
What does Thailand’s PDPA have in store?

Article by Tsaaro


Personal data privacy is a hot global issue that is quickly becoming a priority for Thailand’s leaders. They understand that changes to their organizations’ procedures must be carefully planned and well considered. There is no alternative to managing and securing personal data in order to ensure compliance and demonstrate accountability.

The Personal Data Protection Act (PDPA) has certain requirements that are similar to those found in the GDPR. These include standards for data controllers and processors, as well as equivalent legal bases for processing personal data. The PDPA and the GDPR, on the other hand, have some major distinctions, such as the PDPA’s lower monetary penalties compared to the GDPR and its addition of criminal penalties of up to one year of imprisonment. Thailand’s PDPA also establishes the Personal Data Protection Committee (‘PDPC’) to create and issue data protection sub-regulations, among other things.

Does Thailand’s PDPA Apply to Your Organization?

The PDPA applies to a person or legal person that collects, uses, or discloses the personal data of a natural, living person with exceptions such as when the activity is performed as part of household activity.

Territorial scope

The PDPA applies to processing activities conducted by a data controller or data processor that is based in Thailand.

Regarding the extra-territorial scope of the PDPA, the law applies to organizations outside of Thailand when their processing activities relate to the offering of goods and/or services to individuals in Thailand or to monitoring the behavior of individuals residing in Thailand.

Material scope

Data that falls under the material scope of the PDPA includes general personal data such as name, date of birth, email address, etc. Furthermore, specific requirements and exemptions apply to the processing of certain types of personal data, such as racial, sexual, and health data.

Data Subject Rights under the PDPA

The PDPA grants data subjects several rights that closely resemble those found in the GDPR. Furthermore, the PDPA requires organizations to inform data subjects of their rights prior to or at the time of the collection of their personal data.

The following are the rights of a data subject under the PDPA:

  1. Right to be informed

The data controller must inform the data subject of the details of the processing activity, such as the purpose of the collection, data retention periods, etc.

  2. Right to access

The data subject has the right to access or request a copy of their personal data collected, used, and disclosed by the data controller.

  3. Right to rectification

The data subject has the right to correct incomplete, inaccurate, misleading, or outdated personal data held by the data controller.

  4. Right to erasure

The data subject has the right to request the data controller to delete or de-identify their personal data. There are some exceptions to this right whereby data controllers are required to retain the data to comply with a legal obligation or to establish, exercise, or defend legal claims.

  5. Right to object/opt-out

The data subject has the right to object to the collection, use, and disclosure of their personal data in certain circumstances, such as for direct marketing purposes.

  6. Right to data portability

The data subject has the right to obtain the personal data that the data controller holds about them in a structured electronic format and can request to send or transfer such data to another data controller.

  7. Right not to be subject to automated decision making

The PDPA does not explicitly provide for the right not to be subject to automated decision-making. However, the data subject has the right to restrict the use of their personal data in certain circumstances.

A Few Steps to Thai PDPA Compliance

  1. Appoint a Data Protection Officer (‘DPO’)

Section 41 of the PDPA requires organizations to appoint a DPO in certain circumstances. The DPO’s responsibilities include informing and advising the organization of its obligations, monitoring the performance of the data controller and data processors, and acting as a point of contact with the Personal Data Protection Committee.

  2. Implement a Data Subject Rights Request (DSAR) process

The PDPA provides data subjects with specific rights relating to the collection and use of their personal data. Implementing an automated DSAR process can help streamline the intake and fulfillment of DSARs and can help manage, track, and report on the requests your organization receives.

  3. Monitor and measure personal data risks

Developing internal processes to monitor potential risk to personal data is critical for organizations looking to comply with the PDPA and to avoid monetary penalties ranging up to THB 5 million (approx. €129,000). By monitoring potential risks across the data ecosystem, organizations can identify gaps, reduce the risk of potential data breaches, and assist in the fulfillment of data subjects’ rights.

  4. Optimize data collection and survey risk across your business

Section 39 of the PDPA requires businesses to maintain records of data collected and specify the purpose for its use. Implementing PDPA-specific Privacy Impact Assessments (PIAs) helps organizations comply with the data minimization and purpose limitation principles specified in the PDPA and helps them understand risk across processing activities.

Implementation & Conclusion

The Ministry of Digital Economy and Society has been preparing 29 laws linked with the PDPA over the past two years of the PDPA’s delay, with 10 being treated as a priority. Enforcement of the PDPA is scheduled to begin on 1st June 2022, while the Personal Data Protection Committee was finalized on 18th January 2022.

To summarise, the PDPA focuses on balancing fairness and protection, while also ensuring that it does not discourage innovation or new business, because data is the future and offers opportunity. The PDPA will be enforced against those who abuse the flow of personal data, whereas it will support those who properly handle users’ personal data to facilitate their business.
