
Thailand’s PDPA: Definition, Similarities with GDPR, and FAQs answered

While the internet and related technology have evolved at a rapid pace, data privacy, and the laws that protect it, have gained momentum only recently. Over the last few years, governments and internet users have become increasingly aware of data privacy and of the large-scale consequences of misusing personal data.

Some governments have taken steps to protect the data their residents share over the internet. Thailand is one of them: it has enacted the Personal Data Protection Act (PDPA), which aims to protect personal data and to ensure that data is collected and used only for the purpose it was collected for.

The GDPR, or General Data Protection Regulation, is Europe's data protection law and has applied since May 2018. In this post, we look at Thailand's PDPA and its similarities to the GDPR.

What is Thailand’s PDPA?

Thailand's Personal Data Protection Act (PDPA), B.E. 2562 (2019), protects the personal data of natural persons in Thailand. It applies to individuals regardless of nationality; what matters is that the data subject is in Thailand.

Data subjects under the PDPA have the right to:

  • Be told what data is collected about them, why, and how it will be used.
  • Give consent to the use of their personal data, and withdraw that consent at any time, as easily as it was given.
  • Not be refused service or otherwise disadvantaged for declining to give consent.
  • Access the data collected about them and obtain a copy of it.
  • Object to how their data is being collected, used or disclosed.
  • Decide what information they disclose and which purposes an organisation may use it for.
  • Have inaccurate data corrected.
  • Have their data transferred to another data controller in a machine-readable form.
  • Have their data erased, destroyed or anonymised when it is no longer needed or consent is withdrawn.
  • Have processing of their data restricted.
  • Lodge a complaint with the Personal Data Protection Committee.

Definition of PDPA

The PDPA is the law that keeps personal data about individuals in Thailand safe by regulating how it may be collected, used and disclosed. The Personal Data Protection Committee (PDPC) and its Office oversee and enforce the Act.

Does the law apply to you?

Although the PDPA is a Thai law, it is not limited to activity inside Thailand. It applies to any controller or processor in Thailand, and also to controllers and processors outside Thailand that offer goods or services to data subjects in Thailand (whether or not payment is involved) or that monitor their behaviour within Thailand. Where the data is physically accessed from makes no difference.

How Can Publishers Comply with PDPA?

User consent is central to data protection. Publishers must run a strict opt-in consent model: nothing that collects personal data runs until the user has affirmatively agreed, and consent must be requested separately from terms and conditions, with no pre-ticked boxes. Consent can be collected through a consent management platform or a form of your own, as long as it records what the user agreed to and when.

The privacy policy has to state both the reasons for gathering data and the tools used to do so. Controllers and processors must tell users how their data will be used before, or at the time, it is collected.
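As an added illustration (not code from the original post or from any consent vendor), the following script shows what a strict opt-in gate for a publisher's third-party tags looks like in practice: no tag loads until per-purpose consent has been affirmatively recorded, withdrawal is the same single call as granting, and consent given under an earlier version of the privacy policy is not reused once the policy changes. The purpose names, tag URLs, storage interface and policy version numbers are assumptions made for the example.

```javascript
'use strict';

// Purposes the publisher declares; each third-party tag is tied to exactly one.
// These names and descriptions are illustrative, not taken from the Act.
const PURPOSES = Object.freeze({
  analytics: 'Measure page views and performance',
  advertising: 'Show personalised ads via named ad partners',
});

class ConsentStore {
  // `storage` is any object with getItem/setItem/removeItem: window.localStorage
  // in a browser, or the in-memory stand-in below when running under Node.
  constructor(storage, policyVersion, now = () => Date.now()) {
    this.storage = storage;
    this.policyVersion = policyVersion;
    this.now = now;
    this.key = 'consent:v' + policyVersion; // consent is scoped to a policy version
  }

  _load() {
    const raw = this.storage.getItem(this.key);
    return raw ? JSON.parse(raw) : {};
  }

  // Record one choice for one purpose. Only an explicit boolean is accepted,
  // so there is no default grant and no "deemed" or pre-ticked consent.
  record(purpose, granted, thirdParties = []) {
    if (!(purpose in PURPOSES)) throw new Error('unknown purpose: ' + purpose);
    if (typeof granted !== 'boolean') throw new Error('consent must be an explicit boolean');
    const state = this._load();
    state[purpose] = {
      granted,
      at: this.now(),
      policyVersion: this.policyVersion,
      thirdParties: granted ? [...thirdParties] : [], // partners named to the user
    };
    this.storage.setItem(this.key, JSON.stringify(state));
    return state[purpose];
  }

  // Withdrawal is as easy as granting: the same call with `false`.
  withdraw(purpose) {
    return this.record(purpose, false);
  }

  // A tag may run only if consent for its purpose was affirmatively granted
  // under the current policy version. Absent, withdrawn or stale = no consent.
  allowed(purpose) {
    const entry = this._load()[purpose];
    return !!entry && entry.granted === true && entry.policyVersion === this.policyVersion;
  }
}

// Filters a tag list down to the scripts that may be loaded right now, so
// trackers are never executed before opt-in.
function tagsToLoad(store, tags) {
  return tags.filter((t) => store.allowed(t.purpose)).map((t) => t.src);
}

// In-memory storage for environments without localStorage (tests, SSR).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Demo run with constructed tag URLs: nothing loads until the user opts in,
// and withdrawal takes effect immediately.
const store = new ConsentStore(memoryStorage(), 2);
const TAGS = [
  { src: 'https://analytics.example/tag.js', purpose: 'analytics' },
  { src: 'https://ads.example/tag.js', purpose: 'advertising' },
];
console.log(tagsToLoad(store, TAGS)); // []
store.record('analytics', true, ['analytics.example']);
console.log(tagsToLoad(store, TAGS)); // [ 'https://analytics.example/tag.js' ]
store.withdraw('analytics');
console.log(tagsToLoad(store, TAGS)); // []
```

The design choice worth noting is that the gate fails closed: any state it cannot positively verify as "granted under the current policy" is treated as no consent, which is the behaviour an opt-in regime requires. Bumping the policy version when the privacy policy changes forces a fresh consent request instead of silently reusing an old one.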

If you are not sure how to draft the policy, there are privacy policy generators available online: enter the necessary details (what you collect, why, and which tools and partners are involved) and a draft policy is produced that you can publish on your site. Review the generated text against what your site actually collects, since the policy must reflect your real practices, and revisit it whenever those practices change.

The PDPA expects publishers to appoint a Data Protection Officer where their core activities involve regular monitoring of data subjects or large-scale processing of personal data, in particular sensitive data. What counts as "large scale" is left to the Committee to define and has not yet been specified.

If all your arrangements for GDPR are in place, you will not have much left to do for PDPA compliance beyond the Thai-specific points covered below.

Similarities between PDPA and GDPR

  • Any information that identifies a person, on its own or combined with other information, is personal data under both laws.
  • The geographical reach of the two laws is equivalent: both apply outside their home region, so it matters little whether your company is headquartered there or not.
  • Both laws require a Data Protection Officer for large-scale processing (the PDPA also ties the requirement to regular monitoring of data subjects and to large-scale processing of sensitive data).
  • Both laws grant data subjects broadly the same rights: access, correction, erasure, portability, objection and withdrawal of consent.
  • Both laws require explicit, unambiguous consent that is kept separate from other terms.
  • Both laws require the regulator to be notified of a data breach within 72 hours of becoming aware of it, and affected individuals to be told where the breach is likely to put them at high risk.
  • Both laws rest on the same framework of lawful bases and purpose limitation for how and why data is collected.

Comparing PDPA with GDPR

Concept: Personal data
  PDPA: Any information about a natural person that enables that person to be identified, directly or indirectly, including photos and video. Data about deceased persons and about juristic persons (companies) is not personal data.
  GDPR: Any information relating to an identified or identifiable natural person, directly or indirectly; this reaches social media posts, email addresses, online identifiers and similar.

Concept: Consent
  PDPA: Consent must be requested explicitly, in writing or through an electronic system, before or at the time of collection. The request must be clearly separated from other terms and conditions, state the purpose, and be as easy to withdraw as to give. Data may be collected without consent only on one of the other lawful bases in the Act (for example performance of a contract, a legal obligation, vital interests or legitimate interests).
  GDPR: Consent must be freely given, specific, informed and unambiguous, given by a clear affirmative act. It cannot be bundled with other terms and conditions, one blanket consent cannot cover unrelated purposes, the third parties relying on the consent should be named, and withdrawal must be as simple as giving consent, with the steps clearly stated.

Concept: Sensitive personal data
  PDPA: Explicitly listed in Section 26: race, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data and biometric data. Collection requires explicit consent unless one of the Act's exceptions applies.
  GDPR: Special categories under Article 9: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and sex life or sexual orientation. Processing is prohibited unless one of the Article 9(2) exceptions applies, such as explicit consent.

Concept: Age of consent
  PDPA: No single minimum age is set. A minor's consent follows the Civil and Commercial Code: for a child under 10 the holder of parental power consents; for a minor aged 10 to 20, the holder of parental power must also consent unless the act is one the minor may perform alone.
  GDPR: 16 by default for online services offered to children (Article 8); member states may lower this, but not below 13.

Concept: Purpose
  PDPA: The purpose must be told to the data subject before or at the time of collection; use or disclosure beyond that purpose needs fresh consent or another lawful basis.
  GDPR: Strictly limited to the purposes explicitly specified at collection; further processing must be compatible with those purposes.

Concept: Penalties for persons or individuals
  PDPA: Criminal offences (for example unlawful use or disclosure of sensitive data) carry imprisonment of up to one year and/or a fine of up to THB 1,000,000; liability can extend to the directors responsible.
  GDPR: No separate individual-level fine is set; administrative fines apply to controllers and processors (which may be individuals), and member states set any other penalties under Article 84.

Concept: Penalties for organizations
  PDPA: Administrative fines of up to THB 5,000,000 per violation, plus civil damages, with punitive damages of up to twice the actual damage.
  GDPR: Up to €10 million or 2% of worldwide annual turnover, or up to €20 million or 4%, whichever is greater, depending on the provision breached.

Frequently Asked Questions

What is the penalty for breach in data under PDPA?

The PDPA has three tiers of liability. Administrative fines go up to THB 5,000,000 per violation. Criminal penalties for the more serious offences, such as unlawful disclosure of sensitive data, are imprisonment of up to one year and/or a fine of up to THB 1,000,000, and can reach the responsible directors of an organisation. Civil liability covers actual damages, with punitive damages of up to twice that amount.

What is the need of PDPA?

The PDPA sets out how personal data about individuals in Thailand may be collected, used and disclosed, gives data subjects enforceable rights over that data, and puts a regulator, the Personal Data Protection Committee, in charge of enforcement.

What is the time limit for notification of a breach?

The controller must notify the Office of the Personal Data Protection Committee without delay and, where feasible, within 72 hours of becoming aware of the breach. Affected data subjects must also be told when the breach is likely to result in a high risk to them.

Is there a minimum age for consent for PDPA?

No single minimum age is specified. Instead, a minor's consent is tied to the Civil and Commercial Code: the holder of parental power must consent for a child under 10, and must also consent for a minor aged 10 to 20 unless the act is one the minor may perform alone.

Can consent be withdrawn under PDPA?

Yes. A data subject may withdraw consent at any time, and withdrawing must be as easy as giving it. The only limits are where a law or a contract benefiting the data subject restricts withdrawal. The controller must tell the data subject of any consequences of withdrawing, and withdrawal does not undo processing already carried out lawfully under the earlier consent.

What’s Next?

Publishers who have already implemented other privacy laws such as GDPR or CCPA will find that the PDPA calls for the same kind of changes to their consent and data-handling arrangements as those laws did.

If you are starting from scratch, you can check out our other resources on these privacy laws:


This is a guest post by Bhumit Gadhavi. He is a Digital Marketing Manager with OLX Group. He writes at Easycowork about finance as side hustles for growth. Other than that, he loves scaling businesses using performance and content-driven marketing.
