Thailand Personal Data Protection Act (PDPA)

About Thailand PDPA

Thailand’s Personal Data Protection Act (PDPA) enforcement begins on June 1, 2022. This Act ensures that personal data is protected and not misused.

Thailand’s PDPA is its first national data protection law. Among its provisions is the requirement that data controllers and data processors, including both public and private entities, obtain consent from data subjects before processing, collecting, or disclosing personal data.

Who must comply with Thailand Personal Data Protection Act (PDPA)? (Section 5)

Thailand’s privacy law applies to the collection, use, or disclosure of Personal Data by a Data Controller or a Data Processor that is in the Kingdom of Thailand, regardless of whether such collection, use, or disclosure takes place in the Kingdom of Thailand or not.

If a Data Controller or a Data Processor is outside the Kingdom of Thailand, the Thailand data protection law shall apply to the collection, use, or disclosure of Personal Data of data subjects who are in the Kingdom of Thailand, where the activities of such Data Controller or Data Processor are the following:

  1. The offering of goods or services to the data subjects who are in the Kingdom of Thailand, irrespective of whether the payment is made by the data subject.
  2. The monitoring of the data subject’s behavior, where the behavior takes place in the Kingdom of Thailand.

Enforcement under Thailand Personal Data Protection Act

Civil Liability (Section 77 and 78)
The Data Controller or the Data Processor whose operation in relation to Personal Data violates or fails to comply with the provisions of the Thailand PDPA, causing damages to the data subject, shall compensate the data subject whether such operation is performed intentionally or negligently.

The compensation includes all necessary expenses incurred by the data subject to prevent damages likely to occur, or to suppress damages that have occurred.

Criminal Liability (Section 79-81)
Any Data Controller who violates the provisions under section 27, or fails to comply with section 28, in relation to the Personal Data under section 26 can be punished with imprisonment for a term not exceeding one year and a fine ranging from a few thousand baht to 5 million baht, depending on the nature of the violation.


Key highlights of PDPA:

Personal Data: Any information relating to a Person which enables the identification of such Person, whether directly or indirectly, but not including the information of deceased Persons in particular.
Data Subject Rights: The PDPA provides data subject rights which largely mirror those provided by the GDPR.
Data Controller: A Person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.
Privacy Assessments: Controllers are required to perform and document Data Protection Impact Assessments for each processing activity “that presents a heightened risk of harm” to consumers.

Know the difference between Virginia’s CDPA, CCPA and CPRA?

Download this whitepaper to learn more about the key differences between the provisions of Virginia’s new privacy law, the CDPA, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It provides an overview of each law’s requirements, highlighting their similarities and differences. Although there are some similarities among all the active privacy laws, the framework and definitions of the CDPA carry their own unique requirements and guidance.


Data Subject Rights under Thailand Personal Data Protection Act (PDPA) (Section 30-35)

  1. Right to information access (Section 30)
    The data subject is entitled to request access to and obtain a copy of the Personal Data related to him or her which is under the responsibility of the Data Controller, or to request the disclosure of the acquisition of the Personal Data obtained without his or her consent.
  2. Right to data portability (Section 31)
    The Data Controller shall arrange such Personal Data to be in a format which is readable or commonly used by automatic tools or equipment and which can be used or disclosed by automated means.
  3. Right to object to the collection, use or disclosure of personal data (Section 32)
    The data subjects have the right to object to or opt out of the collection, use, or disclosure of the personal data linked to them, if the data was collected under an exemption from consent and the Data Controller is unable to prove that it was collected on legitimate interest grounds or to exercise legal claims.
  4. Right to erasure (Section 33)
    The data subject shall have the right to request the Data Controller to erase or destroy the Personal Data, or to anonymize the Personal Data so that it becomes anonymous data which cannot identify the data subject.
  5. Right to ask data controller to restrict the use of the personal data (Section 34)
    The data subjects have the right to request the data controller to restrict the use of their personal data when it is no longer necessary to retain such Personal Data for the purposes of such collection.
  6. Right to accurate and up-to-date personal data (Section 35)
    The Data Controller shall ensure that the Personal Data remains accurate, up-to-date, complete, and not misleading.
  7. Right to withdraw consent (Section 19)
    The data subject may withdraw his or her consent at any time. The withdrawal of consent shall be as easy as giving consent, unless the withdrawal of consent is restricted by law, or by a contract which gives benefits to the data subject.

Appointment of Data Protection Officer (Section 41)

The Data Controller and the Data Processor shall designate a data protection officer in the following circumstances:

  1. The Data Controller or the Data Processor is a public authority as prescribed and announced by the Committee.
  2. The activities of the Data Controller or the Data Processor in the collection, use, or disclosure of the Personal Data require regular monitoring of the Personal Data or the system, by reason of having a large volume of Personal Data as prescribed and announced by the Committee.
  3. The core activity of the Data Controller or the Data Processor is the collection, use, or disclosure of the Personal Data according to section 26.

How does Mandatly help you achieve Thailand PDPA compliance?

Mandatly’s PDPA compliance solution goes above and beyond automation and includes comprehensive privacy risk management features that enable you to make effective business decisions and eliminate privacy risks.

Consumer Rights: End-to-end DSAR fulfillment solution with automated identity verification and data discovery to fulfill the consumer request timely, securely, and efficiently.
Data Inventory and Mapping: Maintain your data sources and map data flows to meet the PDPA "Lookback" requirements.
Privacy Assessments: Bundled with intelligence to uncover and assess privacy risks that your business can be exposed to.
Privacy Notices: Generate privacy notices for your website or applications to keep your customers informed about how their Personal Information is collected, processed, and shared.
Do Not Sell My Information: Enables customers to opt out of the cookie-based and non-cookie-based sale of personal information.
Analytics: Reporting features are built into the system to give different stakeholders a holistic view of the compliance program.
