Data protection has been at the forefront of global concerns for many years. As technology advances and becomes more connected, people are providing a startling amount of personal data to companies regularly without a second thought. While this web of data-driven technologies might make life and business more efficient, it does present a significant risk to privacy. In this blog article, we take a look at Thailand’s response to this problem and explore its PDPA law to protect user data. We also look at how the PDPA Thailand legislature is implemented, how it works, and how it affects consumers.

Data protection laws are a vital part of any digital landscape. These policies ensure that personal information cannot be used for fraud or cybercrime. They also instill a crucial level of trust in companies and the government at large. Privacy is a fundamental right for every person, and Personal Data Privacy – or PDP – laws are the only legal defense against the misuse of data. In Thailand, the PDPA is in place to give individuals control over how their data is collected, processed, and used, and to ensure that companies handle such data in a compliant way. Let’s try to get a better understanding of what PDPA Thailand is.


What Is the PDPA Thailand?

The Personal Data Protection Act of Thailand – or PDPA Thailand – can be defined as a primary consumer data protection law that protects the data integrity of individuals in Thailand. Officially named the Personal Data Protection Act BE 2562 (2019) (PDPA), the law outlines users' rights over their personal information while providing guidelines to legally collect and use consumer information and listing the penalties for violating those requirements.

The PDPA Thailand is the country’s first consolidated data protection law and was published in the Thai Government Gazette in May 2019. While the law was due to be fully enforced in 2020, the enforcement date was postponed to June 2022. The core purpose of the PDPA is to regulate data collection, processing, and storage across local and multinational organizations. Any business in Thailand that collects and processes personal data must comply with the Personal Data Protection Act.

While the PDPA is the most significant and recent data privacy law put in place for Thailand, the country also has other legislation to protect datasets. This includes the Payment System Act for banks, the National Health Act for personal health information, and the Official Information Act to protect personal data held by government agencies. The PDPA is enforced by Thailand’s Personal Data Protection Committee – which we’ll now learn more about to fully understand the scope of the legislation.

What Is the Thai Personal Data Protection Committee (PDPC)?

The Personal Data Protection Committee – or PDPC – is the official regulator of the PDPA law in Thailand. The PDPC was established in 2022 – a few months before the PDPA came into effect in June. The office is responsible for encouraging the protection of personal data, regulating compliance with the PDPA, prescribing guidelines to safeguard data integrity, and issuing penalties, codes, and sub-regulations. The office of the PDPC consists of a chairperson, vice-chairperson, five commission members, and nine honorary commission members – all appointed based on their knowledge, skills, and experience in relevant fields. Now that we know who enforces the PDPA, let’s try to understand the cornerstones of the law.

Key Components of the PDPA Thailand

The PDPA law defines personal data as “any information relating to a person which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased persons in particular.” The PDPA provides guidelines for two categories of this personal data:

  • General Personal Data (GPD): General Personal Data refers to any information of a person that allows you to identify them, whether directly or indirectly. This includes names, addresses, contact details, customer ID, age, gender, height, usernames, passwords, and IP addresses.
  • Sensitive Personal Data (SPD): Sensitive Personal Data can be defined as information that requires explicit consent - revealing race, ethnicity, political standing, religious beliefs, philosophical beliefs, sexual orientation, criminal records, health data, disabilities, trade union information, or genetic data.

To protect both types of personal data, the PDPA legislation provides an outline for data controllers – defined as persons or juristic persons having the power and duties to make decisions regarding the collection, use, or disclosure of personal data. Similarly, the law is aimed at data processors – or “those who operate in relation to the collection, use, or disclosure of personal data pursuant to the orders given by or on behalf of a data controller.”

According to the law, these data processors and controllers are obligated to follow specific policies regarding consent requirements, data subject rights, breach notifications, and restrictions on cross-border data transfers. A key element of the legislation mandates that data controllers and processors who use personal data must receive consent from data owners. They can also only use the data collected for expressed purposes. The penalty for non-compliance is an administrative fine of up to THB 5 million and a criminal fine of up to THB 1 million. Some of the main takeaways and points of order from the PDPA law include:

  1. Cross-Border Data Transfers: Under the PDPA, personal data cannot be transferred to a jurisdiction or international organization that lacks adequate data protection. These transfers are only allowed if users are aware of the lack of data security and provide explicit consent regardless, or if the data transfer is contractually necessary.
  2. Internal Binding Contracts: The PDPC further encourages companies in the same group to implement internal binding corporate rules to govern their intra-group data transfers, ensuring that group companies adopt the same high standards of data protection.
  3. Appointment of a Data Protection Officer (DPO): Since December 2023, data controllers and data processors have been required to appoint a Data Protection Officer if their core activities involve:
    • Processing a large scale of personal data that requires regular monitoring of personal data or systems. This includes tracking, monitoring, analyzing, or predicting behaviors – often found in the processing of personal data by network service providers, telecom operators, membership programs, credit scoring, or fraud prevention.
    • Processing of Sensitive Personal Data, regardless of the scale of personal data.
    Failure to appoint a DPO can result in an administrative fine not exceeding THB 1 million.
  4. Vendor Privacy Contracts: These are crucial under the PDPA - with specific criteria for data processing agreements when vendors act as data processors, and data sharing or transfer agreements when vendors are data controllers.
  5. Multinational Organization Obligations: Businesses outside of Thailand that offer goods or services to individuals in the country and monitor users’ online behavior must also comply with the act – regardless of whether a financial transaction occurs. These entities must comply with the PDPA Thailand and other applicable laws – especially regarding cross-border data transfers, which may involve adequacy decisions, exceptions, Binding Corporate Rules, or Standard Contractual Clauses.
  6. Extraterritorial Scope of PDPA: All organizations that collect, use, or disclose personal data in Thailand or of Thai residents - regardless of whether they are formed or recognized under Thai law, and whether they are residents or have a business presence in Thailand – must abide by the policies of the PDPA.
  7. Publicizing Consent Withdrawal or Purpose Changes: While data controllers may continue to process previously collected personal data if the purpose for which it was collected remains the same, they must now publicize a consent withdrawal method and notify data subjects of it, so that data subjects have the option to withdraw their consent or opt out. Furthermore, if data controllers or processors use or disclose personal data beyond the original purpose for which the data subjects had previously given consent, additional specific consent is required for each separate purpose.
  8. Notification of Data Processing Purposes: Under the PDPA, data controllers are also obligated to notify users of the purpose of processing their data. This notification must include the purposes of personal data processing, the details of the data controller and its Data Protection Officer (DPO), the third parties to whom the personal data may be disclosed, and the rights of the data subjects followed by how and when they can exercise those rights.
  9. Records of Data Processing: All data controllers or data processors must keep full records of their personal data processing activities under the PDPA law. This will ensure that they are prepared for inspection by or submission to the PDPC (Personal Data Protection Committee).
  10. Exceptions to the Rule: The collection, use, or disclosure of Sensitive Personal Data without the explicit consent from the data subject is prohibited except when preventing or suppressing danger to the life, body, or health of the person where the data subject is incapable of giving consent, for whatever reason.

The PDPA law and most data privacy legislation around the world exist to protect users; however, there can be significant limitations when they are implemented. To fully understand the magnitude of the PDPA, we’ll now look into some of the challenges faced in trying to implement the law successfully.

Challenges for PDPA Thailand Compliance

With any legislation, there will be challenges with implementation. Data privacy laws can be particularly difficult to enact for several reasons in a dynamic digital landscape. Even the most technologically advanced countries struggle with data privacy policies. According to PricewaterhouseCoopers Consulting (Thailand) Ltd., the scope and requirements of the PDPA law make it uniquely complex – and therefore more challenging. The firm also surveyed companies in August 2020 to explore how ready they were for PDPA enforcement in June 2021 and the key challenges faced on their PDPA journey.

The 25-question survey was sent to organizations across different industries in Thailand and was available to respondents through September 2020. The results showed that most companies were aware of PDPA requirements but were not yet ready for its enforcement, while some companies weren’t even close to completing PDPA preparations in certain areas. To properly explore the challenges that the PDPA Thailand faced, we’ve summarized some of the main PDPA challenges mentioned in the 2021 PwC survey and also noted some of the findings from Damrongsak Naparat’s research paper on the challenges facing the implementation of the PDPA. Some of the main obstacles to PDPA implementation included:

  • Lack of adequate funding, technology, and other resources to fulfill PDPC requirements.
  • Lack of qualified personnel to enforce the law.
  • A need for clarity on which Thai privacy laws take precedence and apply in certain circumstances when considering existing sector-specific regulations.
  • Lack of awareness or education about the data privacy obligations companies need to abide by – on the part of consumers and companies alike.
  • The lack of a Data Protection Officer or a team dedicated to data privacy tasks.
  • Companies and users failing to take data privacy issues seriously.

While the challenges that faced PDPA implementation were difficult and might remain an issue for many companies today, there are simpler ways for businesses to ensure that they remain compliant at all times.

How Businesses Can Comply with PDPA Thailand

Compliance is a fundamental cornerstone for any business. Remaining compliant with data privacy laws ensures that companies are legally protected from penalties, lawsuits, and other legal repercussions. Further benefits of compliance with data regulations for businesses include:

  • Demonstrating a trustworthy and responsible reputation to customers, the government, and investors.
  • Improving efficiency with standardized procedures that follow regulations.
  • Mitigating cyber threats and data loss through enforced security protocols.
  • Providing a competitive edge amongst peer companies.
  • Becoming a priority client for government contracts.
  • Creating a culture of ethical behavior within your company.

For the PDPA Thailand law, there are certain key requirements for PDPA compliance to be fulfilled. These requirements allow entities to legally process personal data.

Key Requirements for PDPA Compliance for Businesses:

  1. Obtaining clear and informed user consent for data collection. Consent needs to be explicitly given in a written statement or electronically when possible.
  2. Providing a notification or disclosure about the data processing when requesting user consent. The user must then freely agree to the processing of their own accord and retain the right to easily withdraw consent at any time.
  3. Establishing and maintaining a data privacy policy that fully complies with data processing requirements under the PDPA.
  4. Entering into a contractual agreement between controllers and processors under Thailand’s PDPA that requires both parties to follow all requirements outlined by the law.
  5. Informing users about how long their data will be retained at or before the point of data collection, and only collecting data that is completely necessary. If unable to provide a date, the company must explain the process used to determine how long the data will be kept.
  6. Implementing robust data security measures to mitigate the risk of data breaches and cyber-attacks.
  7. Providing data subjects with access and control over their data – this includes facilitating the right to access personal data, the right to withdraw consent at any time, the right to rectify, delete, restrict, or object to the processing of personal data, the right to data portability, and the right to submit a complaint with the PDPC Office.
  8. Appointing a DPO - if required by the core activities - to ensure compliance with the PDPA and act as a contact person for data subjects. Under the law, this officer is responsible for giving entities advice for complying with Thailand’s PDPA, investigating if the controller and/or processor fully comply with the law, coordinating with the regulatory authorities who enforce the law as needed, and maintaining confidentiality regarding all personal data acquired while working as a DPO. Data processors and controllers must also provide users with contact information for their DPO.
  9. Maintaining a record of processing, historical documents, or archives for public interest or statistical research purposes – this is optional for small businesses.
  10. Signing a data processing agreement or data transfer agreement between a data controller and a data processor.
  11. Creating a data protection impact assessment to identify data privacy risks and measures to mitigate such risks.

Failure to abide by these requirements will result in fines or penalties being issued by the government. We’ve broken down this process for better understanding.

Fines and Penalties Under Thailand’s Personal Data Protection Act

Violating Thailand’s PDPA law can lead to fines of up to THB 5 million – or US$ 145,000. Businesses can also face criminal penalties and might be forced to cease all data processing activities. A data breach notice must be submitted to the PDPC within 72 hours of becoming aware of the breach - if it is likely to result in a risk to the rights and freedoms of data subjects.

The breach notice must include the nature of the incident, details of the contact person or DPO of the data controller, possible consequences, and measures taken or to be taken to mitigate the potential adverse effects. If the data breach is likely to result in critical threats to the rights and freedoms of data subjects, the data breach notice with remedial measures must be sent to both the PDPC and the data subjects without delay. Where a data breach involves several data subjects, the data controller may notify each of the subjects specifically, or the public generally via public media, social media, electronic means, or any other means accessible to the data subjects or the general public.

To demonstrate the seriousness of these penalties, we can simply look at the first PDPA administrative fine in action. In August 2024, the second expert committee appointed under the Thai Personal Data Protection Act issued an administrative fine to a major private company involved in online sales. The company allowed a significant amount of personal data to leak to call center gangs without implementing adequate security measures as required by the PDPA.

The committee imposed the maximum administrative fine of 7 million baht for failure to appoint a Data Protection Officer (DPO), inadequate security measures, and failure to report data breaches. The company was further ordered to enhance its security measures to prevent future data leaks and train its staff - reporting these improvements to the PDPC within 7 days of receiving the order.

For businesses to remain compliant with data privacy laws and policies, they need to invest in the correct infrastructure and platforms to contain and secure data. A few examples of this include:

  • Updating privacy policies and cookie policies to meet all requirements for properly informing users about data collection.
  • Implementing a consent management platform with a properly configured consent banner that allows users to easily access opt-in and opt-out options – meeting the requirements outlined by the law.
  • Ensuring that it’s easy to receive and respond to requests from users to follow through on their rights by adding a Data Subject Access Request (DSAR) form on your site.
  • Investing in critical IT infrastructure from a trusted vendor.

Fortunately, Sangfor Technologies provides an array of platforms and services designed to ensure data safety. These include services that will:

  1. Protect Network Security - Sangfor’s Network Secure Next-Generation Firewall (NGAF) is the world’s first firewall platform to combine AI Technology, Cloud Threat Intelligence, NG-WAF, IoT Security, and SoC Lite - seamlessly eliminating over 99% of external threats at the network perimeter and effectively maintaining data compliance.
  2. Defend Against Ransomware and Data Breaches – Sangfor’s Anti-ransomware platform is the only security solution that addresses the entire life cycle of ransomware attacks, using AI and the synergy between Network Secure and Endpoint Secure to detect and block ransomware attacks in just 3 seconds.
  3. Secure Endpoints – Endpoint Secure is a modern Endpoint Protection Platform (EPP) that further fortifies compliance by combining antivirus, Endpoint Detection and Response (EDR), and endpoint management capabilities into a single solution – for integrated protection in vulnerable spots.
  4. Securing Critical Data Through Cloud Infrastructure – Companies can further choose to protect data by implementing robust infrastructure. Sangfor’s Hyper-Converged Infrastructure (HCI) and Managed Cloud Services (MCS) provide the ideal platforms for secure and efficient cloud computing. To reinforce this protection, Secure Access Service Edge (SASE) enhances cloud security compliance by integrating advanced security features like Zero Trust Network Access (ZTNA) and Cloud Access Security Broker (CASB) – tools that ensure continuous user authentication, encrypted traffic inspection, and policy enforcement. This allows organizations to seamlessly meet regulatory standards.
  5. Providing Disaster Recovery Solutions – A key factor of compliance is disaster recovery capabilities. Sangfor provides an effective disaster recovery management plan that outlines the procedures and protocols during an incident to ensure business continuity and reduce data loss.

These are great measures for businesses to take to ensure compliance; however, the general public also needs to understand what the PDPA means for them and how it affects them.

How Does Thai PDPA Affect Consumers?

While the PDPA Thailand law is aimed mostly at businesses that control, collect, and store data, the legislation also impacts consumers by granting them certain rights over how their data gets collected and used. The law covers the personal information of natural persons in Thailand - protecting the collection and processing of personal data by controllers or processors based in Thailand - regardless of where the collected data comes from. The rights of consumers protected under the PDPA include:

  1. Right to Access Data – Consumers have the right to access their data when it has been collected and processed by a data controller.
  2. Right to Request Rectification of Inaccurate Data – Consumers can ask to rectify incomplete or incorrect personal data.
  3. Right to Request Erasure of Data – Under certain conditions, users can ask for their data to be deleted.
  4. Right to Data Portability – Consumers have the right to obtain a portable copy of their data.
  5. Right to Withdraw Consent at Any Time – Consumers can choose to opt out of sharing personal data at any time - including direct marketing.
  6. Right to Be Informed – Users have the right to be informed about what data is being collected about them, why it is being collected, and what that data’s retention period is.

Who Is Exempt From Thailand’s PDPA?

According to the PDPA, the following entities are exempt from the law:

  • Persons processing data for personal or household activities.
  • Public authorities maintaining state security, including financial security or public safety.
  • Persons or juristic persons using data collected for activities of mass media, fine arts, and literature in accordance with professional ethics or for public interest.
  • The House of Representatives, the Senate, or the Parliament.
  • Trial and adjudication courts.
  • Operations undertaken by credit bureau companies.

Conclusion

The PDPA Thailand law is a revolutionary piece of legislation that will protect citizens from the misuse of their sensitive data. Businesses and individuals alike benefit from being compliant – fostering an ethical society and mitigating the risk of security breaches. A survey conducted by Deloitte Thailand showed that 72% of organizations are confident in their ability to comply with PDPA due to adherence to regulations and regular self-assessment of their readiness. This step to a secure data infrastructure will create a disciplined, safe, and efficient digital landscape – untethered by cyber threat concerns.

For companies looking to invest further into compliance, we advise seeking legal counsel to discern how your organization may fully abide by data protection legislation. Sangfor Technologies offers several infrastructure and cybersecurity solutions that will fortify compliance as well. Contact us today or visit www.sangfor.com for more information.

Resources for PDPA Thailand Information

These are some important resources that consumers and businesses can use to get more information about the PDPA Thailand law and its compliance requirements.

Frequently Asked Questions

The RoPA Exemption Notification classifies data controllers considered "small- or medium-sized businesses" as exempt from the obligation to prepare and maintain a Record of Processing Activities (RoPA) under Section 39 of the PDPA (with some exceptions).

Any business in Thailand that collects and processes personal data must comply with the Personal Data Protection Act. However, any data collected and used in a household or personal context is exempt.

The PDPA provides guidelines for two types of personal data - General Personal Data (GPD) and Sensitive Personal Data (SPD).

General Personal Data includes any personal information that allows you to identify a person, whether directly or indirectly. This includes names, addresses, contact details, customer ID, age, gender, height, usernames, passwords, and IP addresses.

Sensitive Personal Data requires explicit consent and includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

Contact the Thailand Personal Data Protection Committee (PDPC)

Phone: +66 02 111 8800

E-mail: saraban@pdpc.or.th

The penalty for non-compliance is an administrative fine of up to THB 5 million and a criminal fine of up to THB 1 million.

Consumers under this law have the right to be informed, access their data, and request to correct or delete it.

In Thailand, the PDPA is enforced by the Personal Data Protection Committee (PDPC). The PDPC also drafts and releases sub-regulations and guidelines for the law - determining how entities should interpret PDPA compliance, issuing notifications to those who violate the law, and establishing future rules or guidelines.

According to Thailand’s PDPA, businesses must inform individuals about the following details before or at the point of data collection:

  • The purpose of the data collection.
  • The retention period.
  • The rights the individual has over their information.

An easy way to meet this guidance is to present your users with a privacy policy that meets these notification requirements. Once individuals are already informed about the collection, they do not have to be presented with a notice again.

Thailand’s PDPA affects your cookie policy because users protected by the law have the right to be informed of data collection at or before the point of collection, and internet cookies collect personal data from users. Ensure that users are aware of what cookies your website uses, what they do, and why you use them before they’re placed on their browsers.
