
PDPA Thailand

Thailand’s Personal Data Protection Act (PDPA) regulates the processing of personal data for commercial use. It applies to any company, organization or website located inside Thailand and to businesses with users in Thailand.

Published January 17, 2022.

The PDPA Thailand explicitly requires you to obtain end-user consent before processing any data of personal character. Besides that, it obliges you to inform users in Thailand about the details of your website’s data processing, including how it is being used and who is using it.

In this blogpost, learn more about Thailand’s PDPA and how to make your website compliant with Cookiebot consent management platform (CMP).

Thailand PDPA, quick summary

Thailand’s PDPA, condensed

Thailand’s Personal Data Protection Act (PDPA) was first passed in 2019, delayed in 2020 and again in 2021 and is now set to come into full effect on June 1st, 2022.

The first and foremost thing to understand when it comes to the PDPA Thailand is the concept of end-user consent.

This means that your website is required to obtain express and explicit consent from your website users before any form of cookies and tracking that can process personal data may be activated. In truth, this resembles many of the other key data privacy laws, like the EU’s GDPR and Malaysia’s PDPA to name a few.

The PDPA views consent as something that must be given freely. It has to be obtained in a written form, not orally, and the website user must be accurately informed about the true purposes of the data collection.

In addition to this, the consent request has to be presented in clear and plain language to minimize the risk of misunderstandings. This also means that implied consent is not valid under Thailand’s PDPA, and the banner also needs to include a button for users to refuse cookies.

The PDPA Thailand governs the commercial use of personal data, meaning that it does not apply to the public sector, or the federal or state governments.

While the European GDPR, for example, applies to any organization processing personal data, including public bodies, the PDPA Thailand excludes from its scope public authorities that maintain state security, such as public security, security of the state and financial security.

While the Thailand PDPA is very similar to for example the Malaysia PDPA, it differs by having both territorial and extra-territorial application.

The territorial application affects any company, organization or website located inside Thailand using cookies or trackers, while the extra-territorial application relates to entities outside of Thailand that in any way collect, use or disclose personal information for commercial use about residents, companies etc. inside the country of Thailand. This also prohibits transfers of personal data outside of Thailand.


To sum it up, Thailand’s PDPA is both territorial and extra-territorial. It requires you to inform users about how you will process their data and to obtain their explicit end-user consent before doing so.

It empowers users by giving them the right to access and correct their data in a way that resembles many already existing laws such as the GDPR.

The Thailand PDPA is the first of its kind in Thailand and leads the country into a safer future with data privacy as its cornerstone.

PDPA in Thailand – Timeline

  • Thailand’s PDPA was first published in May 2019 and consists of seven chapters and 96 sections. It was given a one-year grace period so that affected parties could adjust.
  • In May 2020 most chapters of the PDPA were postponed for another year. This was done for two reasons: first, to give the private and public sectors more time to prepare their internal processes, and second, to ease the financial consequences of Covid-19.
  • In May 2021 the cabinet in Thailand approved the postponement of the PDPA for another year. This time the explanation was the state of the country during the pandemic, which made it difficult to settle the processes related to the legislation.
  • The PDPA Thailand is now set to come into full effect on June 1st, 2022.

PDPA in Thailand – Quick breakdown

  • Thailand’s PDPA gives Thai residents the right to access and correct their personal data, while also enabling them to withdraw consent whenever they want. In addition to this, they can stop the processing of their data for direct marketing purposes.
  • Thailand’s PDPA applies to any websites, companies or organizations in Thailand that process any kind of personal data for commercial use from the residents of Thailand.
  • Thailand’s PDPA has extraterritorial scope, which means it also applies to entities outside of Thailand that collect, use or disclose personal information for commercial purposes about residents inside Thailand. This also means that transfers outside of Thailand of personal data about entities in Thailand are prohibited.
  • Thailand’s PDPA demands that you get explicit end-user consent before processing any personal data. This means that you need to inform your users about all aspects of the data processing, including its purpose and who the data is shared with. It also means that implied consent is in no way valid according to the PDPA Thailand.
  • Thailand’s PDPA differentiates between personal and sensitive data. Personal data pertains to any kind of information that can be related to a human being, while sensitive data includes things like sexual orientation, criminal record and ethnic or racial origin to name a few.
  • Thailand’s PDPA outlines processing as the behavior of collecting, using, sharing, storing, selling etc. of personal data.
  • If you fail to comply with Thailand’s PDPA you could face fines up to 5 million Baht and/or imprisonment for up to one year.

The Thailand PDPA has extraterritorial scope, which means that in certain situations it applies to entities outside of Thailand as well.

Thailand PDPA compliance with Cookiebot CMP

Cookiebot CMP by Usercentrics is our world-leading solution that provides transparency and control over all the cookies and similar tracking on your website.

This ensures that your website complies with the major data privacy laws all around the world, including Thailand’s PDPA, Brazil’s LGPD, South Africa’s POPIA, EU’s GDPR, UK’s GDPR and California’s CCPA.

The PDPA in Thailand will, like many laws before it, require you to ask for, and ultimately obtain, an explicit consent from the users in Thailand, before you can use cookies and trackers as an integral part of your website.

For that reason, among others, Cookiebot CMP is considered an optimal solution for making your domain fully compliant without the need for any complicated technical implementation.

What is Cookiebot CMP, you might wonder? Simply put, Cookiebot CMP is a plug-and-play compliance solution that helps automate the complete PDPA compliance procedure.

This includes everything from automatically detecting and controlling all the cookies on your website, to collecting the PDPA-compliant consents from end-users, and finally safely storing the consents and renewing them on a regular basis. The consent banner looks like the one below.

[Image: Cookiebot pop-up consent banner]

We believe that the protection of privacy must be an integrated part of each individual website, and by offering you a simple and yet comprehensive overview of every single cookie on your website, the Cookiebot CMP qualifies your website to meet the requirements necessary for PDPA compliance in Thailand.

This overview includes the purpose of each cookie, its duration and where it comes from.

Cookiebot CMP provides you with three fully automatic functions that are very simple to implement on your website: cookie consent, cookie monitoring and cookie control. You can, for example, customize your consent banners to match your website’s layout. One advantage of this is that the banner can be shaped to fit the compliance requirements of almost any major privacy law in the world.

Cookiebot CMP helps you become compliant with the Thailand PDPA.

PDPA Thailand, in detail

While the passages above give a quick overview, the following part of the blog post breaks down the PDPA Thailand in detail by looking at both the key requirements of the PDPA and the rights it gives end-users.

In the process of crafting the PDPA, the Thai government attempted to replicate the EU’s GDPR. The purpose was to demonstrate that Thailand is an equal to the EU and other states with similar legislation when it comes to providing a sufficient level of data protection, in order to obtain adequacy under the GDPR for data sharing.

This means that a lot of the content in the PDPA is very recognizable and probably something you might already be doing, if you’re following the GDPR or similar rules.

The Thailand PDPA does have some key characteristics, however, and these will be outlined below, while also including which rights it gives the end-users.

Key characteristics of the Thailand PDPA

You can roughly distinguish between eight characteristics of the PDPA. This does not mean that they tell the entire story, but they should make sure that you are ready to get compliant and handle the user’s personal data correctly.

The eight key characteristics outlined here are:

  • National Data Protection Authority
  • Extraterritorial effect
  • Operative terms
  • Consent
  • Sensitive personal Data
  • Rights of data subject
  • Transfer of personal data
  • Civil and criminal liability

Thailand’s PDPA characteristic 1 – National Data Protection Authority

To make sure that the PDPA is as effective as possible, a Personal Data Protection Committee (PDPC) has been established to enforce compliance with the PDPA.

Among other things, the PDPC will have the power to determine measures or approaches in relation to personal data protection, issue notifications or orders pursuant to the PDPA, and promote and support the protection of personal data.

Thailand’s PDPA characteristic 2 – Extraterritorial effect

The PDPA Thailand differs from, for example, the PDPA Malaysia by having not only territorial effect but also extraterritorial effect. Extraterritorial effect is the situation where a state extends its legal power beyond its territorial boundaries. An example of extraterritorial jurisdiction could be a state maintaining jurisdiction over its citizens when they are out of the country.

It is a remarkable case, since extraterritorial application is very rare in Thai law. In fact, extraterritorial jurisdiction is generally one of the most debated issues in the area of human rights, which is why the PDPA is seen as a significant shift from older legal frameworks of Thailand.

The extraterritorial scope applies to entities, including businesses, organizations and websites, that in any way collect, use or disclose personal information about residents, companies or organizations inside the country of Thailand.

It also prohibits transfers of personal data outside of Thailand. As a result, businesses that have not previously considered the applicability of Thai data protection law to their processing may now be caught within its scope.

Thailand’s PDPA characteristic 3 – Operative Terms

To understand the PDPA Thailand, it is important to define some of the operative terms. The PDPA uses the same terminology as the GDPR when it comes to the following:

Data controller: Just as in the GDPR, a data controller is a “natural or juristic person having the power to make decisions on the collection, use or disclosure of personal data.”

Data processor: A “natural or juristic person which collects, uses or discloses personal data in accordance with the instruction of or on behalf of the data controller, provided that such person or juristic person conducting those actions is not the data controller.”

Personal Data: “information relating to a person which is identifiable, directly or indirectly”

Thailand’s PDPA characteristic 4 – Consent

The PDPA Thailand requires that you ask for and obtain explicit consent from the users in Thailand. You need this before you can use cookies and trackers as an integral part of your website, and before you can collect, disclose or use any personal data. It is important that the consent is explicit, and it needs to be in writing or submitted electronically.

Explicit consent in writing or in an electronic system is required in the Thailand PDPA.

Thailand’s PDPA characteristic 5 – Sensitive Personal Data

The PDPA Thailand differentiates between personal and sensitive data by establishing a separate category for the latter.

Sensitive data includes personal data that in any way reveals things like political opinions, sexual orientation, criminal records, disability, ethnic or racial origin, health data, genetic data, trade union information, biometric data and cult, religious or philosophical beliefs.

The PDPA prohibits the collection of any of this information without explicit consent from the data subject (see the previous section on consent).

The only exception to this rule pertains to certain prescribed circumstances, such as a medical emergency or where collection is required by law.


Thailand’s PDPA characteristic 6 – Rights of data subjects

In accordance with characteristic 4 about consent, data subjects have the right to access and to correct their personal data, while at the same time being enabled to withdraw consent at any point. This withdrawal also includes the option to stop the processing of their data for marketing purposes.

Thailand’s PDPA characteristic 7 – Transfer of Personal Data

A data controller, as defined under characteristic 3, is expressly prohibited from transferring any kind of personal data to any third parties. This includes disclosure of personal data, but excludes cases in which the data subject has given his or her consent, although this is also subject to certain limited, customary exceptions.

Thailand’s PDPA characteristic 8 – Civil and Criminal Liability

If you fail to comply with the Personal Data Protection Act you could face a range of civil liabilities. These liabilities include punitive damages, criminal penalties including imprisonment for up to one year, or administrative fines that could stack up to 5 million Baht.

Failure to comply with the Thailand PDPA could see you face criminal liabilities such as prison or administrative fines.

Summary of Thailand’s PDPA

Thailand’s Personal Data Protection Act (PDPA) is going to join the world’s consent-based data privacy laws.

The goal of it is to empower the residents of Thailand with enforceable rights to their personal data, while at the same time making sure that websites, companies, organizations etc. do not abuse the data they receive about their users/customers.

Thailand’s PDPA was first approved in May 2019 with a one-year grace period. Since then, it has been postponed twice and is now set to be in full effect by June 2022.

Cookiebot CMP by Usercentrics enables compliance with most of the world’s major data privacy laws, including Thailand’s PDPA.


FAQ

What is Thailand’s PDPA?

The Thailand Personal Data Protection Act of 2019 (PDPA Thailand) was first published on May 27, 2019. The PDPA Thailand is the first of its kind governing data protection in the country of Thailand. It describes in detail the specific requirements for websites on how to collect consent prior to processing personal data.

The PDPA’s purpose is to protect the users of the websites from unlawful gathering and use of any personal data without their consent. To ensure this, the law states that website users must be aware of what data is being collected on them, how it is used and who is using it.


How can my website be in compliance with Thailand’s PDPA?

To comply with Thailand’s PDPA on your website you are required to obtain an explicit consent from your Thai users before processing any of their personal data. Additionally, you need to notify them about what you collect, what it is going to be used for and who you share it with. It is also important that you give the users the option to access and correct their personal data and even enable them to withdraw their consent, whenever they wish to.


What is personal data and what is sensitive data under Thailand’s PDPA?

The PDPA Thailand differentiates between personal and sensitive data. The former applies to any kind of information that can be related to a human being, which would enable others to identify such a person. However, the PDPA does not apply to any information about deceased persons. Examples of personal data could be names, phone numbers or addresses.

Sensitive data, on the other hand, includes data of any kind that pertains to the following: political opinions, sexual orientation, criminal records, disability, ethnic or racial origin, health data, genetic data, trade union information, biometric data and cult, religious or philosophical beliefs.


Who does Thailand’s PDPA apply to?

The PDPA Thailand differs from the Malaysia PDPA by having both territorial and extra-territorial application. The territorial scope applies to any company, organization or website located inside Thailand, while the extra-territorial scope applies to entities (i.e., businesses, organizations, websites) outside of Thailand that in any way collect, use or disclose personal information about residents, companies etc. inside the country of Thailand. This also prohibits transfers of personal data outside of Thailand.


What is the penalty for breaching the PDPA in Thailand?

If you fail to comply with the Personal Data Protection Act you could face a range of civil liabilities. These liabilities could include punitive damages, criminal penalties including imprisonment for up to one year, or administrative fines that could stack up to 5 million Baht.


How can I scan my website for cookies and trackers?

By using a consent management platform like Cookiebot CMP you can reveal all cookies and trackers that currently process personal information on your website. It also shows you where in the world your domain sends data.
