Thailand’s PDPA: Essential Compliance Guidelines

What is Thailand’s Personal Data Protection Act?

Thailand’s PDPA (Personal Data Protection Act) regulates the collection, use, disclosure, and storage of personal data by businesses and organizations operating in Thailand. The law was enacted in May 2019 and came into full effect on June 1, 2021.

Under the PDPA, businesses and organizations are required to obtain consent from individuals before collecting and using their personal data. They must also ensure that the data they collect is accurate, relevant, and necessary for the purpose of its collection.

Businesses and organizations are also required to implement measures to protect personal data from unauthorized access, use, disclosure, or destruction. In the event of a data breach, they must notify affected individuals and relevant authorities within 72 hours.

The PDPA also gives individuals certain rights, such as the right to access their personal data, the right to request that their data be deleted or corrected, and the right to withdraw their consent for the collection and use of their data.

Non-compliance with the PDPA can result in significant fines and penalties, including imprisonment in some cases.

Who regulates Thailand’s PDPA?

Thailand’s PDPA (Personal Data Protection Act) is regulated by the Office of the Personal Data Protection Committee (OPDC), which is an independent regulatory body established under the law. The OPDC is responsible for overseeing and enforcing the PDPA, including developing regulations, guidelines, and codes of conduct to help businesses and organizations comply with the law.

The OPDC also has the authority to investigate and impose penalties on businesses and organizations that violate the PDPA. Its aim is to protect the privacy and personal data of individuals in Thailand, while also promoting the responsible use of personal data by businesses and organizations.

Ensure PDPA compliance today

Regulating data cross borders

Thailand’s PDPA (Personal Data Protection Act) applies to businesses and organizations that collect, use, disclose, or store personal data of individuals in Thailand, regardless of where the business or organization is based. This means that if a business or organization outside of Thailand collects personal data from individuals in Thailand, it must comply with the PDPA.

In addition, the PDPA requires that businesses and organizations obtain consent from individuals before transferring their personal data outside of Thailand. This means that if a Thai business or organization wants to transfer personal data to a business or organization in the EU or the United States, it must obtain consent from the individuals whose data is being transferred.

Businesses and organizations that transfer personal data outside of Thailand must ensure that the recipient of the data provides an adequate level of protection for the data, as required under the PDPA. This may involve entering into contractual agreements with the recipient that include provisions for data protection and security.

It’s important to note that the PDPA is not equivalent to data protection laws in the EU or the United States, and there may be some differences in terms of the requirements and obligations under each jurisdiction’s laws. However, businesses and organizations that operate across borders should be aware of the different data protection requirements and ensure that they comply with all applicable laws and regulations.

Thailand Data Privacy Compliance - PDPA — Download whitepaper.

Thailand PDPA Enforcement Examples

A financial services company in Thailand collects personal data, such as names, addresses, and financial information, from its customers for the purpose of providing banking services. Under the PDPA, the company is required to obtain consent from its customers before collecting and processing their personal data. It must also ensure that the data it collects is accurate, relevant, and necessary for the purpose for which it is being collected. The company must implement measures to protect the personal data from unauthorized access, use, disclosure, or destruction, and in the event of a data breach, it must notify affected individuals and relevant authorities within 72 hours.
An online retailer based in the United States collects personal data, including names, addresses, and payment information, from customers in Thailand for the purpose of processing orders and delivering products. Under the PDPA, the retailer is required to obtain consent from its Thai customers before collecting and processing their personal data. It must also ensure that any transfer of personal data from Thailand to the United States is done in accordance with the law, such as obtaining the necessary consent and ensuring an adequate level of protection for the data. The retailer must comply with any requests from its Thai customers for access, correction, or deletion of their personal data, and it must also ensure that any third-party service providers that it uses for data processing also comply with the PDPA.

Thailand’s Personal Data Protection Act (PDPA) sets the age requirements for the collection and processing of personal data of minors. According to the law, businesses and organizations must obtain consent from parents or guardians for the collection and processing of personal data of minors who are under the age of 20.

If a minor is 20 years old or above, they have the legal capacity to give their own consent for the collection and processing of their personal data.

The PDPA also requires businesses and organizations to take special care when processing sensitive personal data of minors, such as information related to their health, sexuality, or criminal records. In such cases, businesses and organizations must obtain explicit consent from the parent or guardian of the minor.

Overall, the age requirements under the PDPA aim to protect the privacy and personal data of minors in Thailand, while also ensuring that businesses and organizations are accountable and responsible in their data processing practices.

Test drive BigID

Leveraging BigID to Comply With Thailand’s PDPA

Comply with PDPA (Personal Data Protection Act) by providing a range of tools and capabilities for data discovery, classification, and protection.

Here are some ways that organizations can leverage BigID to achieve compliance with the PDPA:

Data discovery: BigID can help organizations discover and identify personal data that is being collected, processed, or stored in all of its forms, whether structured or unstructured. This can include data stored in databases, file shares, and cloud environments. By using BigID to discover data, organizations can gain a better understanding of what personal data they hold and where it is located.
Data classification: Once personal data has been discovered, BigID ML classification automatically and accurately classifies it based on various attributes, such as data type, sensitivity, and location. This can help organizations understand the risk associated with each type of personal data and prioritize their compliance efforts accordingly.
Consent management: The PDPA requires organizations to obtain consent from individuals before collecting and processing their personal data. BigID manages the consent process by providing tools for obtaining, storing, and tracking consent from individuals.
Data protection: The PDPA requires organizations to implement appropriate measures to protect personal data from unauthorized access, use, disclosure, or destruction. BigID can help organizations ensure that personal data is protected by identifying risks and vulnerabilities, such as data breaches, and providing recommendations for mitigation.
Reporting and auditing: The PDPA requires organizations to maintain records of their data processing activities and to provide reports to the Personal Data Protection Committee upon request. BigID can help organizations generate reports and audit trails that demonstrate compliance with the PDPA.