Thailand recently enacted a Personal Data Protection Act (PDPA), which goes into effect on May 27, 2020. The Thailand PDPA, not to be confused with the Singapore PDPA, outlines requirements for websites to gather consent before processing data. The purpose is to protect data subjects from the unlawful collection or use of personal data. Data subjects must know what data is being collected about them and how it is being used. This includes businesses needing to provide transparency into any third-party selling or trading of the personal data gathered.

Last Updated: April 1, 2020


What is the Thailand PDPA?

While the GDPR has the Data Protection Authority (DPA) as its official authority for enforcing the law, the Thai PDPA will have a Personal Data Protection Committee (PDPC) to enforce the law and provide guidance on compliance with the PDPA.

As under the GDPR, websites will need to state what information will be collected and give the user the ability to provide consent either before or at the point of collecting the data, using it in any way, or passing it to third parties. Violation of the PDPA can result in fines of up to Baht 5,000,000 and imprisonment for up to one year.

Although the law has not yet been translated into English, businesses that operate or provide services in any way in Thailand are required to familiarize themselves with the law and be ready to comply as soon as it goes live.


What is personal data under PDPA?

Personal data is outlined in the Thailand PDPA as the data of people in Thailand that could identify the person either directly or indirectly. Similar to the GDPR, personal data under the Thailand PDPA also applies to data that is factually incorrect or incomplete. If the data can identify the data subject in any way, it is protected by the PDPA and must be disclosed to the data subject. 

Personal data can be collected from a user if there is a legal basis for the collection. The key bases include legal obligations, public interest, or legitimate interest. Legitimate interest is also noted in the GDPR and is intended to allow a business to collect data on a user if it has a specific, lawful, transparent purpose. Examples of legitimate interest include investigating criminal acts, preventing fraud, and protecting public security.

The legitimate interest basis should also clearly benefit the business and have limited privacy impact on the individual.

Personal data does not include that which is related to a deceased individual or basic private business information including addresses or titles at the business. 

Sensitive personal data is further protected in the PDPA and broadly includes data in any way related to: 

  • Biometric Data 
  • Health data 
  • Religion  
  • Ethnic origin 
  • Criminal records 

Who needs to comply with the PDPA?

The Thailand PDPA applies to personal data collected from users in Thailand, but, similar to the EU’s GDPR, it also has extraterritorial reach: it covers data collected even if the data controller or processor doesn’t reside in Thailand.

The PDPA applies to data collected by a data controller or processor, whether in Thailand or outside of Thailand, if they’re collecting data of a data subject in Thailand for the purpose of offering goods or services or monitoring the behavior of the data subject in any way.


How to comply with PDPA

  • Create a preference center and cookie banner that will inform visitors to your website about what kind of data is collected as well as provide the user with the ability to opt out of targeted advertising or the use of cookies on your site.
  • Create and maintain a form on your site that gives individuals the right to request access to, deletion of, or update to any data you have on them. 
  • Track requests and maintain a record of any requests from users for their data using a dashboard and automate the process. 
  • Understand what cookies or other tracking technologies exist on your page to be fully transparent with your website visitors.  
  • Provide users in Thailand with the following rights: 

The Right to be Informed 

The Right to be Informed [Section 23] is the right for Thailand citizens to be informed about the collection and use of their personal data at the time of collection. Organizations that collect personal data must provide individuals with information about what is being tracked, the purpose of tracking, and who it will be shared with.

The Right to Access 

The Right to Access [Section 30], also known as subject access, gives individuals the right to obtain a copy of the information that an organization holds about them. When the organization receives the subject request, it must provide the data subject with information such as the purpose of processing and categories of personal data collected.

The Right to Rectification 

According to Section 35 of PDPA, individuals have the right to request the modification of their data, including the correction of errors and the updating of incomplete information. 

The Right to Erasure 

Under Article 33 of the PDPA, individuals have the right to have their personal data erased. This is only allowed if the data controller is non-compliant or if it is no longer necessary for data controllers to retain personal data in accordance with the purpose of the collection or use. 

The Right to Restrict Processing 

Article 34 of PDPA gives individuals the right to restrict the processing of their personal data. If consumers exercise this right, businesses can continue to store the data but must not use or process that data.

Right to Data Portability 

The right to data portability gives individuals the right to obtain and transfer their data to a different controller or service. 

Right to Object 

Article 32 of the PDPA gives individuals the right to object to the processing of their personal data when visiting your website, and to always have that option available.


How CookiePro helps

Use CookiePro to inform visitors about the processing of their personal information and allow them to object to it when they visit your website. Provide visitors with a customized preference center where they can opt out of the processing of their personal information. Also, provide visitors with a subject access request form to request that their data no longer be processed.

Sign up for an account and get started by taking steps to compliance today.