Personal Data Protection Act (PDPA) Thailand
Overview
The Thailand Personal Data Protection Act (PDPA), officially enacted on May 27, 2019, and fully enforced on June 1, 2022, establishes comprehensive rules for collecting, using, and disclosing personal data. It aims to protect the rights of data subjects while ensuring businesses comply with clear privacy principles. Modeled on the European Union’s General Data Protection Regulation (GDPR), the PDPA outlines obligations for data controllers and processors operating in or offering services to Thailand.
Regulation Summary
Timeline
- May 27, 2019: PDPA enacted following publication in the Government Gazette.
- June 1, 2022: Full enforcement of the PDPA begins, after delays for compliance preparation.
What Businesses Are Affected
- Businesses operating in Thailand or targeting Thai residents, including e-commerce platforms and service providers.
- Data controllers and processors located outside Thailand, if they collect, use, or disclose personal data of individuals in Thailand.
- All sectors, except those covered by exemptions (e.g., national security, journalism, and household activities).
Exemptions
- Government Agencies: Activities for state security, public safety, and forensic science.
- Personal Use: Data collection for non-commercial personal activities.
- Media and Arts: Activities under professional ethics for mass media, arts, or literature.
Responsibilities for Businesses
Under the PDPA, businesses must adhere to the following principles:
- Consent: Obtain explicit consent before collecting personal data, unless an exception applies.
- Transparency: Inform individuals about data collection purposes, retention periods, and recipients.
- Purpose Limitation: Use personal data only for specified purposes.
- Security: Implement safeguards to protect personal data against unauthorized access.
- Accountability: Appoint a Data Protection Officer (DPO) if processing large-scale or sensitive data.
Specific Responsibilities for Website Owners
- Cookie Consent: Display banners to inform and obtain consent for cookies.
- Privacy Notices: Publish clear and accessible privacy policies on websites.
- Data Subject Requests: Facilitate rights to access, rectify, and delete personal data through online tools.
Additional Requirements
- Data Transfers: Prohibit international transfers unless the destination ensures adequate protection.
- Data Breach Notification: Notify the Office of the Personal Data Protection Committee (PDPC) and affected individuals within 72 hours of a breach.
- Record-Keeping: Maintain detailed records of data processing activities.
Data Subject Rights
- Access and Correction: Request access to and correction of their personal data.
- Data Portability: Transfer personal data to another controller.
- Erasure: Request deletion or anonymization of personal data.
- Objection: Object to data processing in specific circumstances.
- Complaint: File complaints with the PDPC for violations.
Enforcement
- Oversight Body: The Personal Data Protection Committee (PDPC) monitors compliance.
- Penalties:
  - Criminal fines up to THB 1,000,000 (approximately USD 28,000).
  - Civil damages, including punitive damages up to two times the actual compensation.
  - Administrative fines up to THB 5,000,000 (approximately USD 140,000).