PDPA - Personal Data Protection Act.

A Practical Overview and Simple Guide to Compliance

gray concrete building under blue sky during daytime

Prestigious paternity...

Origin of the PDPA.

The PDPA, Personal Data Protection Act, is based on European GDPR, legislation created by the European Union to protect the personal data of individuals within the EU. It replaces an older law, the Data Protection Directive, from 1995. The GDPR came into effect on May 25th, 2018 and applies to all businesses that collect or process data from individuals in the EU.

The PDPA is Thailand's version of the GDPR. The PDPA was passed in Thailand in 2019, and has been postponed twice to give time to companies to get relief from the Pandemic before sanctions would apply for non-compliance.

It is based on the same principles as the GDPR but with specific provisions tailored to local Thai laws.

Compliance with the Personal Data Protection Act.

Organizations that do not comply with existing regulations regarding the management of personal data will be subject to administrative fines and potential criminal penalties, depending on the severity of the data breach. In some cases, non-compliance may even result in jail time. 

Companies should take all necessary measures to ensure their policies meet the various standards outlined to protect customers' privacy. This includes implementing and monitoring safeguards such as regularly reviewing internal procedures and processes of personal data, training staff in data protection best practices and performing regular Data Security audits. Additionally, companies must manage customer data securely by storing Sensitive Data safely, limiting access to those who need it and deleting it once it is no longer required.

Always up to date.

enter your email to get updates on the Personal Data Protection laws as they evolve.

Who is concerned?

The PPDPA applies to persons who process personal data collection, use or disclose the personal data of living persons residing in Thailand, Nationals or Foreigners, with certain exceptions (e.g. The personal data protection act covers the collection, processing, disclosure, and transmission of identifying information of data subjects unless otherwise specified). 

The law separates normal personal data and Sensitive personal data and requires different protections and conditions for their respective processing activities by a Data Processor.

The Thai PDPA also has an extra-territorial impact: organizations that have branches abroad and provide goods to Thai residents must comply with the law. Data Controllers are responsible for organising a secure and compliant environment for processing Personal Data.

Personal Data Protection Committee

The Thai PDPA is a law enacted by the personal data protection committee to protect the privacy of a Data Subject and the security of data collected, used, or disclosed by entities operating in Thailand. The PDPA applies to all businesses and organizations that process data of Thai Residents or Data Subjects residing in Thailand. It establishes specific rules for protecting such information and outlines penalties for non-compliance. This law was enacted in 2020 and was delayed two years consecutively. The law addresses normal and sensitive personal data from a Data Subject differently.

The personal data protection committee

The PDPA is intended to give a Data Subject greater control over its data by ensuring that businesses and organizations only process personal data following the Data Subject's consent and in compliance with the principles set out in the Act. It also requires companies to be transparent about how they use, store, or share personal data collected about the Data Subject and to comply with specific security measures, such as the expected data retention period when handling such information.

There are a few guiding principles associated with the Data Protection act by which companies must apply: Lawful, Fair and Transparent - Purpose limitation - Data minimization - Accuracy - Storage Limitation - Integrity and Confidentiality - Accountability. The committee also request and regulate disclosure after a data breach.

The rights of Data subjects.

The Personal Data Protection Act (PDPA) of Thailand is a law enacted by the Personal Data Protection Committee to protect the privacy and security of data collected, used, or disclosed by entities operating in Thailand. The PDPA applies to all businesses and organizations that process data of Thai Residents or Data Subjects residing in Thailand - both nationals and foreigners.

Under the data protection laws, a Data Subject has several rights regarding its data privacy, including the right to access, correct, delete or restrict its data processing, withdraw consent, and the right to data portability. Additionally, the data controller must provide the Data Subject with an explanation of how its data is being used, including for what purpose and with whom it is being shared. This is even more important when it concerns sensitive personal data, like biometric data.

Protecting the privacy and security of Data Subjects

This law represents a significant step forward in protecting the privacy and security of Thai residents’ data. Businesses operating in Thailand must understand their obligations under the PDPA and must take steps to ensure data security with compliant systems and processes. To help companies to meet these obligations, we have compiled a PDPA compliance checklist that outlines the essential requirements of the PDPA and provides tips for the data controller and data processor on achieving compliance, especially over sensitive data.

Data Controllers must also provide Data Subjects with an opportunity to object to any personal data processing that would significantly impact their data privacy, rights, freedom, or legitimate interests. Companies must respond to requests to correct, modify, delete or prevent the transfer of their data.

Other obligations for business operators

The PDPA also imposes data protection obligations on some businesses, such as having a designated DPO responsible for ensuring compliance with the Act and providing guidance and advice about data protection matters. Data Controllers and Data processors can nominate the DPO. Furthermore, entities are prohibited from processing personal data outside of Thailand without express consent from the Data Subject or unless certain conditions are met. A Privacy Notice should always be presented at each individual data collection point.

Personal Data is connected to a Data Subject.

Personal data refers to any data connected to a living human being. The connection may be easy to see, or it might not be obvious. Still, if it is possible to connect the data to an identifiable person, then it counts as the personal data of a Data Subject.

Video Training

PDPA training on Personal Data processing

PDPA Guidelines for Data Processing under PDPA

As a Data Controller, when you understand the Data Classification of personal data, you can now proceed to the next step, understand the rules applicable to the processing of such personal data. This video explains the guidelines that you must strictly adhere before proceeding to any activity on personal Data.

Watch the Video

Introduction to Data Classification

The Personal Data Protection Act (PDPA) classifies personal data into two groups: normal Personal Data and sensitive Personal Data.
Classifying your data is essential, and ignorance of the rules can result in steep fines. Familiarize yourself with how to accurately classify data processing obligations.

Watch the Video

Discover the Lawful Basis for processing Personal Data    

Coming soon!


Data Controllers

The Data Controller is a person, or legal entity that makes decisions regarding collecting, using, and disclosing personal information, especially sensitive data. 

Data Processors

Process personal data per instructions from the data controller. Has no authority over its use. A data processor can not be an employee of the Data Collector.

Data Protection Officer

The data protection officer Is an individual who oversees and ensures compliance with personal data protection laws and regulations. He is also the interface with the PDPC

Key Definitions

Data Controllers are a person or legal entity that holds the authority to make decisions regarding collecting, using, and disclosing personal information. Data Controllers must ensure they take the necessary steps to protect an individual's data, such as providing information on how their data will be used and offering access upon request.

Data Processor manipulates personal data per instructions from the personal data controller and has no authority over its use. The directive comes solely from the Data Controller responsible for collecting and utilizing such information.

DPO: Data Protection Officer (Nominated by DP and DC) is a designated individual who oversees and ensures compliance with data protection laws and regulations. The DPO is responsible for monitoring the processing of personal data, ensuring that any potential risks are identified, and advising on how to mitigate them. They must be knowledgeable about applicable data protection legislation, possess relevant technical expertise, and have the authority to ensure policies are correctly implemented.

Personal Data refers to any details related to a Data Subject that can be used to identify them directly or indirectly. It can be further divided into Normal Personal Data and Sensitive Personal Data. Note that this does not include information on those who have passed away.

Data Subject is a living person identified by the Processed Personal Data.

Sensitive Data includes any personal data related to racial or ethnic origin, political opinions, religious beliefs, sexual behaviour, criminal records, health status, and biometric data. Such personal data also encompasses trade union membership details and genetic data that may similarly affect individuals.

DPIA: Data Protection Impact Assessment (DPIA) helps identify, assess and mitigate any potential risks associated with a processing activity by evaluating all aspects of the project and the risks to the Data Security of the Data Subject. it also includes technical and organizational measures that can be implemented to protect data subjects’ rights

DPA: Data Processing Agreement (Contract) is a legal contract between the data controllers, the organisation or person responsible for collecting personal data, and the processor or service provider who processes it on behalf of that organisation. It outlines the responsibilities of both parties to ensure compliance with applicable laws and regulations covering the processing of personal data.

ePrivacy: Compliance for Web Marketing and Emails is separated from PDPA. It imposes that businesses comply with ePrivacy laws when sending emails, collecting website visitor information and running online marketing campaigns. This includes obtaining opt-in consent from the Data Subject before any marketing activities occur. Furthermore, notices must be placed on websites informing customers of their right to object to the usage of cookies or similar.

Are Data Controllers ultimately responsible?

Yes, the data controller is ultimately responsible for the security of the processed information about the data subject. He is also responsible for organising the processing of data collected in compliance with the PDPA, which means all the processes and the infrastructure supporting them and the cybersecurity where the Data will be kept. 

This means the Data Controller must take all necessary steps to ensure the security of this data, including implementing a PDPA compliance checklist and providing personal data remains accurate.

A Data Controller holds regular reviews and audits, ensuring that data is not kept for longer than necessary and implements a robust data protection policy. The data controller sends clear instructions, as he should also ensure that their data processors comply with the PDPA by establishing data processing agreements. It is also essential for a data controller to avoid any third party disclosing personal data. Also, the Data Controller must ensure that the Data Processor, whom they may share personal data collected with, is compliant.

What are the 7 Guiding Principles of PDPA

The principles of PDPA guide how data controllers and data processors should collect and use personal data. 

Lawful, Fair and Transparent , requires that data collection be carried out transparently and lawfully. 

Purpose Limitation , states that data must only be collected for specific purposes and no other purposes. 

Data Minimisation ensures that the data collected is only the minimum required to fulfil its purpose. 

Accuracy , calls for accurate information-keeping of the collected data. 

Storage Limitation  limits the amount of time personal data can be stored. 

Integrity & Confidentiality requires organizations to protect personal data against unauthorized access or use. 

Accountability puts the responsibility on the organization to adhere to its obligations under PDPA.

PDPA offers six lawful bases under which Personal Data can be processed

Before you process information about a data subject, you must determine which of the six lawful bases is relevant for your processing activities. 

Contractual states that you can process an individual’s data if it is necessary to fulfil an agreement with them. 

Legal obligation states that if there is a statutory obligation or other binding law that requires the processing of personal data, then this forms a lawful basis for such processing. 

Vital interests allow you to process an individual’s data where it is necessary to protect someone’s life or health. 

A public task allows you to process personal data when it is necessary to perform a task which is in the public interest or carried out by the official authority of the controller. 

Legitimate interest allows you to process personal data where there has been a ‘legitimate interest identified by the controller or by a third party’. This means that there must be some benefit from processing this data, and this benefit must outweigh any negative impacts on the Data Subject's rights and freedoms.

Consent requires that individuals have given unambiguous consent for their data to be processed for a specific purpose. This means that the individual has been informed about how their data will be used and has explicitly agreed to it.
Consent is the last resort for processing authorisation. As consent must be given freely and without dependency on any other event, it is best to use Consent when no other basis can be used.


The PDPA sets out a clear framework to protect personal data and develop procedures to prevent anyone discloses personal data. To comply with this legislation, a data controller must take all necessary steps to protect the personal data they collect, use, and store. This includes implementing a PDPA compliance checklist and ensuring that their data processors meet legal requirements. Ultimately, a data controller is responsible for ensuring the security of this data and should take all necessary steps to ensure that any data collected is lawful, secure, and accountable to the Data Processor.

For help with CyberSecurity and preparing your processes and environment in full compliance with the PDPA, visit https://safecoms.com or write to DPO@safecoms.com for a pre-security audit to start you well on your journey.