Published January 17, 2022.
Thailand’s Personal Data Protection Act (PDPA) regulates the processing of personal data for commercial use. It applies to any company, organization or website located inside Thailand, and to businesses outside Thailand that process the personal data of people in Thailand.
The PDPA Thailand explicitly requires you to obtain end-user consent before processing any personal data. It also obliges you to inform users in Thailand about your website’s data processing, including what data is collected, how it is used and who it is shared with.
In this blogpost, learn more about Thailand’s PDPA and how to make your website compliant with Cookiebot consent management platform (CMP).
Thailand’s PDPA, quick summary
Thailand’s Personal Data Protection Act (PDPA) was first passed in 2019, delayed in 2020 and again in 2021 and is now set to come into full effect on June 1st, 2022.
The first and foremost thing to understand when it comes to the PDPA Thailand is the concept of end-user consent.
This means that your website is required to obtain explicit consent from your website users before any cookies or trackers that can process personal data are activated. In this respect it resembles many of the other key data privacy laws, such as the EU’s GDPR and Malaysia’s PDPA.
The PDPA views consent as something that must be given freely. It must be requested explicitly, in writing or by electronic means, and the website user must be accurately informed about the true purposes of the data collection before giving it.
The PDPA Thailand governs the commercial use of personal data. Unlike the GDPR, which applies to any organization processing personal data, including public bodies, the PDPA Thailand excludes from its scope public authorities whose duties concern state security, such as public security, national security and the financial security of the state.
While the Thailand PDPA is very similar to, for example, the Malaysia PDPA, it differs by having both territorial and extraterritorial application.
The territorial application covers any company, organization or website located inside Thailand that uses cookies or trackers. The extraterritorial application covers entities outside Thailand that in any way collect, use or disclose personal data for commercial purposes about people in Thailand. The PDPA also restricts transfers of personal data out of Thailand: such transfers are only permitted to destinations with adequate data protection standards, or where an exception such as the data subject’s consent applies.
To sum it up, Thailand’s PDPA applies both territorially and extraterritorially. It requires you to inform users about how you will process their data, and to obtain their explicit consent before doing so.
It empowers users by giving them the right to access and correct their data, in a way that resembles existing laws such as the GDPR.
PDPA in Thailand – Timeline
- Thailand’s PDPA was first published in May 2019 and consists of seven chapters and 96 sections. It was given a one-year grace period so that affected parties could adjust.
- In May 2020 most chapters of the PDPA were postponed for another year. This was done for two reasons: to give the private and public sectors more time to prepare their internal processes, and to ease the financial consequences of Covid-19.
- In May 2021 the Thai cabinet approved the postponement of the PDPA for a further year. This time the explanation was the state of the country during the pandemic, which made it difficult to finalize the processes related to the legislation.
- The PDPA Thailand is now set to come into full effect on June 1st, 2022.
PDPA in Thailand – Quick breakdown
- Thailand’s PDPA gives Thai residents the right to access and correct their personal data, while also enabling them to withdraw consent whenever they want. In addition to this, they can stop the processing of their data for direct marketing purposes.
- Thailand’s PDPA applies to any website, company or organization in Thailand that processes any kind of personal data about people in Thailand for commercial use.
- Thailand’s PDPA has extraterritorial scope, which means it also applies to entities outside Thailand that collect, use or disclose personal data for commercial purposes about people inside Thailand. Transfers of personal data out of Thailand are restricted to destinations with adequate data protection, unless an exception such as the data subject’s consent applies.
- Thailand’s PDPA demands that you obtain explicit end-user consent before processing any personal data. This means you must inform your users about the data processing, including its purpose and who the data is shared with, before they consent. Implied consent is not valid under the PDPA Thailand.
- Thailand’s PDPA differentiates between personal data and sensitive data. Personal data is any information that can be related to an identifiable person, while sensitive data includes, among others, sexual orientation, criminal records and ethnic or racial origin.
- Thailand’s PDPA defines processing as collecting, using, disclosing, storing, selling etc. personal data.
- If you fail to comply with Thailand’s PDPA you could face administrative fines of up to 5 million Baht and criminal penalties including imprisonment for up to one year.
Thailand PDPA compliance with Cookiebot CMP
Cookiebot CMP helps your website comply with the major data privacy laws around the world, including Thailand’s PDPA, Brazil’s LGPD, South Africa’s POPIA, the EU’s GDPR, the UK’s GDPR and California’s CCPA.
For that reason, among others, Cookiebot CMP is a practical way to make your domain compliant without a complicated technical implementation.
It covers everything from automatically detecting all the cookies on your website and controlling them, to collecting PDPA-compliant consents from end-users, to securely storing those consents and renewing them on a regular basis. The consent banner looks like the one below.
We believe that the protection of privacy must be an integral part of every website. By giving you a simple yet comprehensive overview of every cookie on your website, Cookiebot CMP helps your website meet the requirements for PDPA compliance in Thailand.
The overview includes the purpose of each cookie, its duration and its provider.
Cookiebot CMP provides three fully automatic functions that are simple to implement on your website: cookie consent, cookie monitoring and cookie control. You can, for example, customize your consent banner to match your website’s layout, and shape it to fit the compliance requirements of almost any major privacy law in the world.
PDPA Thailand, in detail
While the passages above give a quick overview, the following part of the blog post breaks down the PDPA Thailand in detail, looking at both the key requirements of the PDPA and the rights it gives end-users.
In drafting the PDPA, the Thai government modelled it closely on the EU’s GDPR. The purpose was to show that Thailand provides a level of data protection comparable to the EU and other states with similar legislation, in order to qualify for an EU adequacy decision for data sharing.
This means that much of the content of the PDPA will be recognizable, and probably something you are already doing, if you follow the GDPR or similar rules.
The Thailand PDPA does have some key characteristics, however, and these will be outlined below, while also including which rights it gives the end-users.
Key characteristics of the Thailand PDPA
You can roughly distinguish eight characteristics of the PDPA. They do not tell the entire story, but they should prepare you to get compliant and handle users’ personal data correctly.
The eight key characteristics outlined here are:
- National Data Protection Authority
- Extraterritorial effect
- Operative terms
- Consent
- Sensitive personal data
- Rights of data subjects
- Transfer of personal data
- Civil and criminal liability
Thailand’s PDPA characteristic 1 – National Data Protection Authority
To make the PDPA as effective as possible, a Personal Data Protection Committee (PDPC) has been established to enforce compliance with the PDPA.
The PDPC will, among other things, have the power to determine measures or approaches for personal data protection, to issue notifications or orders pursuant to the PDPA, and to promote and support the protection of personal data.
Thailand’s PDPA characteristic 2 – Extraterritorial effect
The PDPA Thailand differs from, for example, the PDPA Malaysia by having not only territorial effect but also extraterritorial effect. Extraterritorial effect is where a state extends its legal power beyond its territorial boundaries; an example is a state that maintains jurisdiction over its citizens while they are out of the country.
This is remarkable, since extraterritorial application is very rare in Thai law. Extraterritorial jurisdiction is generally one of the most debated issues in the area of human rights, which is why the PDPA is seen as a significant shift from Thailand’s older legal frameworks.
The extraterritorial scope applies to entities, including businesses, organizations and websites, that in any way collect, use or disclose personal data about people in Thailand.
The PDPA also restricts transfers of personal data out of Thailand to destinations with adequate data protection, subject to exceptions such as the data subject’s consent. As a result, businesses that previously never considered whether Thai data protection law applied to their processing may now fall within its scope.
Thailand’s PDPA characteristic 3 – Operative Terms
Data controller: As in the GDPR, a data controller is a “natural or juristic person having the power to make decisions on the collection, use or disclosure of personal data”.
Data processor: A “natural or juristic person which collects, uses or discloses personal data in accordance with the instruction of or on behalf of the data controller, provided that such person or juristic person conducting those actions is not the data controller”.
Personal data: “information relating to a person which is identifiable, directly or indirectly”.
Thailand’s PDPA characteristic 4 – Consent
Consent under the PDPA must be freely given, explicit and informed. The request for consent must be made explicitly, in writing or by electronic means, and before consenting the data subject must be told the purpose of the collection, use or disclosure of their personal data. Implied consent is not valid, and the data subject can withdraw consent at any time.
Thailand’s PDPA characteristic 5 – Sensitive Personal Data
The PDPA Thailand differentiates between personal and sensitive data by establishing a separate category for the latter.
Sensitive data is personal data that reveals political opinions, sexual orientation, criminal records, disability, ethnic or racial origin, health data, genetic data, trade union membership, biometric data, or cult, religious or philosophical beliefs.
The PDPA prohibits the collection of any of this information without the data subject’s explicit consent, as described under characteristic 4.
The only exceptions are certain prescribed circumstances, such as a medical emergency or where collection is required by law.
Thailand’s PDPA characteristic 6 – Rights of data subjects
In line with characteristic 4 on consent, data subjects have the right to access and correct their personal data, and can withdraw their consent at any time. This includes the right to stop the processing of their data for direct marketing purposes.
Thailand’s PDPA characteristic 7 – Transfer of Personal Data
A data controller, as defined in characteristic 3, may not disclose or transfer personal data to third parties unless the data subject has given consent, subject to a limited set of customary exceptions. Transfers out of Thailand are additionally restricted to destinations with adequate data protection standards.
Thailand’s PDPA characteristic 8 – Civil and Criminal Liability
If you fail to comply with the Personal Data Protection Act you could face a range of liabilities: civil liability including punitive damages, criminal penalties including imprisonment for up to one year, and administrative fines of up to 5 million Baht.
Summary of Thailand’s PDPA
Thailand’s Personal Data Protection Act (PDPA) is about to join the world’s consent-based data privacy laws.
Its goal is to give the residents of Thailand enforceable rights over their personal data, while making sure that websites, companies, organizations etc. do not abuse the data they receive about their users and customers.
Thailand’s PDPA was first approved in May 2019 with a one-year grace period. Since then it has been postponed twice and is now set to come into full effect on June 1st, 2022.
What is Thailand’s PDPA?
The Thailand Personal Data Protection Act of 2019 (PDPA Thailand) was first published on May 27, 2019. It is the first law of its kind governing data protection in Thailand. It sets out the requirements for obtaining consent before processing personal data, which apply to websites among other data controllers.
The PDPA’s purpose is to protect individuals from the unlawful gathering and use of their personal data without their consent. To ensure this, the law requires that website users be told what data is being collected about them, how it is used and who is using it.
How can my website be in compliance with Thailand’s PDPA?
To comply with Thailand’s PDPA on your website you must obtain explicit consent from your Thai users before processing any of their personal data. You must also tell them what you collect, what it will be used for and who you share it with. You must also give users the ability to access and correct their personal data, and to withdraw their consent whenever they wish.
What is personal data and what is sensitive data under Thailand’s PDPA?
The PDPA Thailand differentiates between personal data and sensitive data. Personal data is any information relating to a person that enables that person to be identified, directly or indirectly. Information about deceased persons is not covered by the PDPA. Examples of personal data are names, phone numbers and addresses.
Sensitive data is personal data that pertains to political opinions, sexual orientation, criminal records, disability, ethnic or racial origin, health data, genetic data, trade union membership, biometric data, or cult, religious or philosophical beliefs.
Who does Thailand’s PDPA apply to?
The PDPA Thailand differs from the Malaysia PDPA by having both territorial and extraterritorial application. The territorial scope covers any company, organization or website located inside Thailand, while the extraterritorial scope covers entities (businesses, organizations, websites) outside Thailand that in any way collect, use or disclose personal data about people in Thailand. The PDPA also restricts transfers of personal data out of Thailand to destinations with adequate data protection, unless an exception such as the data subject’s consent applies.
What is the penalty for breaching the PDPA in Thailand?
If you fail to comply with the Personal Data Protection Act you could face a range of liabilities: civil liability including punitive damages, criminal penalties including imprisonment for up to one year, and administrative fines of up to 5 million Baht.
How can I scan my website for cookies and trackers?
By using a consent management platform like Cookiebot CMP you can reveal all the cookies and trackers that currently process personal data on your website. It also shows you where in the world your domain sends data.