What is PDPA (Personal Data Protection Act - Thailand)?
Thailand's PDPA is a comprehensive data protection law modeled after the GDPR that regulates the collection, use, and disclosure of personal data, with full enforcement beginning in June 2022.
Thailand's Personal Data Protection Act (PDPA), enacted in 2019 with full enforcement from June 1, 2022, is the country's first comprehensive data protection legislation. Heavily influenced by the GDPR, it applies to the collection, use, or disclosure of personal data by data controllers or processors located in Thailand, as well as those outside Thailand if they offer goods or services to, or monitor the behavior of, individuals in Thailand.
The PDPA establishes lawful bases for processing, including consent, research, vital interests, contract performance, public interest, and legitimate interest. It grants data subjects the rights of access, data portability, objection, erasure, restriction, and correction, as well as the right to withdraw consent. The law also categorizes certain data as sensitive personal data, including health data, biometric data, racial or ethnic data, and political opinions, which require explicit consent for processing.
The Personal Data Protection Committee (PDPC) oversees enforcement, and penalties include administrative fines of up to 5 million Thai baht, criminal penalties including imprisonment, and punitive damages up to twice the actual damages. Organizations operating in Thailand should use IQWorks to manage PDPA compliance, particularly leveraging DiscoverIQ for mapping personal data flows and ConsentIQ for managing consent across Thai operations.
Related Terms
GDPR (General Data Protection Regulation)
The General Data Protection Regulation is the European Union's comprehensive data protection law that sets strict rules for how organizations collect, store, and process personal data of EU residents, with fines up to 4% of annual global turnover.
Sensitive Personal Data
Sensitive personal data includes special categories such as health information, biometric data, racial or ethnic origin, religious beliefs, and sexual orientation that require enhanced protection.
Consent Management
Consent management is the systematic process of obtaining, recording, tracking, and managing individuals' consent for the collection and processing of their personal data in compliance with privacy regulations.