Skip to content

Personal Data Protection Act
Thailand

Schedule a Free Consulation
Request a Free Quote
Home
Services
Personal Data Protection Act, Thailand

Supervisory authority

  • Data Protection Committee, Ministry of Digital Economy and Society

Liabilities under the PDPA

  • Fine up to THB 5 million
  • Imprisonment up to 1 year
  • Compensation for actual damages plus punitive damages up to twice the amount of the actual damages
  • Directors and other responsible persons could also be liable if the offender is a juristic person

Enforced with effect from

  • 1 June 2022
msps features

Who will have to comply?

  • All organizations established in Thailand
  • Organizations outside of Thailand which collect, use, disclose and/ or transfer personal data of individuals in Thailand.

What type of data is protected?

  • Personal data - any data that could, directly or indirectly, identify an alive person, including customers, employees, suppliers, business partners, etc.
  • Sensitive personal data - Sensitive personal data - e.g. racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal records, health data, genetics/biological data, etc.

Interested in learning more?

Schedule a Free Consulation

PDPA Key Compliance

Certain key protection methods

  • Consent must be obtained for any collection, use, disclosure and/or transfer of personal data, except others as permitted by laws.
  • Consent (if required) must be freely given, specific, informed and unambiguous, and can be withdrawn by the personal data owner.
  • Privacy notice at the time of collection, e.g. purpose(s) of the collection, any potential disclosure/transfer of personal data, etc.

Use and disclosure

  • Use and disclosure must be in line with the purpose(s) as consented by the owner.
  • Transfer of personal data to foreign country must comply with the PDPA’s requirements.

Other requirements

  • To ensure the persons’ rights under the PDPA, including the right to data portability and the right to erasure.
  • To protect personal data with appropriate security measures.
  • Data Protection Officer could be required for organizations that process personal data at a large scale, or process sensitive personal data.
  • A registry documenting all personal data processing activities must be maintained.
  • To notify data breaches to the Data Protection Committee within 72 hours, along with data subjects in case of high risks for them.
  • Data controllers must ensure that sub-contractors/processors comply with the PDPA.
initiatives
data analysis free tools

How to start?

  • Review the legal basis for your data processing activities
  • Ensure that the consent and privacy notice meet the PDPA requirements
  • Ensure that your contracts with vendors/suppliers/third parties consist of adequate personal data protection provisions
  • A registry documenting all personal data processing activities must be maintained.
  • Have appropriate data governance policies and training