Prologue - The Personal Data Protect Act acknowledges individual Data Subjects' rights to control how their personal data is collected, stored, processed and disseminated by Data Controllers and Data Processors. It provides the lawful basis for the processing of the Data Subjects' personal data as well as prescribes the duties and responsibilities of Data Controllers and the Data Processors. The road ahead may be murky but Companies will need to take the steps set out below in order to become compliant.

Steps To PDPA Compliance

Professional Corporate Services can help Companies with all the legal aspects on the road to PDPA compliance. It is imperative that Companies understand PDPA, then assess their data processing practices and take the necessary action to ensure that they comply with the PDPA. These steps may include:

Step 1 - Data Management

  • Companies should start by mapping their data to understand how they collect, transmit and process the data. They should also identify the legal basis for collecting and using the personal data of Thai residents. Support from local lawyers is required to ensure compliance.
  • All internal policies, agreements, and practices pertaining to personal data must be reviewed and updated accordingly. Needs to be managed at a local level with support from local lawyers to ensure compliance.
  • Data management processes (data flow sheets) and operating systems must be implemented to ensure compliance. This will need to be managed at a local level with the support of local lawyers and the IT Security team will need to offer support where needed.
  • Companies’ privacy policy will need to be updated to include all the provisions for PDPA. This will need the support of local Thai lawyers in order to ensure compliance.
  • Provide proper training to employees on the relevant requirements of the PDPA. Local lawyers will need to supply Companies with the required information so that they may train their employees.

Step 2 - Employee Data

  • Among the data subject’s rights of the PDPA is the “Right to be informed.” Therefore, Companies, as employers, must inform employees about the required details before or at the time of the collection of personal data. The employees must be informed of the required information, the purpose of collecting the information, and how long the information will be retained by the company. This is achieved by publishing both an external and internal Privacy Policy Local lawyers will need to assist to ensure compliance with PDPA.
  • Other rights of the data subject are as follows; the ability to easily request access and to obtain a copy of the Personal Data related to them; the right to request that their Personal Data be erased or destroyed, or anonymized so that it cannot identify the data subject. This will involve the Company's IT team to create the system required to provide this ability. Local lawyers will need to assist with the wording required to release the data.
  • Companies may also collect sensitive information about their employees, such as health conditions, religion, criminal background checks, biometrics and other sensitive data. However, Companies must obtain prior consent from their employees before collecting such sensitive information. Consent letters should be prepared by local lawyers to ensure compliance with PDPA.

Step 3 - International Data Transfers

Under the PDPA, personal data may not be transferred outside of Thailand unless the country receiving the data has adopted data protection standards that match the PDPA. International data transfers may be exempted under the following conditions:

  • If the data transfer is necessary for compliance with a legal obligation.
  • If the data owner has provided consent and has been informed of the destination country’s inadequate data protection standards.
  • The data transfer is necessary to perform a contract between the data controller and the data subject.
  • The transfer is required to safeguard the vital interests of the data subject.

This will need to be managed at a local level with local lawyers as it is one of the most complex parts of PDPA compliance.

Summary - Personal Data Protection Act (PDPA)

Professional Corporate Services Co., Ltd. has been diligently studying PDPA B.E. 2562 since its inception back in 2019. We have assembled an all inclusive Personal Data Protection package to help companies get compliant quickly. Please do not hesitate to contact us. At PCS your 1st consultation is always totally FREE of charge. Please use the contact form below. We are looking forward to working with you you!

Contact PCS

Our Address

253 Sukhumvit 21 Road (Asoke), 25th Floor

Email Us

Call Us

+66 2 109 5160

Your message has been sent. Thank you!

We would like your permission to collect, review and process the information you are supplying us with for the purpose of personalizing an answer to your question or for providing you with more information on the subject you stated. By checking on the box below you confirm that you allow us to collect, process and use the information you supplied and that you have read our Personal Data Protection Policy. Additionally, by clicking on the Send Message button you agree to receiving a response from us.