal Data Protection Act (PDPA) protects the personal data of Thai residents. However, the PDPA does not apply to organizations that collect personal data for public interests and/or organizations that are state agencies with regulatory or administrative roles. The Act grants users several rights over their data that they can exercise at any time and the organizations are liable to facilitate it. The law requires organizations to take necessary measures to protect the data and keep it safe.

Who is subject to Thailand PDPA?

The PDPA applies to any “data controller” that collects, uses, or discloses personal data of Thai residents.

The PDPA does however exempt from the requirements of the PDPA government agencies, credit bureaus, parliamentary bodies, and data collected in the public interest.

The PDPA also applies to a “data processor”, i.e. an entity which handles personal data on behalf of a data controller.

Does Thailand PDPA apply to other countries?

Yes, the PDPA applies to other countries, if the organizations operating in the other country process personal data of Thailand residents to offer goods and services or to monitor their behavior occurring in Thailand.

Does GDPR apply in Thailand?

Yes, GDPR may apply in Thailand. GDPR applies to non-EU/EEA companies that offer goods and services to EU/EEA residents. Even if the processing takes place outside the EU/EEA, GDPR will apply as long as the company targets data subjects in the EU/EEA. 

What is the difference between PDPA and GDPR?

There are a few handfuls of differences between the Thailand PDPA and EU GDPR. For example, in the PDPA, personal data does not include online identifiers. Although it is to be inferred that any information that can lead to your identification is considered personal data.