The personal data protection act (PDPA)

What is PDPA? Why Every Business in Thailand Must Comply

The Personal Data Protection Act B.E. 2562 (PDPA) is Thailand's data privacy law that came into full effect on June 1, 2022. Its purpose is to protect the rights of individuals over their personal data and to set clear standards for how businesses and organizations collect, use, and disclose such data.
By enacting the PDPA, Thailand aligns itself with global standards such as the EU's GDPR, ensuring both public and private sectors adopt stronger data protection practices and build customer trust.

Who is involved in PDPA?

  1. Data Subject: An individual whose identity can be directly or indirectly identified (e.g., name, phone number, email, IP address).
  2. Data Controller: A person or organization that decides the purpose and means of collecting, using, or disclosing personal data (e.g., a company storing customer details).
  3. Data Processor: A person or organization that processes data on behalf of a controller (e.g., cloud providers, call centers, outsourcing companies).
  4. Data Protection Officer (DPO): A mandatory role for certain organizations, responsible for monitoring compliance and advising on data protection.

Key Principles of PDPA

  • Transparency: Businesses must clearly inform individuals about why and how their data will be collected and used.
  • Consent: Consent must be explicit, freely given, and revocable at any time.
  • Data Minimization: Only necessary data should be collected and processed.
  • Security: Organizations must ensure appropriate technical and organizational measures to prevent data leaks or misuse.

Sensitive Personal Data

Some categories of data are considered highly sensitive and require extra protection, such as:
  • Race or ethnicity
  • Political opinions
  • Religion, beliefs, or philosophy
  • Sexual orientation or behavior
  • Health and disability information
  • Criminal records
  • Genetic or biometric data (e.g., fingerprints, facial recognition)
These can only be collected or used with explicit written consent, or under legal exceptions such as protecting life, health, or fulfilling legal obligations.

Rights of Data Subjects

Under PDPA, individuals have strong rights over their personal data, including:
  • Right to be informed - Must be informed before data is collected
  • Right of access - Request to view or obtain a copy of their data
  • Right to rectification - Correct inaccurate or incomplete data
  • Right to erasure (Right to be forgotten) - Request deletion of data
  • Right to object - Refuse processing in certain situations (e.g., direct marketing)
  • Right to data portability - Request transfer of data to another provider
  • Right to restrict processing - Temporarily stop the use of data
  • Right to lodge a complaint - File a complaint with regulators if rights are violated

Responsibilities of Businesses and Organizations

To comply with PDPA, organizations must:
  • Publish a clear Privacy Policy
  • Maintain a Record of Processing Activities (RoPA)
  • Appoint a DPO (when required by law)
  • Implement technical and organizational security measures
  • Report data breaches within 72 hours to authorities and inform affected individuals if there is a high risk