Download PDPA documents including Company Policy and Consent Form to collect, store, and utilize personal data from your business's clients, users, and/or employees.
Learn more about PDPA Company Policy and Consent Form in Thailand
Safeguard your business in Thailand with our PDPA Consent Form and Privacy Policy templates. Designed to align with the Personal Data Protection Act (PDPA) in Thailand, these tools ensure you collect, store, and use personal data legally and responsibly. The PDPA Consent Form secures explicit consent, promoting transparency, while the Privacy Policy outlines your commitment to safeguarding privacy. By using these templates, you not only comply with Thai data protection laws but also build trust with your clients and employees.
Personal data, as defined in Article 6 of the PDPA, is any data that directly or indirectly identifies a person. This includes a person’s name, address, e-mail address, phone number, identification number, and any other information that identifies them. The PDPA provides additional protection for sensitive personal data, which includes information about:
➤ Health information, biometric information, and genetic information
➤ Gender, sexual orientation, and disability
➤ Ethnicity, race, and religion
➤ Information about trade unions and political opinions
If the data collected by a business, a website or an employer about someone can be used to identify this person (the data subject), this person is protected under the PDPA. Personal data about customers, clients, website users or employees may be obtained only if there is a legal basis for doing so. Legal obligations, public interest, legitimate interest, and consent are all examples of such a legal basis.
What is the Thailand PDPA?
The Thai Personal Data Protection Act 2019 (PDPA) was published in the Royal Gazette of Thailand on May 27, 2019. The PDPA is Thailand’s first data protection legislation. Personal data privacy is a major topic around the world, and it is quickly becoming a priority for Thai politicians. They understand that their organizations’ procedures require thorough preparation and thoughtful improvements. There is no way to ensure compliance and demonstrate accountability other than to handle and preserve personal data properly.
Thai businesses are fully aware of data privacy risks and requirements, and they have made significant progress in this area. We can see that the foundation has been laid, yet there is still more to be done. Companies must take a comprehensive approach across all key areas and functions, with enough resources and clearly defined duties, in order to be completely prepared for June 2022 and beyond.
ℹ️ To treat data privacy and protection as a basic compliance exercise is to miss out on the opportunities that data may provide. It may help businesses expand faster and solve challenges, as well as establish trust among consumers, partners, employees, and investors. Personal data security takes time, but it’s well worth the effort.
Who does the PDPA apply to?
All individuals, corporations, and websites that gather personal data from Thai users are subject to the PDPA. The law also applies to international enterprises that conduct business with Thai citizens or gather personal data for the purpose of providing products or services to them or monitoring their behavior.
A data controller may continue to use personal data gathered before June 1, 2022, under the PDPA. However, the data controller must:
➤ Allow current data subjects to object to the continuous usage of their personal information. This can be accomplished by making available a way for data subjects to withdraw consent, allowing them to tell the data controller that they no longer wish the data controller to use their personal data
➤ If no objection is received, use the Personal Data only for the original purpose for which it was gathered
How to comply with the Data Protection Act?
Personal data must be collected, used, and disclosed in accordance with one of the six legal bases stated below. In all other circumstances, the data subject’s consent is required for the collection, use, and disclosure of personal data. The six legal bases are:
1. for the creation of historical or archival materials of public interest, or for research or statistics, provided that suitable safeguards for the data subject’s rights and freedoms are in place, and in accordance with any notification mandated by the Office;
2. to avoid or remove a threat to a person’s life, body, or health;
3. it is required for the fulfilment of a contract to which the data subject is a party, or to act at the data subject’s request prior to entering into a contract;
4. where the data controller’s execution of a duty in the public interest or the exercise of official power vested in the data controller necessitates it;
5. for the data controller’s or any other person’s legitimate interests, unless those interests are overridden by the data subjects’ basic rights with relation to their Personal Data; or
6. where it is required by any law to which the data controller is subject.
PDPA Consent
Consent requests must now be separated from other documents and presented in plain English and Thai. This means that consent requests cannot be hidden in small print or bundled with other terms and conditions. If the consent is written in only one language, there is a real risk that native speakers of other languages will challenge it as not having been requested in accordance with the PDPA. The following criteria must be met for PDPA consent to be valid:
➤ The data subject must be informed of the purpose of the collection, use, or disclosure of personal data in a written statement or by electronic means
➤ The consent request must be distinct from any other material sent to the data subject
➤ The consent request form must be simple and easy to understand
➤ The consent request must be stated in clear and plain language
➤ The consent request must not be misleading or deceptive to the data subject as to its goals
PDPA Privacy Notice
Before or at the time of collecting personal data, a data controller must provide a privacy notice to the data subject. The notice must include the following information:
➤ The Personal Data to be collected
➤ The purpose of the collection, use, or disclosure of the Personal Data, including the legal basis relied on
➤ Whether the data subject is required to provide Personal Data, including the consequences if the data subject does not provide Personal Data
➤ The period for which the Personal Data will be retained and, if this is not possible, the period of data retention provided for under the data retention standard
➤ The types of individuals or entities to whom the Personal Data may be disclosed
➤ The data controller's contact details and, if applicable, the data controller's representative or the data protection officer's contact details
➤ The data subject's rights, which include the right to withdraw consent, the right to access and obtain a copy of the Personal Data, the right to request that the Personal Data be transferred to other data controllers in machine-readable formats, the right to object to the collection, use, and disclosure of Personal Data, the right to request erasure, the right to request suspension of use, the right to have Personal Data accurately maintained, and the right to lodge a complaint
Notification of breaches
A data controller must notify the Office within 72 hours of becoming aware of a data breach affecting personal data. If the breach is considered to pose a high risk to the data subject’s rights and freedoms, the latter must be notified as soon as possible.
Security obligations
A data controller has an obligation to protect Personal Data, which includes:
➤ Ensuring that suitable security measures are in place to protect Personal Data from unauthorized or unlawful loss, access, use, alteration, correction, or disclosure
➤ Preventing the recipient of the Personal Data (e.g., a data processor) from using or disclosing the Personal Data in an unauthorized or unlawful manner
➤ Ensuring that a system is in place to remove Personal Data once the retention period has passed
Cross-border data transfer
When a data controller sends or transfers personal data to a foreign jurisdiction, the destination country must have adequate data protection standards, unless an exemption applies (e.g. the data subject’s consent is obtained for the transfer of personal data to a country with inadequate data protection standards, or the transfer is made to comply with the law). The guideline defining sufficient data protection standards has yet to be released.
Sanctions
A violation of the PDPA can result in civil, criminal, and administrative penalties. A data controller who collects, uses, or discloses personal data without the data subject’s consent (where consent is necessary) faces fines of up to THB 5 million (or up to 4% of a company’s total revenue) and criminal penalties of up to one year in prison.
5 steps to comply with the PDPA
Step 1: Determine if the PDPA applies to your company and its operations. If you are subject to the PDPA, you must take the following steps:
Step 2: Create a flowchart for your data (e.g. what data the organization collects, how it is collected, and how it is used).
Step 3: Allow data subjects to object to the continuous use of their personal data for existing personal data, and only use personal data for the intended purpose. However, if the data controller has not already given a privacy notice to its data subjects containing the relevant information, it must do so by June 1, 2022.
Step 4: Determine the legal basis for future collection, use, or disclosure of personal data to see if data subjects’ consent is required. Your customers, business partners, or any other party from whom you receive personal data will require a privacy notice and, if necessary, a consent request.
Step 5: Follow the PDPA’s other requirements for the data controller.
Suggestions for assessing compliance with the PDPA
When it comes to PDPA compliance, we propose that businesses (i.e. data controllers) rely on consent from their individual consumers as little as possible, because consent is a fragile legal basis that can be revoked at any time. Because the PDPA is still new, some people believe that consent is always required, but this is not the case. In truth, data controllers can rely on a number of more durable legal bases, such as contractual necessity, legitimate interest, and legal obligations, which should be used wherever possible.
Furthermore, when preparing a privacy notice to comply with the PDPA’s notification requirements (under section 23 of the Act), businesses must ensure that the notice contains “clear and sufficient information” so that data subjects can understand and reasonably expect the consequences of their personal data being shared.
It should be noted that, unlike other criteria, the idea and rules for personal data belonging to children (minors) deviate from international standards since they have been expressly localized for Thailand to match with the Thai Civil and Commercial Code’s restrictions on minors.
International and local multinationals with subsidiaries in various countries may consider drafting binding corporate standards (or localizing them where appropriate) for cross-border transfers of personal data within their corporate group in light of the PDPA’s cross-border transfer requirements.
The Data Protection Commission will issue additional regulations in the near future to clarify the requirements for the 72-hour notification of data breaches and the qualifications required of the Data Protection Officer (DPO).
Finally, the PDPA contains a grandfathering clause that may allow businesses to continue collecting and using personal data for their original purposes after the PDPA takes effect in 2022. When implementing their compliance plan, companies should pay special attention to these requirements and their implications for existing practices and processes.
What are the current security standards for personal data?
The Thai Ministry of Digital Economy and Society (MDES) published a notification in the Government Gazette on July 17, 2020, outlining the minimum security standards for personal data under the Personal Data Protection Act (PDPA). This MDES notice is valid from July 18, 2020, through May 31, 2022.
The notification’s minimum standards are roughly in line with widely accepted security standards around the world, as stated in the International Organization for Standardization’s ISO/IEC 27001 information security standard. Those who are familiar with ISO/IEC standards, however, may observe that the MDES notification is less thorough and provides less guidance.
For convenience of reference, comparisons of the essential elements of the MDES notification with the comparable aspects of ISO/IEC 27001 are provided below.
When using personal data, the security standards defined by the MDES notification require the adoption of administrative, technical, and physical safeguards for access control. Implementing the measures indicated in the left-hand column below (read together with the corresponding ISO/IEC 27001 measures) is required to achieve these safeguards.
The standards outlined in the notification are the bare minimum that data controllers must follow, and there are no restrictions on standards or actions that go above and beyond the basic criteria (such as ISO/IEC 27001). As a result, many multinational organizations may consider adopting data protection standards that exceed the new Thai notification’s criteria in order to harmonize their data protection responsibilities across several jurisdictions and ensure legal compliance. This notification can be enforced by the Minister of MDES.
What does the extension mean for businesses?
This extension allows businesses additional leeway in preparing for PDPA compliance. Companies should continue to watch for additional regulations that will be published for public hearings prior to adoption throughout the extension period. The government has publicly stated that the supplementary regulations will recognize and follow international data protection standards, similar to the principles recognized in the PDPA itself, which are heavily influenced by international data protection standards, particularly the EU’s General Data Protection Regulation (GDPR).
➤ Companies headquartered outside of Thailand may be subject to the PDPA if they provide goods or services to Thai data subjects (with or without the exchange of money or other valuable items) or if they monitor data subjects' behavior in Thailand. This is referred to as "extraterritoriality" and is akin to a GDPR principle that is universally recognized.
➤ Companies that have not yet undertaken their GDPR compliance self-assessment should take advantage of this opportunity to start the process, identify compliance gaps, and build mitigation measures to close those gaps.