Reduction of Government Fees

W hat marketers and business owners should know about the Thailand’s Personal Data Protection Act (PDPA)?

Thailand has adopted the principals of the EU General Data Protection Regulation (“GDPR”). The Personal Data Protection Act (“PDPA”) legislation was approved and published in the Royal Gazette on May 27, 2019.

A one-year grace period has been given, while the committee and office are being formed, so there is only a short time to prepare for regulatory impacts.

The PDPA will not only have an impact on digital marketing and how marketers effectively target customers, but will also impact all businesses collecting data from persons residing in Thailand.

What is the Personal Data Protection Act (PDPA)?

By default, PDPA is the territorial recognition of GDPR and is designed to protect personal data in digital format against identity theft and misuse. Personal data being collected, processed, distributed, and transmitted or transformed in any manner and for any purpose is also governed by the PDPA. As such, marketers and business units who collect and make use of their customers’ personal data in the course of operation are required to comply with the PDPA.

What is personal data?

PDPA defines personal data as associated data, which can identify a natural person either directly or indirectly, except for the deceased. In other words, personal data is any kind of customers’ or users’ identity having been received with or without notice, including biological data e.g. fingerprint, voice recognition, face detection, etc.

Personal data is generally collected by a data controller and analyzed by a data processor for commercial and business development purposes despite consideration or any payment in kind. It could be the product of paper-based or online registration, customer warranty registration, services or credit application form, exhibition registration, cookies, or even a digital footprint. Protection extends to those who have been compelled to provide their data subject to early services or product acceptance procedures and later, having their data gradually collected by implied consent in terms of users’ behavior. Additionally, personal data shared across marketing or business units as a secondary source to enhance customer engagement is also subject to the law.

Who is subject to the PDPA?

Basically, it is the data controller and the data processor that are regulated by the PDPA. PDPA defines the ‘Data Controller’ as a natural or juristic person who is authorized to collect, use, or disclose personal data, and the ‘Data Processor’ is the person who proceeds with collection, usage, or disclosure of such data on behalf of or according to the data controller’s instructions. However, the data processor is not the data controller. Simply, one person cannot function as the data processor and the data controller at the same time and under the same body. The core function must be carried out independently, even though, they are under the umbrella of affiliated companies.

The data controller can be the business owner or brand that acquires the users’ or customers’ personal data through a registration or membership system. On the other hand, the data processor can be an agency or hosting service provider.

What are duties of the data controller and data processor?

The data controller and the data processor are distinguished by their duties under the PDPA, even though the descriptions seem to be overlapping to some extent.

In general, the processor has lesser duties than the controller, provided that the processor could be held liable as if they were a controller, should they fail to comply with the controller’s instructions with regards to the collection, usage, and disclosure of personal data.

PDPI Data Controller vs. Data Processor Duties

* The content of this table is merely a summary of concerning sections of the PDPA. Crucial details must be further sought for implementation.

Multi-national corporations including their branch and representative offices are subject to the PDPA, either as the controller or the processor. The former would be most likely the case when they engage with local customers or engage in business-related activities internally and externally. The main concerns are the restrictions on personal data transmission overseas, particularly sensitive data, such as biological data, health records, labour union data, political comments, sexual behavior, etc.

How to prepare for the PDPA regulatory impact?

PDPA generally applies to the online and offline businesses as long as personal data is collected and processed in the course of their business operations. The act is extensive to the universal personal data including those of the customer, business partner, user, target research, employee, etc., either retrieved from primary or secondary sources.

With the PDPA less than 12 months away, businesses must make the collection and management of personal data a priority. Here are 4 practical steps that businesses can follow to prepare for the regulatory impact:

  1. Implement a privacy policy and inform personal data owners of the personal data collection, usage, or discloser purposes upon engagement. The privacy policy can be equivalent to the ordinary cookies policy to make the visitors aware of tracking and records. There is not as of yet strict wording under the PDPA nor minimum requirements, which would be subject to the committee’s announcement. As such, the simple communication containing all legal requirements is fine for now.

  2. Obtain the personal data owners’ explicit consent. It can typically be demonstrated by a landing page or first page privacy policy acceptance form prior agreed in order to enjoy the product or service. It is advised to bear in mind that this take-it or leave-it scheme may not last very long, because it can be viewed as a blatant obstacle by the seller against the products or services already purchased. Thus, it is highly recommended to obtain consent before payment or landing.

  3. Create a contact channel where the data owners can withdraw their consent, request an update, or erase their data, should they wish. Currently there are no specific requirements for the contact channel. Thus, it can be a hotline, e-mail, tied-in links, or even a letter. However, it must allow the data owners to express their will as easily as possible. The data log must be created and maintained in an appropriate manner.

  4. Start looking at internal audit policies and creation of a personal data protection unit according to the PDPA’s requirements. This additional cost is unavoidable. Thus, advanced budget planning would prevent redundancy and associated deficiency.

There is an exemption for ‘Small Enterprise’. However, the criteria are not yet set and will be further defined by the committee. The minimum requirements and subordinate rules are predicted to be known as soon as the committee is formed, so are the following administrative procedures and law enforcement when the office is in place.

What are the penalties for non-compliance?

PDPA outlines strategic and common duties between the high data controller and the data processor. Any failure to comply with the PDPA would subject them to the maximum imprisonment up to 1 year and/or fine penalty up to 5 million Baht, although, some of these are rarely compoundable offenses. As such, integrated collaboration is essentially required to mitigate the legal exposures.

What will happen with the personal data obtained before the PDPA?

Previously obtained data may be kept and used according to the original purposes. However, data owners must be informed that they can erase the data or withdraw their prior consent. Other than that, disclosure and related activities e.g. transmission, sharing, processing, etc. of such data must comply with the PDPA regulations.

Final Thoughts

In the past, personal data has been exploited in various ways as data controllers and data processors could do as they please due to lack of regulatory controls, legal protection, and law enforcement. That will change after the PDPA comes into force.

We recommended businesses collecting personal data of persons residing in Thailand to familiarize themselves as early and as comprehensive as possible with the PDPA and reconsider their policies and procedures for handling personal data.

We will monitor the development of the PDPA subordinate laws and regulations and we will provide you with updates once these will become available.


We hope that the information provided was helpful to you. If you have any further questions, please do not hesitate to contact us. We will make sure that your question will be brought to the right person’s attention and we will deliver a prompt response.


The above information is intended to highlight an overview of key issues for ease of understanding and cannot substitute a personal consultation with a qualified lawyer. We highly advise you to read this article in conjunction with appropriate advice from your legal counsel to determine the legal implications this article might have on your business and how to mitigate exposures as much as possible.

Despite applying due care when selecting and producing the information published on this newsletter, we accept no liability in case such information is not accurate, up-to-date or complete.
Under no circumstances shall any company of the Antares Group or any of its directors, partners, lawyers or any other professionals be liable for any direct or indirect, incidental or consequential loss or damage that results from the use of or the reliance upon the information provided.