PDPA Compliance

The Personal Data Protection Act


What is the PDPA and Why Every Business Must Know It?

The Personal Data Protection Act B.E. 2562 (2019), known as the PDPA, came into full effect on June 1, 2022. Its purpose is to safeguard the rights of individuals in Thailand regarding their personal data.

With the PDPA, Thailand has aligned its data privacy standards closer to international frameworks such as the GDPR. This requires both government and private organizations to adjust and strengthen their data management practices.

The PDPA is not merely a guideline or standard; it is an Act of Parliament, making it a national law. It applies to both individuals and organizations in Thailand, as well as to actions involving the personal data of people in Thailand.

  • Rights and Duties: The law grants rights to data subjects (individuals) and imposes duties on data controllers and processors (organizations or persons handling personal data).
  • Regulatory Authority: The Personal Data Protection Committee (PDPC) was established to issue regulations, oversee compliance, and enforce the PDPA.

Relationship with Other Laws

While the PDPA focuses on personal data protection, it interacts with other laws:

  • Electronic Transactions / Computer Crime Laws: The PDPA emphasizes protecting data and individual rights, while computer-related laws focus on punishing offenses against computer systems and stored data.
  • Industry-Specific Regulations: Some sectors, such as finance or healthcare, may have stricter data protection rules. Organizations must comply with the most stringent applicable laws.

In summary, the PDPA defines the legal boundaries and requirements for handling personal data in Thailand, ensuring both protection of individual rights and accountability of organizations.

Liabilities and Legal Penalties

As a law, the PDPA sets clear penalties for violations to ensure effective enforcement. These include:

a. Civil Liability

Individuals affected by a data breach have the right to file a lawsuit for damages. Courts may award punitive damages up to two times the actual loss.

b. Criminal Liability

Applies to intentional misconduct, such as misusing sensitive data. Penalties include imprisonment of up to 1 year, a fine of up to 1 million THB, or both.

c. Administrative Penalties

For violations such as processing without proper consent or without adequate security measures. Fines may reach up to 5 million THB, depending on the severity of the breach.

Cases Where the PDPA Applies or May Be Violated

The situations where the Personal Data Protection Act (PDPA) applies, or where a violation may occur, can be divided into four main categories:

1. Unlawful Collection of Data

Applies when organizations collect personal data without a valid legal basis.

  • Website Cookies: Collecting non-essential cookies without a consent banner.
  • Excessive Data Collection: Forcing users to provide unnecessary information.
  • Improper Public Data: Taking personal data from public sources (like social media) without notifying the owner.
  • CCTV without Notice: Installing cameras without visible signs informing people.

2. Unlawful Use or Disclosure

Occurs when organizations use collected data for purposes not consented to.

  • Selling Customer Lists: Disclosing contact details for commercial gain.
  • Direct Marketing: Sending promotional emails/SMS to individuals who never consented.
  • Disclosing Sensitive Data: Unlawfully revealing health records or criminal history.
  • Cross-Border Transfers: Transferring data overseas without adequate protection.

3. Data Breach & Security Failures

Occurs when organizations fail to maintain adequate data security.

  • Cyber Attacks: Database systems being hacked, exposing sensitive data.
  • Employee Errors: Sending emails to the wrong recipient or losing devices.
  • Failure to Report: Failing to notify the PDPC within 72 hours of discovering a breach.

4. Ignoring Data Subject Rights

Occurs when organizations deny individuals rights without a valid legal reason.

  • Refusal to Delete Data: Rejecting a request to erase data without legal exemption.
  • Refusal of Access: Failing to provide a copy of personal data held.
  • Ignoring Objections: Continuing to use data after the individual has objected.

Key Provisions of the Personal Data Protection Act

  • Section 19 (Consent Principle): The core provision requiring that the collection, use, or disclosure of personal data must be based on the data subject's consent.
  • Section 23 (Duty to Inform): Data controllers must clearly inform data subjects of the purpose and details of processing.
  • Sections 30-36 (Data Subject Rights): Define rights including the Right of Access (Sec. 30), the Right to Object (Sec. 32), and the Right to Erasure (Sec. 33).
  • Section 37 (Security Measures): Organizations are required to implement appropriate security measures.
  • Section 37(4) (Breach Notification): Data controllers must notify the PDPC of a data breach within 72 hours.
  • Section 78 (Criminal Penalties): Imprisonment of up to 6 months or a fine of up to 500,000 THB for unlawful use causing harm.
  • Section 82 (Administrative Penalties): Fine of up to 5 million THB for violations of key obligations.

Ensure Your Business is PDPA Compliant

Failure to comply with Thailand's Personal Data Protection Act can result in catastrophic fines and criminal liability. Protect your organization by consulting with our data privacy experts today.

Verified Legal Content
Pacific Law Legal Expert Team
Our legal guides are meticulously audited and compiled by registered corporate attorneys at Pacific Law Thailand, specializing in international private law, corporate legal instruments, and data privacy compliance.