Thailand’s PDPA

Essential Information of PDPA

Thailand’s Personal Data Protection Act B.E. 2562 (“PDPA”) was announced and published in the Royal Thai Government Gazette on May 27th, 2019, to protect data privacy and stipulate the compliance liabilities. Nevertheless, PDPA allows a 1-year transition period for the compliance planning (i.e. deadline to implement all compliance measures is May 27th, 2020). Under PAPA, personal data means any information relating to a person that enables the identification of such person, whether directly or indirectly, but not including the information of the deceased person. The liabilities under PDPA include (i) fine up to THB 5 million, (ii) imprisonment up to 1 year, and (iii) compensation for actual damages plus punitive damages up to 2 times of such actual damages. Please note that the director(s) and a responsible person(s) could also be liable in the event an offender is a juristic person.

The PDPA applies and enforces to any persons or juristic persons having the power and duties to make a decision regarding the collecting, using, or disclosing of personal data that is in Thailand (so-called “Data Controller”) and (b) a person or a juristic person who operates in relation to the collection, use, or disclosure of the personal data pursuant to the orders given by or on behalf of a Data Controller, whereby such person or juristic person is not the Data Controller (or so-called “Data Processor”) regardless of whether such collection, use, or disclosure takes place in Thailand or not.

However, in the event that a Data Controller or a Data Processor is outside Thailand, the PDPA shall apply only where the activities of such Data Controller or Data Processor are (1) the offering of goods or services to the data subjects who are in Thailand, irrespective of whether the payment is made by the data subject OR (2) the monitoring of the data subject’s behavior, where the behavior takes place in Thailand. In addition, if the personal data is sensitive personal information, e.g. racial, political, disability and biometric data, and large amount, a local representative – without any limitation liability – shall be designated in writing to act on behalf of the Data Controller with respect to the collection, use or disclosure of the personal data according to the purposes of the Data Controller.

Key Compliance of PDPA

The key compliances under the PDPA are summarized as follows:

(a) Notification & Consent: the data subject shall be informed about the purpose of the collection, use, disclosure, retention period, categories of such personal data, and the right of the data subject. The request for consent shall be clearly presented by using plain language without any misleading to the data subject. Parental holder’s or custodian’s consent must be obtained in the event the data subject is a minor. The consent of the data subject – freely given and withdrawable – shall be obtained prior to any collection, use, disclosure and/or transfer of personal data.

(b) Collection and Use of Personal Data: The personal data shall be collected, used or disclosed according to the purpose notified to the data subject prior to or at the time of such collection. In the event the personal data is sent or transferred to a foreign country, the destination country or international organization that is receiving such personal data shall have an adequate data protection standard.

(c) Right of Data Subject: The data subject shall be entitled to request access and obtain a copy of the personal data related to him/her or to request the disclosure of the acquisition of the personal data obtained without his/her consent. Subject to certain conditions, the data subject shall have the right to object and/or request the Data Controller to erase or destroy the personal data or anonymize the personal data to become anonymous data.

(d) Protection and Compliance: The Data Controller and Data Personal Controller shall:

Our PDPA Services

Together with our key partner, Solutionistic Co., Ltd., a leading company in the IT risk and control with several past experiences from the Big 4, we have a new vision of PDPA service where we integrate both legal and IT services and focus on the “Real solution that fits” with “Optimistic” attitude that answers the need of our clients. We value our professionalism and quality service to ensure that our clients will receive the best experience with us.

Our approached services include:

Our Specialists

For more details and/or assistance please contact