Are you aware of what the PDPA is and who it applies to? Read on to learn what PDPA stands for, what the penalties are, and what to do in case of a data breach.
The Thailand PDPA is the Personal Data Protection Act B.E. 2562 (2019) of the Kingdom of Thailand. It was passed in 2019 and was originally scheduled to take full effect on 27 May 2020.
However, in May 2020 the Thai Cabinet approved a royal decree that postponed the application of certain provisions of the Act (among them the obligations of data controllers and processors, data subject rights, complaints, civil liability and penalties) for one year, until 31 May 2021, when the law was expected to be fully implemented.
PDPA is the most comprehensive Thai data privacy law to date. It expands on the rights of users whose data you collect, which means expanding on your obligations as well.
The Thailand PDPA follows the trend set by the GDPR. It has many similarities with this regulation, as well as with data protection laws of East and South-East Asia, such as Japan's APPI. If your business complies with the GDPR, it would be easy to comply with the PDPA as well. Read more about Thailand PDPA vs. GDPR and what the key differences are.
The Thailand PDPA applies to:
There are two types of penalties for violation of the Thailand PDPA: administrative and criminal penalties.
Most of the violations lead to administrative penalties imposed by the Personal Data Protection Committee. Depending on the severity of the violation, fines may go up to 5 million baht, which is around USD 150,000.
For some violations, such as unlawfully disclosing sensitive personal data, the PDPA prescribes criminal penalties, including imprisonment of up to one year and fines of up to 1 million baht. You may face such penalties if you:
In addition to the penalties, you are liable for the damages that the data subject has suffered due to your non-compliance with the law. If proven responsible, you would have to compensate them for those damages. Read more about how you can make your website PDPA compliant.
According to Section 6 of the Act, personal data is any information relating to a person that enables that person to be identified, directly or indirectly. This includes a name, address, email address, phone number, ID number or any other number that identifies a specific person, and so on.
Although the PDPA does not define "sensitive data" as a term, Section 26 lists the categories of personal data that receive stricter protection: racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, and any other data which may affect the data subject in the same manner.
PDPA protects only living individuals. It excludes deceased persons from protection.
Consent is the legal basis the PDPA relies on most, although the Act also recognises other bases (for example, performance of a contract, compliance with a legal obligation, or legitimate interests). Where you rely on consent, you must obtain the user's explicit consent before collecting, using or disclosing their data. The request must be presented in a way that clearly distinguishes it from the other content on the website, in plain language. You also have to inform the user about the purpose of the collection or processing in a clear and non-deceptive way, and the user must be able to withdraw consent as easily as they gave it.
In practice, this means a cookie banner that asks for consent before any non-essential cookies (analytics, advertising) are set; cookies that are strictly necessary to deliver the service the user requested can usually rest on another legal basis. Linking to your privacy policy from the banner is a practical way to inform users about the purposes of data collection.
When collecting consent from a minor who cannot validly consent alone under Thai civil law, you need the consent of both the minor and the holder of parental responsibility.
If the minor is a child under the age of 10, you need consent only from the holder of parental responsibility.
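The consent-gating pattern the banner paragraph describes, as an added example that is not part of the original article: non-essential cookies default to denied, a decision is recorded per purpose with the policy version and a timestamp so it can be evidenced, withdrawal is a single call, and a decision taken under an older policy version re-triggers the banner. The purpose names, the policy version string and the `jar` object standing in for `document.cookie` are illustrative assumptions, not anything the Act or the article specifies.

```javascript
// Added example (not from the original article): a default-deny consent gate
// for non-essential cookies. Purpose names and the policy version string are
// illustrative assumptions; `jar` stands in for document.cookie / Set-Cookie.

// Only cookies needed to deliver the requested service are set without an
// opt-in; everything else needs explicit consent for its specific purpose.
const ESSENTIAL_PURPOSES = new Set(["strictly_necessary"]);

// Purposes the banner offers. Every non-essential box starts unticked.
const OPTIONAL_PURPOSES = ["analytics", "marketing"];

function createConsentGate({ policyVersion, storage = new Map(), now = () => new Date() }) {
  const KEY = "pdpa_consent";

  function readRecord() {
    const raw = storage.get(KEY);
    return raw ? JSON.parse(raw) : null;
  }

  // Record which purposes were granted, under which policy version and when,
  // so the consent can be evidenced later. Unknown purposes are rejected.
  function recordDecision(grantedPurposes) {
    const unknown = grantedPurposes.filter((p) => !OPTIONAL_PURPOSES.includes(p));
    if (unknown.length) throw new Error(`unknown purpose(s): ${unknown.join(", ")}`);
    const record = {
      policyVersion,
      grantedAt: now().toISOString(),
      purposes: Object.fromEntries(
        OPTIONAL_PURPOSES.map((p) => [p, grantedPurposes.includes(p)])
      ),
    };
    storage.set(KEY, JSON.stringify(record));
    return record;
  }

  // Withdrawal must be as easy as giving consent: one call clears it.
  function withdraw() {
    storage.delete(KEY);
  }

  // Show the banner again when nothing is on file or the decision was taken
  // under an earlier version of the privacy policy.
  function needsBanner() {
    const rec = readRecord();
    return rec === null || rec.policyVersion !== policyVersion;
  }

  // Default deny: allowed only if essential, or explicitly granted by a
  // decision made under the current policy version.
  function isAllowed(purpose) {
    if (ESSENTIAL_PURPOSES.has(purpose)) return true;
    if (needsBanner()) return false;
    return readRecord().purposes[purpose] === true;
  }

  // Wrap every cookie write so a non-consented purpose never reaches the jar.
  function setCookie(jar, name, value, purpose) {
    if (!isAllowed(purpose)) return false;
    jar.set(name, value);
    return true;
  }

  return { recordDecision, withdraw, needsBanner, isAllowed, setCookie, readRecord };
}

// A visit walked through: before any click only the session cookie is set;
// after opting in to analytics only, the marketing cookie is still refused.
function demo() {
  const gate = createConsentGate({ policyVersion: "2021-06" });
  const jar = new Map();
  const before = {
    session: gate.setCookie(jar, "sid", "abc123", "strictly_necessary"),
    analytics: gate.setCookie(jar, "analytics_id", "A1", "analytics"),
  };
  gate.recordDecision(["analytics"]);
  const after = {
    analytics: gate.setCookie(jar, "analytics_id", "A1", "analytics"),
    marketing: gate.setCookie(jar, "ad_id", "M1", "marketing"),
  };
  return { before, after, cookies: [...jar.keys()] };
}
```

In a real page, `storage` would be backed by a first-party cookie or `localStorage`, and every script that sets a non-essential cookie would be loaded only after `isAllowed(purpose)` returns true; bumping `policyVersion` when the privacy policy changes forces a fresh decision rather than silently carrying the old one over.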
A Thailand-PDPA-compliant privacy policy contains at least the following:
This is the minimum that any privacy policy must meet. If you want to be more transparent, you can add more information.
Your users have the right to:
In addition, you have to ensure that the data is accurate, up-to-date, complete, and not misleading.
If you do not allow users to exercise their rights under the PDPA, they have the right to file a complaint to the Personal Data Protection Committee, which may lead to penalties for you.
You may transfer personal data to a foreign country only if the destination country has adequate data protection standards, as determined by the Committee. If the destination country does not, you need a specific exception, the most common being the data subject's consent to the transfer after being informed that the destination lacks adequate protection. If you are unsure whether a destination country meets the standard, you can ask the Committee to decide.
When a data controller or data processor transfers data to members of the same business group abroad, this adequacy requirement does not apply if the group has a personal data protection policy for such intra-group transfers that has been reviewed and certified by the Office of the Committee.
You need a Data Protection Officer only if you meet any of the following requirements:
When the data controller and the data processor belong to the same business group, they may appoint a joint DPO.
The Personal Data Protection Committee enforces the PDPA. It has the power to impose administrative penalties. Criminal processes arising as a result of non-compliance with this law, however, are handled by the criminal prosecution authorities and courts.
You need to appoint, in writing, a representative located in Thailand if you are a business outside Thailand that collects, uses or discloses the personal data of data subjects who are in Thailand (regardless of their nationality) for the purposes of:
The representative shall be authorized to act on your behalf without any limitation of liability regarding the collection, use or disclosure of the personal data according to your purposes.
You have to notify the Office of the Personal Data Protection Committee of any personal data breach without delay and, where feasible, within 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. The 72-hour clock runs from awareness, so you need logging and an incident-response process that let you detect a breach, scope it and assess its risk quickly.
If the breach is likely to result in a high risk to the rights and freedoms of the data subjects, you also have to notify the data subjects without delay, together with the remedial measures you have taken.