
Thailand PDPA Privacy Guide: Your Rights Under the Personal Data Protection Act

A practical guide to Thailand's PDPA (Personal Data Protection Act) for individuals. Learn your data rights, how to request deletion, and what companies must comply with.

LOCK.PUB
2026-03-17

Thailand's Personal Data Protection Act (PDPA / พ.ร.บ.คุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562) went into full effect in June 2022, giving Thai residents significant control over their personal data. Despite being law for several years, many people in Thailand still do not know what rights they have or how to exercise them.

This guide breaks down what the PDPA means for you as an individual and how to take control of your personal data.

What the PDPA Covers

The PDPA applies to any organization — Thai or foreign — that collects, uses, or discloses personal data of people in Thailand. This includes:

  • Banks and financial institutions
  • Telecom providers (AIS, TRUE, DTAC)
  • E-commerce platforms (Shopee, Lazada)
  • Social media companies
  • Hospitals and healthcare providers
  • Government agencies
  • Employers
  • Any website or app you use

What Counts as Personal Data

| Data Type | Examples |
|---|---|
| Identification (ข้อมูลระบุตัวตน) | Name, national ID number, passport number, ThaiD data |
| Contact Information | Phone number, email, LINE ID, address |
| Financial Data (ข้อมูลการเงิน) | Bank accounts, credit card numbers, PromptPay ID |
| Biometric Data | Fingerprints, facial recognition data, voice prints |
| Health Data (ข้อมูลสุขภาพ) | Medical records, prescriptions, health insurance details |
| Location Data | GPS data, check-in history, travel records |
| Online Activity | Browsing history, search history, cookies |
| Employment Data | Salary, work history, performance records |

Your Rights Under the PDPA

1. Right to Be Informed (สิทธิในการรับทราบ)

Before collecting your data, organizations must tell you:

  • What data they are collecting
  • Why they need it
  • How long they will keep it
  • Who they will share it with
  • Your rights regarding that data

In practice: This is the consent form or privacy notice you see when signing up for services. Read it — it matters.

2. Right to Consent (สิทธิในการให้ความยินยอม)

You must give clear consent before your data is collected, except in limited cases (legal obligation, vital interest, public interest, or legitimate interest). You also have the right to:

  • Withdraw consent at any time
  • Refuse consent without being denied the core service (companies cannot refuse service just because you declined optional data collection)

3. Right of Access (สิทธิในการเข้าถึง)

You can request a copy of all personal data an organization holds about you. They must respond within 30 days.

4. Right to Data Portability (สิทธิในการโอนย้ายข้อมูล)

You can request your data in a commonly used, machine-readable format and have it transferred to another service provider.

5. Right to Rectification (สิทธิในการแก้ไข)

If your data is inaccurate or incomplete, you have the right to request correction.

6. Right to Erasure (สิทธิในการลบ)

You can request that an organization delete your personal data when:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent
  • You object to processing and there are no overriding legitimate grounds
  • The data was collected unlawfully

7. Right to Restrict Processing (สิทธิในการระงับ)

You can request that an organization stop using your data while a dispute is being resolved.

8. Right to Object (สิทธิในการคัดค้าน)

You can object to data processing for direct marketing purposes at any time, with no conditions.

PDPA Rights Summary Table

| Right | When to Use | Response Deadline |
|---|---|---|
| Access (เข้าถึง) | Want to know what data they have | 30 days |
| Erasure (ลบข้อมูล) | Want your data deleted | 30 days |
| Rectification (แก้ไข) | Data is incorrect | 30 days |
| Portability (โอนย้าย) | Switching to another service | 30 days |
| Object (คัดค้าน) | Stop marketing, profiling | Immediate for marketing |
| Restrict (ระงับ) | Pause processing during dispute | 30 days |
| Withdraw Consent (ถอนความยินยอม) | Change your mind about data use | Varies |

How to Exercise Your PDPA Rights

Step 1: Find the Data Protection Contact

Most organizations are required to have a Data Protection Officer (DPO) or a designated contact for data requests. Look for:

  • Privacy policy page on their website
  • "Data Protection Officer" contact in their terms of service
  • Customer service departments (specify your request is a PDPA request)

Step 2: Submit a Written Request

Send a formal request via email or written letter. Include:

  • Your full name and contact information
  • Proof of identity (redacted ID card copy)
  • Specific right you are exercising
  • Description of what data you want accessed, deleted, or corrected
  • Reference to PDPA Section 30-36

Step 3: Track the Response

Organizations must respond within 30 days. If they refuse, they must explain why in writing.

Step 4: Escalate If Necessary

If the organization does not comply, you can file a complaint with:

  • Office of the Personal Data Protection Committee (PDPC) — pdpc.or.th
  • Courts — You can seek compensation for damages caused by PDPA violations

Protect Your Personal Data Proactively

Minimize Your Data Footprint

  • Only provide data that is truly necessary for the service
  • Use separate email addresses for different services
  • Decline optional data collection wherever possible
  • Review app permissions on your phone regularly

Secure What You Share

When you need to share sensitive personal information — national ID numbers, bank details, medical records — never send them through LINE or email. Use LOCK.PUB to create encrypted, password-protected memos that auto-expire. The recipient views the information with a password, and it self-destructs after expiration. No data lingers in chat history or email archives.

Regular Data Audits

  • Review privacy settings on social media quarterly
  • Check what apps have access to your LINE account
  • Review connected apps on your Google and Apple accounts
  • Delete accounts on services you no longer use

What Companies Must Comply With

Under the PDPA, organizations that violate data protection rules face:

| Violation | Maximum Penalty |
|---|---|
| Administrative fine | Up to 5 million THB |
| Criminal penalty | Up to 1 year imprisonment and/or 1 million THB fine |
| Civil liability | Actual damages + punitive damages (up to 2x actual) |

Companies must also:

  • Appoint a Data Protection Officer (for large-scale processing)
  • Maintain records of data processing activities
  • Implement appropriate security measures
  • Notify the PDPC of data breaches within 72 hours
  • Obtain consent before cross-border data transfers (with exceptions)

Common PDPA Scenarios for Everyday Life

  • An online shop keeps sending marketing messages after you unsubscribe — File a PDPA complaint for violation of your right to object
  • A former employer shares your salary information — Request erasure and file a complaint
  • A hospital shares your medical records without consent — This violates PDPA sensitive data protections
  • A telecom company sells your data to advertisers — Request access to see who received your data, then demand deletion

The Bottom Line

The PDPA gives you real power over your personal data. Exercising these rights is free, and organizations must comply within 30 days. Start by reviewing which services hold your data and request deletion from those you no longer use.

For sharing sensitive personal information when necessary, visit LOCK.PUB to create free encrypted memos that self-destruct — ensuring your data does not persist longer than needed.
