How Does Blancco Help Organizations Comply with Thailand’s Personal Data Protection Act (PDPA)?

The Thai Personal Data Protection Act (PDPA), B.E. 2562 (2019), sets rules around how
companies should collect, use, share, and dispose of personal data. To comply with
the law, organizations must destroy or anonymize data when they no longer need it, like
when the retention period ends or when someone asks for their data to be removed.

Our Solution Brief explains how to follow the PDPA by fully erasing data that is no longer
needed.

What is the PDPA, and who must follow it?

The PDPA is Thailand’s main law about data privacy. It took effect on June 1, 2022, and
has been updated since then to make data protection rules stronger. The law controls
how businesses handle personal data and protects the privacy of Thai citizens.

The PDPA applies to anyone who collects, uses, shares, or transfers personal data in Thailand for business purposes. This includes:

  • data controllers and processors in Thailand, and
  • businesses outside of Thailand offering goods or services to individuals in Thailand or monitoring their online behavior.

Some exceptions apply, such as for government activities or other specific cases.

What does the PDPA require?

The PDPA is similar to Europe’s GDPR, but with some differences. Here are the law’s key rules:

Consent

Businesses must get permission before collecting personal data unless the law allows it for certain tasks, like public interest activities or fulfilling a contract.

In most cases, businesses need clear consent from the person whose data they are collecting.

Data accuracy

Businesses must keep personal data accurate and up-to-date. People can ask businesses to fix incorrect information.

Record keeping and small businesses

Small- and medium-sized businesses may not have to keep detailed records of how they process data unless they handle sensitive data or create risks for individuals’ rights.

Security measures

Data controllers should review their security as technology changes, or as needed.

Data retention

Businesses must tell people how long they will keep their data. After this time, the data must be deleted, destroyed, or anonymized, unless there are special reasons to keep it longer.

Data breach reporting

Data breaches should be reported to the authorities within 72 hours unless certain conditions apply.

Penalties for breaking the rules

The Personal Data Protection Committee (PDPC) enforces the law and publishes guidelines. Breaking the PDPA can lead to criminal, civil, or administrative penalties. Serious violations, like leaking sensitive data, could lead to prison time or fines.

For example, in November 2024, an online sales company was fined 7 million baht ($204,000 USD) for not following the rules. The company was fined for several issues, including not appointing a data protection officer or having proper security measures.

Data disposal under the PDPA

All organizations that collect, use, or transfer data will eventually need to dispose of it. If they do not do this safely, the data could be accessed by unauthorized people. The PDPA says that data must be safely removed when:

  • The retention period ends,
  • The data is no longer needed for its original purpose, or
  • A person asks for their data to be removed.

The PDPC has issued rules about how data should be deleted, destroyed, or anonymized (Notification on Criteria for Deletion, Destruction, or Anonymization of Personal Data, B.E. 2567 (2024)). These rules took effect on November 11, 2024, and include:

  • Deadlines: Businesses have 90 days to delete, destroy, or anonymize data after someone requests it. If businesses can’t meet the 90-day deadline, they must limit access to the data until it can be properly destroyed.
  • Standards: Data must be disposed of in a way that makes it impossible to recover or re-identify. This includes backups.
  • Choice: People can ask for specific disposal methods, but businesses must choose a compliant method and inform the person. If the data subject files a request for data that was unlawfully processed, de-identification is not allowed. In that case, the data controller must use deletion or destruction techniques.

Download our solution brief to learn how Blancco can help you comply with Thailand’s PDPA.
