Thailand’s Personal Data Protection Act (PDPA) was published in the Government Gazette on May 27, 2019. It regulates organizations that collect, use or disclose the personal data of individuals in Thailand. The government initially gave businesses a one-year grace period to comply, but full enforcement was postponed twice, partly because of the COVID-19 pandemic, to give businesses more time to prepare.

Effective from: June 1, 2022 (expected)

Official text: Personal Data Protection Act B.E. 2562 (2019) (English translation)

What is Thailand PDPA?

The PDPA is Thailand’s first data protection law. It protects the personal data of individuals (data subjects) and gives them enforceable rights over it. It also regulates the collection, use, disclosure and transfer of personal data by businesses acting as data controllers or data processors.

It establishes a Personal Data Protection Committee (PDPC) to enforce the law and oversee compliance. The Office of the Committee is also responsible for publishing the guidelines, standards and exemptions that data controllers and processors must follow when handling personal data.

Who does the Thailand PDPA apply to?

The PDPA applies to any person or organization that collects, uses, discloses or transfers the personal data of a natural person in the Kingdom of Thailand. It does not apply to the processing of personal data for purely personal or household purposes.

Like the EU GDPR, the PDPA has extraterritorial scope: it also applies to businesses located outside Thailand that collect, use or disclose the personal data of data subjects in Thailand if:

  • they offer goods or services to data subjects in Thailand, regardless of whether the data subject pays for them; or
  • they monitor the behavior of data subjects where that behavior takes place in Thailand.

What is personal data in Thailand PDPA?

Under the PDPA, personal data means “any information relating to a person” that can identify that person, directly or indirectly. Information about a deceased person is excluded from the definition.

Examples of personal data include a name, email address, signature, physical address, credit card number, licence number, medical records, financial records and location data.

The Act classifies information related to “racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner” as sensitive personal data. Such information must be handled with extra care and, as a rule, requires the data subject’s explicit consent to collect.

What are the principles of Thailand PDPA?

The Act’s principles cover the collection, use and disclosure of personal data:

Data limitation: Data controllers may collect only as much personal data as is necessary for their lawful purpose.

Notice: Data controllers must inform the data subject, before or at the time of collection, of the purpose for which the data is collected, used or disclosed, the categories of data collected, how long it will be retained, the data subject’s rights, and the controller’s contact details.


Consent: Data controllers cannot collect, use or disclose personal data without the data subject’s consent unless an exception applies, for example where the processing is necessary to comply with a legal obligation or perform a contract, to protect a person’s life, body or health, for scientific, historical or statistical research, or for the legitimate interests of the data controller.

Source: Data controllers must collect personal data directly from the data subject, unless they have informed the data subject that data will be collected from other sources, or the collection is necessary for a task that falls within an exception to consent.

Sensitive data collection: Data controllers cannot collect, use or disclose sensitive personal data without the data subject’s explicit consent, unless it is necessary to protect a person’s vital interests or falls within another exception to consent. They must also ensure appropriate safeguards are in place when collecting such data.

Adequacy level: For cross-border transfers, the destination country or international organization must have adequate data protection standards, and the transfer must be carried out under the rules set by the PDPC.

What are the data subject rights in the Thailand PDPA?

Data subjects have eight rights under the Act: the right to be informed (covered by the notice principle above) and the seven rights below.

Right to access

Data subjects have the right to access and obtain a copy of the personal data a data controller holds about them. The controller must respond within 30 days of receiving the request and may reject it only with a supporting reason.

A rejection is acceptable where it is permitted by law or a court order, or where granting access or providing a copy would adversely affect the rights and freedoms of others.

Right to receive/port

Data subjects have the right to receive their personal data from the data controller in a format that is readable or commonly used by automated tools, so that it can be used or disclosed by automated means.

They may also ask the controller to send the data in that format to another data controller, or to obtain directly the data the controller has sent to another controller.

The controller may reject the request with a supporting reason, or where porting the data would seriously harm the rights and freedoms of others. The right does not apply to data processed for a task in the public interest or to comply with the law.

Right to object

Data subjects have the right to object to, or opt out of, the collection, use or disclosure of personal data linked to them where the data was collected under an exception to consent, on legitimate interest grounds, or for the exercise of legal claims. The right also applies where the data was collected for direct marketing or for scientific, historical or statistical research, unless the processing is necessary for a task in the public interest.

Right to delete

Data subjects have the right to ask the data controller to delete or destroy their personal data, or to de-identify it so that it can no longer identify them. The right applies only if:

  • the personal data is no longer necessary for the purpose for which it was collected, used or disclosed;
  • the data subject withdraws consent;
  • the data subject objects to the collection, use or disclosure of the personal data; or
  • the personal data was collected, used or disclosed unlawfully.

Data subjects may complain to the PDPC if the data controller fails to comply with the request.

Right to restrict

Data subjects have the right to ask the data controller to restrict the use of their personal data. The right applies, for example, while the controller is still reviewing a request to exercise another right, or where the data is no longer necessary for the purpose of collection.

Data subjects may complain to the PDPC if the data controller fails to comply with the request.

Right to correct

Data controllers must keep personal data accurate, up to date, complete and not misleading, and data subjects can ask the controller to correct data that is not.

Right to withdraw consent

Data subjects have the right to withdraw their consent at any time, and doing so must be as easy as giving it. The only exception is where withdrawal is restricted by law or by contract. Withdrawal does not affect the collection, use or disclosure of personal data carried out before the withdrawal.

The data controller must inform the data subject of the consequences of withdrawing consent.

Does Thailand PDPA allow cross-border data transfer?

The Act prohibits transferring personal data outside Thailand unless the destination country or international organization has data protection standards adequate to the PDPA, as determined under the rules set by the PDPC.

The Act provides exceptions, including where:

  • the data controller has the data subject’s consent to the transfer, having informed them that the destination lacks adequate protection;
  • the transfer is necessary to perform a contract between the data controller and the data subject; or
  • the transfer is necessary to protect the vital interests of the data subject or other persons.

Does a business require to appoint a Data Protection Officer under Thailand PDPA?

A data controller or data processor must appoint a Data Protection Officer (DPO) if:

  • it is a public authority prescribed by the PDPC;
  • its activities involve collecting, using or disclosing a large amount of personal data in a way that requires regular monitoring of the data or the system; or
  • its core activity involves the collection, use or disclosure of sensitive personal data.

A DPO’s main responsibilities are to advise the controller or processor on PDPA compliance, audit how it handles personal data, and coordinate with the PDPC if problems arise in its processing activities.

When to report data breach under Thailand PDPA?

In the event of a data breach, the data controller must notify the Office of the PDPC within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the rights and freedoms of individuals.

If the breach is likely to pose a high risk to the rights and freedoms of individuals, the controller must also notify the affected individuals without delay, together with the remedial measures taken.

The Act does not specify how to draft the breach notification; the notification procedure and any exemptions follow the standards set by the PDPC.

Failing to implement appropriate security measures, or failing to notify a breach, is an administrative offence punishable by a fine of up to 3 million baht.

What is the penalty for violating the Thailand PDPA?

Non-compliance with the Personal Data Protection Act can give rise to three kinds of liability: civil liability for damages, including punitive damages of up to twice the actual damages; criminal penalties of imprisonment for up to one year and/or a fine; and administrative fines of up to 5 million baht (roughly USD 150,000).

EU GDPR vs Thailand PDPA [Infographic]

[Infographic: EU GDPR vs Thailand PDPA]

Steps to comply with Thailand PDPA

The following practices will help your business website comply with the Thailand PDPA:

  • Update your privacy policy to include all the details the notice principle requires.
  • Obtain consent before or at the time you collect personal data.
  • Do not collect more data than is necessary for your lawful purpose.
  • Give users an option to object to, or opt out of, the collection, use or disclosure of their personal data.
  • Allow users to withdraw their consent at any time.
  • If your website uses cookies that collect, use or disclose personal data to third parties, inform users about it and obtain their consent.
  • Ensure the information you collect is accurate, relevant to the purpose and not misleading.
  • For cross-border transfers, ensure the destination has data protection standards adequate to the PDPA.
  • Let users exercise their rights, and respond within the statutory time limits.
  • Keep the personal data you hold secure against breach, theft, unauthorized access and misuse.
  • Train your team in good data-processing practices, and appoint a DPO if you process large volumes of personal data or sensitive data.

FAQ on Thailand PDPA

Who is protected under Thai PDPA?

The Thailand PDPA protects the personal data of living individuals in Thailand that is collected, used or disclosed by businesses, and gives them several rights over that data.

Does GDPR apply in Thailand?

The EU’s GDPR has extraterritorial scope. It applies to businesses operating anywhere that collect, use or disclose the personal data of individuals in the EU by offering goods or services to them or monitoring their behavior within the EU. A business established in Thailand that falls within that scope is subject to the GDPR.

What are PDPA requirements?

The Thailand PDPA requires businesses to practise data minimization, give notice when collecting data, obtain consent for collection, let users opt out, honor data subject rights, and report breaches after becoming aware of them.