Skip to Main Content
Main Menu
Search Opener
Search Close
Contact us
Regulation

Thailand Personal Data Protection Act (PDPA)

The Thailand PDPA is a comprehensive data protection law that addresses requirements around consent, use and disclosure of data, individual rights, transparency, and complaint-handling. The law also introduces a number of recordkeeping obligations.

Are you subject to the PDPA?

The Thailand PDPA applies to the collection, use, or disclosure of personal data by a controller or processor that is in the Kingdom of Thailand, regardless of whether such collection, use, or disclosure takes place in the Kingdom of Thailand or not.

In the event that a controller or processor is outside the Kingdom of Thailand, the Act shall apply to the collection, use, or disclosure of personal data of data subjects who are in the Kingdom of Thailand, where the activities of such controller or processor include the following:

  • the offering of goods or services to the data subjects who are in the Kingdom of Thailand, irrespective of whether the payment is made by the data subject
  • the monitoring of the data subject’s behavior, where the behavior takes place in the Kingdom of Thailand.

Obligations & Rights under the Thailand’s PDPA

Consents & Opt-outs

Consent must be obtained prior or at the time of collection, use, or disclosure of personal data, and individuals must be informed of both the purposes and details of the personal data handling, among other specific requirements. Organizations must provide a mechanism for individuals to easily withdraw consent and stop the further processing of their personal data. The Act prescribes different consent requirements for processing minors’ personal data. Where the age of the minor is under 10, his/her personal data can only be processed after obtaining consent from parents or guardians.

Data Subject Rights & Requests

Individuals are guaranteed with a comprehensive set of rights that include, (1) right to be informed (of the purpose of collection, data retention period, etc.); (2) right to access their personal data; (3) right to rectification (of inaccurate or misleading information); (4) right to objection (from inappropriate uses at any time); (5) right to restrict processing; (6) right to erasure; and (7) right to data portability.

Policies & Notices

Organizations must inform individuals about the processing of their personal information prior to or at the time it is collected unless the individual already knows the necessary information.

Vendor Management

Under the Thailand PDPA, organizations must execute appropriate contracts with third parties that require them to only use or disclose personal information lawfully and with authorization.

Webinar

Building Trust and Competitive Advantage: The Value of Privacy Certifications

As privacy concerns continue to grow, businesses are under increased pressure to demonstrate their commitment to protecting personal data.

Achieve compliance

Data Inventory Hub & Risk Profile

Complete and maintain a data inventory

Automate with a Data Inventory Hub. Save time and reduce risk with automated data flow mapping, risk analysis, and remediation for personal data processes and general activities associated.
Assessment Manager

Mitigate risks

Use pre-built DPIAs and vendor assessments to mitigate risks with TrustArc’s Assessment Manager.

Individual Rights Manager

Exercising individual rights

Enjoy Data Subject Request (DSR) automation with TrustArc’s Individual Rights Manager. Easily operationalize individual rights according to specific jurisdictions, leverage automated workflows to save time, and keep an audit trail of requests/actions.

FAQs

  • What does the PDPA refer to?

    Thailand’s PDPA aims to protect the personal data and ensure privacy of its citizens. It also regulates the collection, use, disclosure, and/or transfer of personal data by businesses for commercial purposes.

  • What is personal information under the PDPA?

    Personal information means any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased Persons in particular. Examples include a first and last name, email address, or phone number.

  • Under Thailand’s PDPA, is it mandatory for businesses to appoint a Data Protection Officer?

    The Act requires businesses to appoint a Data Protection Officer under the following circumstances:

    • The controller or the processor is a public authority
    • The activities of the controller or processor in the collection, use, or disclosure of the Personal Data require a regular monitoring of the Personal Data or the system, by the reason of having a large number of Personal Data
    • The core activity of the controller or the processor is the collection, use, or disclosure of the Personal Data according to section 26.

Related Resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top