May 11, 2020

Thailand PDPA vs GDPR: The Key Differences

On 27 May 2020, Thailand’s PDPA will come into effect, two years after the EU set the precedent for global data privacy laws with the adoption of the GDPR. 

While the Thailand PDPA shares certain similarities with specific GDPR provisions, such as consumers’ right to be informed or their right to access the data collected about them, the two privacy laws also have significant differences.

To explore the differences between Thailand PDPA and the GDPR, it is important to examine both privacy regulations based on:

  • The scope
  • Individual’s rights
  • Key definitions
  • Enforcement

The Scope

From a personal scope perspective, Thailand PDPA is not applicable to public agencies that oversee state security, including duties such as forensic science, curbing money laundering, and managing cybersecurity issues. In contrast, the GDPR applies to data controllers and processors, including those that are public agencies.

In terms of material scope, Thailand PDPA differs from the GDPR in three ways:

Thailand PDPA does not distinguish between automated and non-automated means of processing consumer data. In contrast, the GDPR applies to the processing of user information by automated means, and to non-automated processing where the information in question forms part of a filing system.

While Thailand PDPA allows consumers to request that their data be anonymized, it does not clearly exempt anonymized data from its scope. The GDPR, on the other hand, explicitly excludes anonymized data from its scope.

The scope of Thailand PDPA does not extend to the House of Representatives, the Senate, Parliament, or the committees appointed by these bodies. Furthermore, it exempts the activities of credit bureau companies from its scope. By contrast, the GDPR does not explicitly exempt legislative bodies, nor does it refer to credit bureau companies and their processing activities.

Individuals’ Rights

Concerning the right to be informed, Thailand PDPA and the GDPR differ in three specific ways:

Thailand PDPA does not spell out the right of consumers to be informed about the existence of automated decision-making and profiling. This differs from the GDPR, which requires consumers to be made aware of automated decision-making, including profiling, at the point of data collection.

Thailand PDPA does not make it clear whether consumers can be informed about their rights orally. The GDPR, on the other hand, explicitly allows consumers to be informed orally, alongside written and electronic formats.

Concerning legitimate interest, Thailand PDPA does not specify the instances in which it applies, whereas the GDPR outlines circumstances that can be regarded as a ‘legitimate interest.’

Regarding the right to access:

Thailand PDPA does not state what must be provided in response to an access request. The GDPR, by contrast, explicitly states that data controllers must inform consumers of the purposes of processing their data, the categories of personal information involved, and the third parties to whom the data was disclosed.

Under the right to erasure, Thailand PDPA does not set a specific timeline within which the data controller must address a request, although it allows consumers to notify the enforcement authorities of a data controller’s failure to respond to an erasure request. Additionally, under the PDPA, a data controller is not required to put measures in place to verify the identity of a data subject who requests the deletion of their data.

In contrast, the GDPR states explicitly that requests under this right must be addressed without ‘undue delay and in any event within one month from the receipt of the request.’ Furthermore, data controllers are obliged to have measures in place to verify the identity of the data subject making the request.

Both the GDPR and Thailand PDPA guarantee the right of users to object to the processing of their information, as well as the ability to withdraw their consent to processing at any time. However, Thailand PDPA does not explicitly define the period within which a data controller must address a request to restrict the processing of personal data. The GDPR, on the other hand, makes it clear that data controllers must address requests to restrict the processing of personal data within 30 days. This period can be extended by a maximum of two months, depending on the complexity and volume of the requests.

In terms of individual rights, the last difference between Thailand PDPA and the GDPR concerns the right to data portability. Thailand’s PDPA obliges data controllers to keep a record of the justification for refusing a data portability request, so that it can be verified by consumers and the competent authority. In contrast, the GDPR does not explicitly impose this requirement.

Key Terms

While personal data is one of the crucial definitions under both Thailand PDPA and GDPR, the Thai privacy law does not specifically consider IP addresses, cookie identifiers, and radio frequency identification tags as part of what constitutes personal information. This aspect differs from the GDPR, which states explicitly that digital identifiers such as IP addresses, cookie identifiers, and radio frequency identification tags constitute personal information.

Secondly, Thailand PDPA does not define pseudonymized information. In contrast, the GDPR describes pseudonymization as the processing of personal data in a way that ensures the information in question can no longer be connected to a specific data subject.

Thailand PDPA contains no explicit provisions on whether special protection should be given to children’s personal data when it is used for marketing or collected for the purpose of delivering social services directly to them. This differs from the GDPR, which describes children as ‘vulnerable natural persons.’ Consequently, the EU’s data privacy law includes provisions to ensure that children receive special protection when their data is used for marketing or for the delivery of social services.

Lastly, Thailand’s data privacy law has no explicit requirements for the collection, use, or sharing of personal information for research purposes. Nonetheless, data controllers are expected to safeguard consumers’ rights, liberties, and welfare. Under the GDPR, processing user data for research purposes is subject to specific rules, such as those on the right to erasure, data minimization, and pseudonymization.

Enforcement

Concerning penalties, non-compliance with Thailand PDPA attracts a fine of not more than $165,000. In some cases, those found in violation of Thailand’s data privacy regulation may face imprisonment for a term of not more than one year. Entities that violate the GDPR can be fined either 2% of global annual turnover or 10 million euros, whichever is higher, or 4% of global annual turnover or 20 million euros, whichever is higher.

If you have any questions or concerns about Thailand PDPA compliance requirements or GDPR compliance requirements, schedule a call with us today and get personalized support from a data privacy expert.
