Personal Data Protection Act (PDPA)

What Is the PDPA, and Why Must Every Business Know It?

The Personal Data Protection Act B.E. 2562 (2019), known as the PDPA, came into full effect on June 1, 2022. Its purpose is to safeguard the rights of individuals in Thailand regarding their personal data.


With the PDPA, Thailand has brought its data privacy standards closer to international frameworks such as the GDPR (the European Union's General Data Protection Regulation). Both government and private organizations must adjust and strengthen their data management practices to comply.

Legal Status of the PDPA

The PDPA is not merely a guideline or standard; it is an Act of Parliament, making it a national law. It applies to individuals and organizations in Thailand, and also to organizations outside Thailand that offer goods or services to, or monitor the behaviour of, people in Thailand, so the personal data of people in Thailand is covered wherever it is processed.

  • Rights and Duties: The law grants rights to data subjects (individuals) and imposes duties on data controllers and processors (organizations or persons handling personal data).
  • Regulatory Authority: The Personal Data Protection Committee (PDPC) was established to issue regulations, oversee compliance, and enforce the PDPA.

Liabilities and Legal Penalties

As a law, the PDPA sets clear penalties for violations to ensure effective enforcement. These include:

a. Civil Liability

  • A data subject who suffers damage from a violation of the Act (not only from a data breach) has the right to sue the data controller or processor for compensation.
  • In addition to compensation for the actual damage, courts may award punitive damages of up to two times the actual loss.

b. Criminal Liability

  • Applies to intentional misconduct, such as using or disclosing sensitive personal data in a way likely to cause damage or reputational harm, or doing so for unlawful gain.
  • Penalties reach up to 6 months' imprisonment or a fine of up to 500,000 THB, or both, and rise to up to 1 year's imprisonment or a fine of up to 1 million THB, or both, where the act is done to obtain an unlawful benefit.

c. Administrative Penalties

  • For violations such as collecting personal data without a valid legal basis, failing to inform data subjects of the purpose of processing, or failing to implement adequate security measures.
  • Fines are tiered by the obligation breached and may reach up to 5 million THB, with the highest tier reserved for violations involving sensitive personal data.

Relationship with Other Laws

While the PDPA focuses on personal data protection, it interacts with other laws:

Electronic Transactions / Computer Crime Laws: The PDPA emphasizes protecting data and individual rights, while computer-related laws focus on punishing offenses against computer systems and stored data.


Industry-Specific Regulations: Some sectors, such as finance or healthcare, may have stricter data protection rules. Organizations must comply with the most stringent applicable laws.


In summary, the PDPA defines the legal boundaries and requirements for handling personal data in Thailand, ensuring both protection of individual rights and accountability of organizations.

Cases Where the PDPA Applies or May Be Violated

The situations where the Personal Data Protection Act (PDPA) applies, or where a violation may occur, can be divided into four main categories:

1. Unlawful Collection of Personal Data

The PDPA applies when organizations collect personal data without a valid legal basis. Examples include:

  1. Website Cookies: Setting non-essential cookies (analytics, advertising, profiling) before the visitor has consented, without displaying a cookie consent banner, or without giving the visitor a real option to decline. Essential cookies needed to deliver the requested service (session, security) do not require consent.
  2. Excessive Data Collection: Forcing users to provide information unrelated to the requested service (e.g., requiring financial details to subscribe to a general newsletter).
  3. Using Publicly Available Data Improperly: Taking personal data from public sources (such as social media) and using it for other purposes without a legal basis and without notifying the data subject.
  4. CCTV without Notice: Installing surveillance cameras without visible signs informing people that recording takes place and for what purpose, or placing cameras in private areas where they cannot be justified.

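A practical way to avoid the cookie violation above is to gate every non-essential cookie behind an explicit, per-category opt-in, and to purge that category's cookies when consent is withdrawn. The following is an added example written for this page, not code from the PDPA text or from any product; the cookie names, the two categories and the `Map` standing in for `document.cookie` are illustrative assumptions so the code can run under Node without a browser.

```javascript
// Added example: a minimal consent gate for non-essential cookies.
// Cookie names and categories below are assumed for illustration.
// A Map stands in for document.cookie so the example runs under Node.

const ESSENTIAL = "essential";                // needed to deliver the requested service
const CATEGORIES = ["analytics", "marketing"]; // non-essential, require opt-in

// Registry of which cookie belongs to which category (assumed names).
const COOKIE_CATEGORY = {
  session_id: ESSENTIAL,
  csrf_token: ESSENTIAL,
  _ga: "analytics",
  ad_profile: "marketing",
};

class ConsentGate {
  constructor(jar = new Map()) {
    this.jar = jar;
    // Default deny: no non-essential category is consented until the user opts in.
    this.consent = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  }

  // Record an explicit choice per category. Silence or a closed banner is not consent.
  grant(categories) {
    for (const c of categories) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
      this.consent[c] = true;
    }
  }

  // Withdrawal must be as easy as consent: clear the flag and delete every
  // cookie that category has already set.
  withdraw(categories) {
    for (const c of categories) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
      this.consent[c] = false;
      for (const [name, cat] of Object.entries(COOKIE_CATEGORY)) {
        if (cat === c) this.jar.delete(name);
      }
    }
  }

  // Returns true if the cookie was set, false if it was blocked for lack of consent.
  // Unregistered cookies are refused outright so nothing slips past the registry.
  setCookie(name, value) {
    const cat = COOKIE_CATEGORY[name];
    if (cat === undefined) throw new Error(`unregistered cookie: ${name}`);
    if (cat !== ESSENTIAL && !this.consent[cat]) return false;
    this.jar.set(name, value);
    return true;
  }

  cookies() {
    return [...this.jar.keys()].sort();
  }
}

// Walk through a typical visit: before the banner, after opting in to
// analytics only, and after withdrawing that consent again.
function demo() {
  const gate = new ConsentGate();
  const beforeBanner = [gate.setCookie("session_id", "abc"), gate.setCookie("_ga", "GA1")];
  gate.grant(["analytics"]);
  const afterOptIn = gate.setCookie("_ga", "GA1");
  const marketingBlocked = gate.setCookie("ad_profile", "p1");
  gate.withdraw(["analytics"]);
  return { beforeBanner, afterOptIn, marketingBlocked, remaining: gate.cookies() };
}

console.log(JSON.stringify(demo()));
```

The point of the registry is that the decision is made once, centrally, rather than at every call site that happens to set a cookie; a cookie that nobody has classified is rejected instead of silently treated as essential. In a real site the same gate should also defer loading the third-party scripts that set those cookies, since blocking the cookie after the script has run is too late.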
2. Unlawful Use or Disclosure of Data

This occurs when organizations use collected data for purposes not consented to by the data subject. Examples include:

  1. Selling or Sharing Customer Lists: Disclosing customer contact details (emails, phone numbers) to third parties for commercial gain without prior consent.
  2. Direct Marketing: Sending promotional emails, calls, or SMS messages to individuals who never consented or who have already opted out.
  3. Disclosing Sensitive Personal Data: Employees unlawfully revealing sensitive information such as health records, criminal history, or racial background of staff or customers.
  4. Cross-Border Data Transfers without Safeguards: Transferring personal data to servers or service providers overseas that lack adequate protection as required under the PDPA.

3. Data Breach and Security Failures

These occur when organizations fail to maintain adequate data security, resulting in damage, loss, or leakage of personal data. Examples include:

  1. Cyber Attacks: Database systems being hacked, exposing sensitive data such as names, addresses, passwords, or national ID numbers.
  2. Employee Errors: Sending emails with customer data to the wrong recipient or losing devices that contain important personal data.
  3. Failure to Report Breaches: Becoming aware of a data breach but failing to notify the PDPC without delay and, where feasible, within 72 hours of becoming aware of it. The notification may be omitted only where the breach is unlikely to pose a risk to the rights and freedoms of data subjects; where the risk is high, the affected data subjects must be notified as well.

4. Ignoring Data Subject Rights

This occurs when organizations deny individuals rights without a valid legal reason. Examples include:

  1. Refusal to Delete Data: Rejecting a request to erase personal data (Right to Erasure) without a clear legal exemption, such as a retention period required by another law.
  2. Refusal of Access Requests: Ignoring a request for a copy of the personal data held by the organization, or failing to provide it without undue delay and no later than 30 days after receiving the request.
  3. Ignoring Objections: Continuing to use data for a specific purpose even after the individual has formally objected.

Key Provisions of the Personal Data Protection Act (PDPA)

Section 19: Consent Principle

The core provision requiring that the collection, use, or disclosure of personal data be based on the data subject's consent, unless another legal basis applies (for example, performance of a contract, a legal obligation, or a legitimate interest).

Section 23: Duty to Inform Purpose

Data controllers must clearly inform data subjects of the purpose and details of processing before or at the time of data collection.

Sections 30 to 36: Data Subject Rights

These sections define the rights of data subjects, including:

  • Right of Access (Sec. 30): the right to obtain access to, and a copy of, the personal data an organization holds about the data subject.
  • Right to Object (Sec. 32): the right to object to certain processing activities.
  • Right to Erasure (Sec. 33): the right to request deletion, destruction, or anonymization of personal data.

Section 37: Duties of the Data Controller, Including Security

Data controllers are required to implement appropriate security measures to prevent the unauthorized or unlawful loss, access, use, alteration, correction, or disclosure of personal data.

Section 37 (4): Data Breach Notification

Data controllers must notify the PDPC (Personal Data Protection Committee) of a personal data breach without delay and, where feasible, within 72 hours after becoming aware of it, unless the breach is unlikely to pose a risk to the rights and freedoms of data subjects. Where the breach is likely to pose a high risk, the data controller must also notify the affected data subjects.

Section 78: Punitive Damages

Allows a court to award punitive damages of up to two times the actual compensation in a civil claim brought by a data subject.

Section 79: Criminal Penalties

Provides for imprisonment of up to 6 months or a fine of up to 500,000 THB, or both, for the unlawful use or disclosure of sensitive personal data in a manner likely to cause damage or reputational harm to the data subject, rising to 1 year or 1 million THB, or both, where it is done to obtain an unlawful benefit.

Sections 82 to 84: Administrative Penalties

Provide for administrative fines tiered by the obligation breached, up to a maximum of 5 million THB. Failure to implement adequate security measures under Section 37 is among the sanctioned violations; the top tier applies to violations involving sensitive personal data.
