BLOG | Cookie Compliance | November 20, 2020

Data Protection in Thailand: A Summary of the PDPA

The Personal Data Protection Act 2019 (‘PDPA’) is the first consolidated legislation providing general data protection...

Post Featured Image

The Personal Data Protection Act 2019 (‘PDPA’) is the first consolidated legislation providing general data protection within Thailand and was originally expected to come into full effect on May 27, 2020. This date, however, was postponed until May 27, 2021 due to the COVID-19 pandemic. The PDPA is based on the GDPR and contains many similar provisions. Read this blog post to gain an understanding of the PDPA and its requirements for websites to remain compliant.

Who Does the PDPA Apply To?

The PDPA applies to the collection, use, or disclosure of personal data by organisations that are in Thailand regardless of whether the collection, use or disclosure of personal data takes place in Thailand or not.

In relation to extraterritorial scope, the PDPA applies to data controllers and data processors that are outside of Thailand where the collection, use or disclosure of personal data of data subjects who are in Thailand, where their activities relate to the offering of goods or services to data subjects in Thailand, regardless of whether payment is required or where the data subject’s behavior is being monitored in Thailand.

If required businesses don’t comply with the PDPA, the maximum penalty for non-compliance under Sections 26-28 is a fine not exceeding THB 5 million (approx. €149,000) can be issued by the expert committee. Depending on the violation that has occurred under Sections 26-28 of the PDPA, the penalty may be imprisonment for a term not exceeding one year

What is Personal Information According to PDPA?

The PDPA defines ‘personal data’ as any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including information of the deceased persons. The PDPA also specifies that a ‘person’ means a ‘natural person.’

The PDPA does not define special categories of personal data. However, Section 26 requires that explicit consent be obtained for the collection of ‘personal data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner, as prescribed by the PDPC.’ 

Do I Need a Cookie Banner to Comply with PDPA?

According to the PDPA, it’s required to obtain explicit user’s consent before collecting or processing their data. The banner should be presented in a clear way. In addition, you have to inform the user about the purpose of data collection or processing in a clear and non-deceptive way. Inserting a link to your privacy policy on that banner is a practical way to inform users about the purpose of data collection.

How To Ensure Your Website is Compliant

Understand Trackers on Your Website

Understanding what trackers you use on your website is the first step toward compliance. Scan your website to gain an understanding of your website’s privacy health. Detect and categorize cookies and other tracking technologies on your website.

Capture and Store Consent

Obtaining consent for collection and processing of personal data must meet the following requirements:

  • The consent must be given freely
  • The user must be informed about the purpose of collection and processing of data
  • The request must be clear, in plain language, non-deceptive, and non-misleading

Since implied consent is not valid, you have to ensure that your cookie banners are affirmative. Additionally, users should be able to withdraw the consent they’ve given easily.

Provide the Ability to Practice Data Subject Rights

Website owners must provide visitors to contact you easily for exercising their PDPA data subject rights (the right to access, get a copy, correction, objection, portability, erasure). Ensure to provide them the ability to exercise their rights through a request intake form to capture requests based on regulation-specific requirements.

Sign Up Today to Fast Track Your PDPA Compliance Journey

You Might Also Like


10 Steps to Master Consent Management

View Resource
Blog Post

What are Website Cookies?

View Resource
White Paper | 15 minutes

The Privacy Professional’s Guide to Digital Advertising...

View Resource
Webinar | 1 hour

Consent Rate Optimization: How to Maximize Opt-Ins...

View Resource
Onetrust All Rights Reserved