Skip to main content

What Is the Personal Data Protection Act (Thailand)?

The Personal Data Protection Act (PDPA) is the first law in Thailand introduced for data protection. In a similar manner to the EU’s General Data Protection Regulation (GDPR), the law covers the aspects of collection, usage and disclosure of personal data. Like with any other law, there are conditions and limitations on how the obtained data can be processed.

Personal Data, under this law, is “any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased Persons in particular” (translation by the Thai Netizen Network).

Such data is obtained mainly for the purpose of observing and monitoring behaviours of Data Owners. The data includes a person’s name, date of birth, address, email, ID card and passport numbers, educational and financial information, medical and criminal records as well as any physical recognition patterns.

More sensitive and confidential data, such as those relating to ethnicity, race, political or philosophical beliefs, sexual behaviour, disabilities and genetic data require special consent from the person prior to collection and should be protected through suitable measures to prevent any occurrence of misuse.

On the other hand, a Data Controller is a natural or juristic person who gains access to data by obtaining consent from the Data Owner, in writing or online, to use the obtained data. This can be an organisation such as a financial institution.

Under the Personal Data Protection Act B.E. 2562, Data Owners have rights such as:

  • the right to be informed
  • the right and means to access their data
  • the right to data portability
  • the right to object to the collection and use of their data
  • the right to the erasure of their data
  • the right to restrict the processing of their data

There are restrictions on the transfer of personal data overseas as well. Furthermore, if there is a breach of personal data, then the Personal Data Protection Commission (PDPC) would normally need to be notified.

Due to the sensitivity of the matter, it is advised to study PDPA laws closely and learn of any prohibitions specific to your intended use of data. For any queries relating to this issue, our PDPA lawyers would be pleased to assist, such as by reviewing your data collection policies, Terms and Conditions, etc.