thailand-pdpa
Installation
SKILL.md
Thailand PDPA Compliance
Overview
Thailand's Personal Data Protection Act B.E. 2562 (PDPA), published in the Royal Gazette on 27 May 2019, became fully effective on 1 June 2022 after two postponements from the original 2020 effective date. The PDPA applies to the collection, use, and disclosure of personal data by data controllers and data processors in Thailand, and extraterritorially where activities target data subjects in Thailand (Section 5).
The Personal Data Protection Committee (PDPC, คณะกรรมการคุ้มครองข้อมูลส่วนบุคคล) is the supervisory authority established under Section 8. The Office of the Personal Data Protection Committee (OPDPC) serves as the operational secretariat.
Lawful Bases for Processing (Section 24)
| Basis | Section | Detail |
|---|---|---|
| Consent | Section 19 | Explicit consent; freely given, specific, informed; written or electronic; may be withdrawn at any time |
| Contract performance | Section 24(3) | Necessary for performance of a contract to which the data subject is a party |
| Vital interests | Section 24(4) | Necessary to prevent or suppress danger to life, body, or health |
| Public task | Section 24(4) | Necessary for public interest tasks or exercise of official authority |
| Legitimate interest | Section 24(5) | Legitimate interests of the controller or third party, balanced against data subject's fundamental rights |
| Legal obligation | Section 24(6) | Compliance with a law to which the controller is subject |
| Archiving/research | Section 24(1) | Necessary for archiving, research, or statistics in the public interest with appropriate safeguards |
Sensitive Data (Section 26)
Sensitive data categories: racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal records, trade union membership, genetic data, biometric data, health data, disability data, sexual orientation, and any other data prescribed by the PDPC.
Processing requires explicit consent unless:
- Necessary to prevent or suppress danger to life, body, or health (Section 26(1))
- Relating to lawful activities of non-profit organisations regarding members (Section 26(2))
- Personal data manifestly made public by the data subject (Section 26(3))
- Necessary for legal claims (Section 26(4))
- Necessary for compliance with employment law (Section 26(5))
Consent Framework
Consent Requirements (Section 19)
| Requirement | Detail |
|---|---|
| Explicit | Must be an express statement or conduct clearly indicating agreement |
| Freely given | Must not be a condition of service where unnecessary; no bundling with T&Cs (Section 19(4)) |
| Specific | Consent per purpose; blanket consent is invalid |
| Informed | Full disclosure of purpose, data items, recipients, retention period |
| Written or electronic | Written request for consent must be clear, not misleading, easily accessible |
| Withdrawal | Data subject may withdraw at any time; withdrawal must be as easy as giving consent (Section 19(5)) |
| Children | Under 10 years: consent from parent/legal guardian; 10 years and above: may consent if age-appropriate understanding demonstrated |
Implementation at Zenith Global Enterprises
| Processing Activity | Consent Type | Mechanism |
|---|---|---|
| Customer freight services | Contract performance (Section 24(3)) — consent not required | N/A |
| Marketing communications | Explicit consent (Section 19) | Opt-in checkbox in Thai and English |
| Employee health data processing | Explicit consent for sensitive data (Section 26) | Written consent form at onboarding |
| Cross-border transfer to EU HQ | Explicit consent with transfer disclosure (Section 28) | Dedicated transfer consent form |
DPO Requirements (Section 41-42)
When DPO Appointment is Required
The PDPC Notification on DPO Appointment Criteria (2022) requires a DPO when:
- The data controller or processor is a public authority (except courts acting in judicial capacity)
- Core activities require regular and systematic monitoring of data subjects on a large scale
- Core activities consist of processing sensitive data or criminal records on a large scale
DPO Responsibilities (Section 42)
| Responsibility | Detail |
|---|---|
| Advise on compliance | Advise the controller/processor on PDPA compliance obligations |
| Monitor compliance | Monitor compliance with the PDPA and internal policies |
| Audit coordination | Cooperate with the OPDPC; act as the contact point for the OPDPC |
| Confidentiality | Maintain confidentiality of personal data accessed in the course of duties |
| Independence | Must be able to perform duties independently; no dismissal for performing duties |
Zenith Global Enterprises DPO
| Element | Detail |
|---|---|
| DPO (Thailand) | Siriporn Chaiyaporn, Compliance Manager — Bangkok office |
| Contact | dpo-thailand@zenithglobal.co.th |
| Reporting line | Reports to Chief Privacy Officer; independent reporting access to Board of Directors |
Cross-Border Transfer (Section 28)
Transfer Conditions
Personal data may be transferred to a foreign country or international organisation only if:
| Condition | Section | Detail |
|---|---|---|
| Adequate protection | Section 28(1) | Destination has adequate personal data protection standards as determined by the PDPC |
| Compliance with group rules | Section 28(3) | Transfer within a group of undertakings conducting business together, with appropriate data protection policies inspected and certified by the OPDPC (BCR equivalent) |
| Contract necessity | Section 28(4)(a) | Necessary for contract performance with the data subject |
| Consent | Section 28(4)(b) | Data subject's consent after being informed of inadequate standards |
| Vital interests | Section 28(4)(c) | Necessary to prevent or suppress danger to life, body, or health |
| Legal obligation | Section 28(4)(d) | Necessary for important reasons of public interest |
| Legal claims | Section 28(4)(e) | Necessary for establishing, exercising, or defending legal claims |
| Appropriate safeguards | Section 28(2) | Appropriate protection measures prescribed by the PDPC are in place |
PDPC Adequacy Determinations
As of March 2026, the PDPC has not published a formal list of adequate countries. Transfers primarily rely on consent, contract necessity, or appropriate safeguards.
Data Subject Rights (Sections 30-36)
| Right | Section | Response Deadline | Implementation |
|---|---|---|---|
| Right of access | Section 30 | Within 30 days | Privacy portal in Thai and English |
| Right to data portability | Section 31 | Within 30 days | Structured format (JSON/CSV) |
| Right to object | Section 32 | Without unreasonable delay | Objection mechanism in customer portal |
| Right to erasure | Section 33 | Without unreasonable delay | Automated deletion with legal hold check |
| Right to restriction | Section 34 | Without unreasonable delay | Processing flagging system |
| Right to rectification | Section 35 | Without unreasonable delay | Self-service correction in portal |
| Right to withdraw consent | Section 19(5) | Without unreasonable delay | One-click withdrawal mechanism |
Breach Notification (Section 37(4))
| Element | Requirement |
|---|---|
| OPDPC notification | Within 72 hours of becoming aware of the breach |
| Data subject notification | Without delay if the breach is likely to affect rights and freedoms |
| Content | Nature of breach, DPO contact, likely consequences, remedial measures |
| Cross-border | Notify the OPDPC even if the breach occurred outside Thailand if Thai data subjects are affected |
Enforcement (Sections 90-91)
Administrative Fines
- Up to THB 5 million (approximately USD 140,000) per violation
Criminal Penalties
- Imprisonment up to 1 year and/or fine up to THB 1 million for certain violations (Section 90)
- Apply to natural persons responsible for the violation
Punitive Damages
- Court may award punitive damages up to double the actual damages (Section 78)
Notable PDPC Actions
- The PDPC has issued multiple compliance guidance documents since 2022
- Enforcement focus initially on education and compliance guidance, transitioning to formal enforcement from 2024
- Sectoral guidance published for: financial services, telecommunications, healthcare, e-commerce
Compliance Programme
| Component | Detail |
|---|---|
| DPO | Siriporn Chaiyaporn, Bangkok office |
| Privacy notice | Published at zenithglobal.co.th/privacy in Thai and English |
| Consent management | Platform with Thai language support; separate consent per purpose |
| ROPA | Processing activities register maintained per Section 39 |
| Breach notification | 72-hour workflow to OPDPC; data subject notification procedure |
| Cross-border safeguards | Consent-based transfers with disclosure; intra-group policy for headquarters transfers |
| Employee training | Annual PDPA training for all Thailand employees |
| Data subject rights | 30-day response workflow via privacy portal |
Related skills