Learn about Thailand's Personal Data Protection Act (PDPA) and how to become compliant


What is PDPA?

What Does PDPA Stand For?


The Thailand PDPA stands for the new Personal Data Protection Act B.E.2652 of the Kingdom of Thailand. It was passed in 2019 and affects businesses starting from 28 May 2020.

PDPA is the most comprehensive Thai data privacy law to date. It expands on the rights of users whose data you collect, which means expanding on your obligations as well.

Is it similar to other data protection laws, such as the GDPR or the CCPA?


The Thailand PDPA follows the trend set by the GDPR. It has many similarities with this regulation, as well as with data protection laws of East and South-East Asia. If your business complies with the GDPR, it would be easy to comply with the PDPA as well.

Who does PDPA apply to?


The Thailand PDPA applies to:

  • Thai businesses that collect or process personal data in Thailand from users from anywhere in the world
  • Any business from all around the world that collects or processes personal data of Thai citizens for the purposes of:
  • the offering of goods or services to data subjects on the territory of Thailand, irrespective of whether the payment is made by them or not
  • the monitoring of the data subject’s behaviour, where the behaviour takes place in Thailand.

What are the penalties for non-compliance?


There are two types of penalties for violation of the Thailand PDPA: administrative and criminal penalties.

Most of the violations lead to administrative penalties imposed by the Personal Data Protection Committee. Depending on the severity of the violation, fines may go up to 5 million baht, which is around USD 150,000.

For some violations, PDPA prescribed criminal penalties including imprisonment of up to one year and fines of up to 5 million baht. You may face such penalties if you:

  • Disclose to another person the personal data obtained while performing the duties under this Act
  • Disclose sensitive personal data without data subject’s consent or for a purpose other than what the consent has been given for a personal benefit or in a way that may cause them damage, or
  • Transfer sensitive personal data to a country without adequate personal data protection standards for a personal benefit or in a way that may cause damage to data subjects.

In addition to the penalties, you are liable for the damages that the data subject has suffered due to your non-compliance with the law. If proven responsible, you’d have to compensate them for the damages.

Who enforces the Thailand PDPA?


The Personal Data Protection Committee enforces the PDPA. It has the power to impose administrative penalties. Criminal processes arising as a result of non-compliance with this law, however, are handled by the criminal prosecution authorities and courts.

What is personal data according to the PDPA?


According to Section 6 of the law, personal data is any information relating to a person, which directly or indirectly enables the identification of such a person. This includes names, address, email address, phone number, ID number or another number that identifies a specific person, and others.

Although there is no explicit definition in the PDPA, the law implies that sensitive data is any personal data related to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner.

PDPA protects only living individuals. It excludes deceased persons from protection.

Do I need to obtain prior consent before collecting and processing users’ data?


Yes, you have to obtain explicit user’s consent before collecting or processing their data. The request must be presented in a way that clearly differentiates the request from the other content on the website. In addition, you have to inform the user about the purpose of data collection or processing in a clear and non-deceptive way.

This means that you need a cookie banner requesting consent for using cookies. Inserting a link to your privacy policy on that banner is a practical way to inform users about the purpose of data collection.

What about obtaining consent from minors?


When collecting consent from a minor, you need to obtain the consent from both the minor and their parent.

If the minor is a child under the age of 10, you need consent only by the parent.

 

Is our privacy policy compliant with the Thailand PDPA?


A Thailand-PDPA-compliant privacy policy contains at least the following:

  • Information on the purpose of collection, use, or disclosure of personal data
  • Notification if the user is obliged to provide their personal data for compliance with law or contract or entering a contract, if applicable
  • The personal data to be collected and the retention period
  • The categories of persons or entities to whom the collected personal data may be disclosed
  • Your information, address, and the contact channel details or your representative or data protection officer, if applicable, and
  • The rights of the data subject.

This is the minimum that any privacy policy must meet. If you want to be more transparent, you can add more information.

What rights do my visitors and users have?


Your users have the right to:

  • Be informed about the purpose of collection and processing of data
  • Withdraw the consent given for the collection and processing of their personal data
  • Non-discrimination for not giving consent for data collection and processing
  • Access and obtain a copy of their data
  • Object to the collection, use, and disclosure of their data
  • Restrict the use of their data
  • Correct their data
  • Have their data transferred to another data controller
  • Have their data erased, destroyed, or anonymized

In addition, you have to ensure that the data is accurate, up-to-date, complete, and not misleading.

If you do not allow users to exercise their rights under the PDPA, they have the right to file a complaint to the Personal Data Protection Committee, which may lead to penalties for you.

Can we transfer personal data freely abroad?


You can transfer personal data to foreign countries only if the destination country has implemented adequate standards of data protection. If you want to transfer data to an inadequate country, then you have to obtain consent from the data subject for that specific purpose. If you have dilemmas whether your destination country has implemented such standards, you should request the Committee to decide.

When the data controller and the data processor belong to the same business group, they do not need to obtain consent for transferring data between each other.

Do we need a Data Protection Officer?


You need a Data Protection Officer only if you meet any of the following requirements:

  • You are a public authority
  • You collect, use, or disclose large amounts of personal data (the Committee has yet to decide what does ‘large amount’ mean) and your activities require regular monitoring on the personal data or the system
  • Your core activity includes the collection, use, or disclosure of sensitive personal data

When the data controller and the data processor belong to the same business group, they may appoint a joint DPO.

 

Do we need a representative in Thailand?


You need to appoint in writing a representative located in Thailand if you are a foreign business that collects or processes personal data of Thai citizens for the purposes of:

  • The offering of goods or services to data subjects on the territory of Thailand, irrespective of whether the payment is made by them or not
  • The monitoring of the data subject’s behaviour, where the behaviour takes place in Thailand.

The representative shall be authorized to act on your behalf without any limitation of liability regarding the collection, use or disclosure of the personal data according to your purposes.

 

What should we do in case of a data breach?


You have to notify any data breaches to the Office of the Personal Data Protection Committee without delay and, if possible, within 72 hours after having become aware of it, unless such personal data breach is unlikely to cause a risk to the rights and freedoms of the data subjects.

If the breach is likely to cause a risk to the rights and freedoms of the data subjects, then you have to notify without delay the data subjects as well.

How can we make our organization PDPA-compliant?


Like the GDPR and other similar laws, the PDPA requires a proactive and risk-based approach. You need to put in place all the preventive measures you can in order to protect your business from non-compliance.

For start, ensure that you have a PDPA-compliant privacy policy and that you collect consent from every single user who visits your website.

How do I make a website PDPA compliant?


You can make your website PDPA-compliant by using a risk-based approach, in the same way as with the GDPR or the LGPD. You need to implement a set of preventive measures suitable for the data collection and data processing activities you undertake. The more data you collect and process, the more serious measures you should take.

The PDPA introduces principles such as transparency, accountability, purpose limitation, data minimization, security measures, and others we’ve seen already in other laws.

For a start, any website owner should update the privacy policy, analyze the data trackers they use, and ensure they collect consent for data collection the right way. 

 

Is our website affected by PDPA?


Your website is affected by the Thailand PDPA if:

  • Your business is based in Thailand and you collect or process personal data in Thailand from people from anywhere in the world
  • Your business is based anywhere in the world and you collect or processes personal data of Thai citizens for the purposes of offering products and services to users in Thailand or monitor their behaviour

Are you aware of what trackers you have on your website?


Many websites use tracking technologies for gathering data that could help them make data-driven decisions for business improvement. If you have installed any plugins on your website, you are likely to use such tracking technologies already.

Laws such as Thailand PDPA aim to regulate the way data is being collected and processed, hence they prescribe certain obligations to website owners. That’s why you, as a website owner, have to be aware of the trackers you have on your website. Only if you know what trackers you use, you can meet your obligations under the Thailand PDPA.

If you are not aware of these trackers, use our free tool to audit your website. It will provide you with the results in less than 5 minutes at no cost at all.

 

Are you gathering consent the right way?


Obtaining consent for collection and processing of personal data must meet the following requirements:

  • The consent must be given freely
  • It must be obtained in a written form, including electronic means
  • The user must be informed about the purpose of collection and processing of data
  • The request must be clear, in plain language, non-deceptive, and non-misleading

Are your privacy banners affirmative?


Since implied consent is not valid, you have to ensure that your cookie banners are affirmative. You have to include buttons for giving explicit consent for the use of cookies.

Have you made it easy to withdraw consent?


Users can withdraw the consent they’ve given. Website owners have to allow them to do that in a way that is as easy as the way they have given the consent.

Can visitors contact you for exercising their PDPA data subject rights?


You have to enable visitors to contact you easily for exercising their PDPA data subject rights (the right to access, get a copy, correction, objection, portability, erasure). Ensure to provide them with the means of exercising their rights. This may be a contact form on your website, an email address, a phone number, or another communication channel.
If you are required to appoint a Data Protection Officer, include their name and contact information in the privacy policy.

Do you have evidence of valid consent?


The PDPA requires you to keep records of all the collected consents. Maintaining proper records will keep you out of trouble with the law when you need to prove that you have obtained consent from users.

Have you updated your data and privacy policies?


With so much noise around data protection laws in the last couple of years, you are likely to have a privacy policy already in place. But, is it up-to-date with the Thailand PDPA? If not, make sure you update it as necessary.
Moreover, the PDPA requires the data controller (i.e. the website owner) to take care of the accuracy of the collected data. You may need to update your data policy to ensure compliance with this requirement.

Have you cleaned up your mailing lists?


To clean up your email lists of email addresses collected against the PDPA standards, you may need to contact your users again to obtain the necessary consent or provide them with an opportunity to opt-out.

Are you collecting too much information?


If you collect personal information that is not necessary for your processing purposes, then you are collecting too much of it. The PDPA, as well as other personal data protection laws you may comply with, require data minimization, which means to collect the minimum necessary information.