Thai PDPA (Thailand Personal Data Protection Act drafting)
Overview
The Personal Data Protection Act B.E. 2562 (พ.ร.บ. คุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562; PDPA, effective 1 June 2022) is close to the GDPR but not identical. Copy-pasting a GDPR notice into Thai is the #1 reason notices fail audits: references to "Article 6 GDPR" make the notice non-compliant on its face. Always re-anchor citations to PDPA sections.
When to use
- Drafting a privacy notice for a website / app
- Designing a cookie / consent banner that meets PDPA criteria
- Drafting a data subject rights notice
- Notifying the PDPC of a data breach within 72 hours
- Assessing whether a DPO must be appointed
- Checking whether a template translated from the GDPR is usable under the PDPA
PDPA vs GDPR — what changes when drafting
| Topic | GDPR | PDPA (the Thai Act) |
|---|---|---|
| Consent | Opt-in, freely given | Opt-in, freely given (Sec 19); no pre-checked boxes |
| Reject button | Recommended | Required, with equal weight to the accept button, under PDPC consent guidance |
| Breach notice to regulator | 72h to DPA | 72h to PDPC (Sec 37) |
| Subject rights | 8 rights | Same 8 rights (Sec 30–36): access, rectify, erase, restrict, port, object, withdraw, complain |
| DPO trigger | Large-scale systematic monitoring or special-category data | Same trigger + state agencies (Sec 41) |
| Cross-border | Adequacy or safeguards | Adequacy or safeguards; PDPC keeps adequacy list (Sec 28) |
| Sensitive data | Art 9 categories | Sec 26: race, ethnicity, political opinion, religion/philosophy, sexual behavior, criminal record, health, disability, trade union, genetic, biometric, others as prescribed |
| Penalties | Up to 4% global turnover | Admin fines up to ฿5M; criminal up to ฿1M + 1 yr imprisonment; civil punitive up to 2x damages |
Required elements of a privacy notice (Section 23)
A compliant Thai notice must state, in plain Thai:
- Purpose (วัตถุประสงค์): the purpose for each item collected (itemized, not lumped)
- Lawful basis (ฐานทางกฎหมาย): consent / contract / legal obligation / vital interest / public task / legitimate interest
- Data categories (ประเภทข้อมูล): categories of personal data processed
- Retention period (ระยะเวลาเก็บรักษา): the period, or the criteria used to determine it
- Recipients (ผู้รับข้อมูล): recipients or categories of recipients, including processors, group companies and third parties
- Cross-border transfers (การส่งข้อมูลข้ามประเทศ): destination countries and safeguards (SCC-equivalent, BCR, adequacy)
- Data subject rights (สิทธิ์ของเจ้าของข้อมูล): all 8 rights and how to exercise them
- Controller / DPO (ผู้ควบคุมข้อมูล / DPO): controller identity, address and DPO contact
- Right to complain (สิทธิ์ในการร้องเรียน): right to complain to the PDPC (สำนักงานคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล, the Office of the Personal Data Protection Committee)
- Consequences of refusing (ผลของการไม่ให้ข้อมูล): where the data is required by contract or by law
See templates/privacy-notice-th.md for the full bilingual skeleton.
Consent banner rules (Section 19 + PDPC consent guidance)
- Pre-checked boxes are invalid — every non-essential category starts off
- "Accept all" (ยอมรับทั้งหมด) and "Reject all" (ปฏิเสธทั้งหมด) must be equally prominent: same colour, same size, same depth in navigation. "Reject all" cannot be hidden behind a "Manage preferences" wall.
- Granular consent — at minimum: necessary / analytics / marketing / personalization. Necessary cookies don't need consent but must still be disclosed.
- Withdrawal as easy as giving — provide a "Cookie preferences" link in the footer that re-opens the banner.
- No "implied consent by continuing to use the site" — explicitly invalid under PDPA.
See templates/consent-banner.md for the HTML mockup and Thai copy.
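The five banner rules above are mechanical enough to encode. The following is an added example, not code from the original page or from the templates it references: a small consent-state manager whose defaults, save, reject and withdraw paths follow the Section 19 / PDPC rules, plus a lint function that flags a banner configuration that breaks them. The category names, the storage key `pdpa_consent_v1`, the banner config shape (`buttons`, `defaults`, `footerPreferencesLink`, `impliedConsent`) and the `depth` measure are all assumptions made for the example.

```javascript
// Added example (not from the original page): consent-state manager and banner lint
// for the PDPA Section 19 / PDPC consent rules. Names and config shape are assumed.

const CATEGORIES = ["necessary", "analytics", "marketing", "personalization"];
const ESSENTIAL = new Set(["necessary"]); // disclosed, but never requires consent
const STORAGE_KEY = "pdpa_consent_v1";     // assumed storage key

// Every non-essential category starts OFF, and `decided` stays false until the user
// actually clicks something, so merely continuing to browse never counts as consent.
function defaultConsent() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = ESSENTIAL.has(c);
  return { decided: false, decidedAt: null, choices };
}

class ConsentManager {
  // `storage` is anything with getItem/setItem/removeItem (window.localStorage in a
  // browser; memoryStorage() below is a stand-in for running outside a browser).
  constructor(storage) {
    this.storage = storage;
    const raw = storage.getItem(STORAGE_KEY);
    this.state = raw ? JSON.parse(raw) : defaultConsent();
  }
  // The banner must be shown whenever there is no recorded decision.
  shouldShowBanner() { return !this.state.decided; }
  isAllowed(category) {
    return ESSENTIAL.has(category) || this.state.choices[category] === true;
  }
  // Granular save: unknown categories are ignored, essential ones are forced on.
  save(partial) {
    const choices = {};
    for (const c of CATEGORIES) choices[c] = ESSENTIAL.has(c) || partial[c] === true;
    this.state = { decided: true, decidedAt: new Date().toISOString(), choices };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(this.state));
    return this.state;
  }
  acceptAll() {
    const all = {};
    for (const c of CATEGORIES) all[c] = true;
    return this.save(all);
  }
  rejectAll() { return this.save({}); }
  // Withdrawal must be as easy as giving: one call from the footer link clears the
  // recorded decision and puts the banner back with all non-essential categories off.
  withdraw() {
    this.storage.removeItem(STORAGE_KEY);
    this.state = defaultConsent();
    return this.state;
  }
}

// Lint a banner configuration against the rules above. Assumed config shape:
// { buttons: { acceptAll: {label, depth, style}, rejectAll: {label, depth, style} },
//   defaults: { analytics: bool, ... }, footerPreferencesLink: bool, impliedConsent: bool }
// `depth` is how many clicks from the first banner view the button is (0 = on the banner).
function lintBannerConfig(cfg) {
  const problems = [];
  const { acceptAll, rejectAll } = cfg.buttons || {};
  if (!acceptAll) problems.push("missing accept-all button");
  if (!rejectAll) problems.push("missing reject-all button");
  else if (acceptAll && rejectAll.depth !== acceptAll.depth)
    problems.push("reject-all is hidden deeper in navigation than accept-all");
  else if (acceptAll && JSON.stringify(rejectAll.style) !== JSON.stringify(acceptAll.style))
    problems.push("reject-all is styled less prominently than accept-all");
  for (const c of CATEGORIES) {
    if (!ESSENTIAL.has(c) && cfg.defaults && cfg.defaults[c] === true)
      problems.push(`category "${c}" is pre-checked`);
  }
  if (!cfg.footerPreferencesLink) problems.push("no footer link to re-open preferences");
  if (cfg.impliedConsent) problems.push("implied consent by continued use is invalid under PDPA");
  return problems;
}

// Minimal in-memory stand-in for window.localStorage (constructed for this example).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Two constructed banner configs: one that follows the rules, one copied from a
// typical "Accept / Manage preferences" pattern that breaks four of them.
const sameStyle = { size: "lg", color: "primary" };
const compliantBanner = {
  buttons: { acceptAll: { label: "ยอมรับทั้งหมด", depth: 0, style: sameStyle },
             rejectAll: { label: "ปฏิเสธทั้งหมด", depth: 0, style: sameStyle } },
  defaults: { analytics: false, marketing: false, personalization: false },
  footerPreferencesLink: true,
  impliedConsent: false,
};
const hiddenRejectBanner = {
  buttons: { acceptAll: { label: "ยอมรับทั้งหมด", depth: 0, style: sameStyle },
             rejectAll: { label: "ปฏิเสธทั้งหมด", depth: 1, style: sameStyle } }, // behind "Manage preferences"
  defaults: { analytics: false, marketing: true, personalization: false },       // marketing pre-checked
  footerPreferencesLink: false,
  impliedConsent: true,
};
```

In a real page, `new ConsentManager(window.localStorage)` is created on load, `shouldShowBanner()` decides whether to render the banner, the footer "Cookie preferences" link calls `withdraw()` and re-renders, and any analytics or marketing tag is loaded only after `isAllowed(category)` returns true. Running `lintBannerConfig` over the banner configuration in CI catches the pre-checked box or buried reject button before the notice reaches an audit.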
Breach notification (Section 37)
Notify the PDPC within 72 hours of becoming aware, unless the breach is unlikely to result in risk to rights and freedoms. Notify affected data subjects without undue delay if high risk. Include:
- Nature of the breach (what happened, when, attack vector)
- Categories and approximate number of subjects + records
- Categories of personal data affected
- Likely consequences for subjects
- Measures taken and proposed (containment, remediation, notification plan)
- DPO / contact point
DPO appointment triggers (Section 41)
Required when:
- Core activity = regular and systematic monitoring of data subjects on a large scale (e.g. ad-tech, ride-hailing, loyalty program at scale)
- Core activity = large-scale processing of sensitive data under Sec 26 (e.g. hospitals, HR for tens of thousands of employees)
- The controller / processor is a state agency
- Other criteria prescribed by PDPC sub-notification (check current PDPC notifications)
The DPO must report directly to top management, cannot have a conflict of interest, and their contact must be published in the notice.
Penalties cheat sheet
- Administrative fines: up to ฿5,000,000 per violation for serious breaches (no-consent processing, unlawful sensitive-data processing, illegal cross-border transfer)
- Criminal: up to ฿1,000,000 and/or 1 year imprisonment for unauthorized disclosure of sensitive data for personal benefit
- Civil: actual damages + punitive damages up to 2× actual damages
Cross-border transfers (Section 28 / 29) and standard contractual clauses
PDPC issued two notifications in the Royal Gazette on 25 December 2023 (B.E. 2566), effective 24 March 2024 (B.E. 2567): one under Sec 28 (adequacy / "whitelist" route) and one under Sec 29 (appropriate safeguards, including BCR and standard contractual clauses / สัญญามาตรฐาน). Check the current PDPC notification text before quoting numbers; these are the controlling sub-regulations.
Current practical position: PDPC has not yet published an adequacy whitelist. In practice, almost every transfer (Cloudflare, AWS, GCP, Azure, Slack, HubSpot, Zendesk, parent-company HR systems) needs a Sec 29 safeguard.
Lawful routes under Sec 28/29:
| Route | Source | When to use |
|---|---|---|
| Adequacy | Sec 28 + Whitelist Notification | Only if destination is on the PDPC whitelist (none as of writing) |
| BCR (binding corporate rules) | Sec 29 + Safeguards Notification | Intra-group transfers; must be pre-approved by the PDPC |
| SCC (สัญญามาตรฐาน) | Sec 29 + Safeguards Notification | Most third-party processor/controller transfers; clauses must meet PDPC minimum content |
| Certification | Sec 29 + Safeguards Notification | Where a PDPC-recognized certification scheme exists |
| Explicit consent | Sec 28(1) | Data subject informed of inadequate protection and consents — fragile, not for routine use |
| Contractual necessity | Sec 28(3)/(4) | Transfer needed to perform a contract with / in the interest of the data subject |
| Vital interest / legal claim / public interest | Sec 28(2)/(5)/(6) | Narrow exceptions |
What to write in the privacy notice (Sec 23(5)+(6) anchor):
- Destination countries (list them — "global cloud providers" is not enough)
- The Sec 28 or Sec 29 route relied on for each
- For SCC: state that PDPC-compliant standard contractual clauses are in place and available on request
- For BCR: state PDPC approval status
- Do not write "we comply with GDPR SCCs" — EU SCCs are not automatically a PDPA Sec 29 safeguard; either re-paper to PDPC SCC or add a Thai addendum
DPIA — risk assessment (no codified DPIA section)
Important framing: PDPA does not have a GDPR-style Article 35 "DPIA is mandatory" provision. What it does have:
- Sec 37(1) — controller must put in place security measures appropriate to the risk
- Sec 39 — Record of Processing Activities (RoPA), which forces you to enumerate purpose, categories, retention, recipients, safeguards
- Sec 40 — same duties on the processor
- PDPC guidance (and SME-exemption carve-outs) treats certain processing as inherently high-risk and effectively expects a written impact assessment
When to run a DPIA (ประเมินผลกระทบด้านการคุ้มครองข้อมูลส่วนบุคคล, a personal data protection impact assessment) even though one is not statutorily required:
- Large-scale processing of Sec 26 sensitive data (health, biometric, genetic, religion, sexual behavior, crimi