[July 2019] Personal Data Protection Act (PDPA) – A quick guide for marketers and business owners

By Florian Maier, Managing Director and Phi Ploenbannakit, Director – Antares Advisory, part of Antares Group

Thailand has adopted the principals of the EU General Data Protection Regulation (“GDPR”). The Personal Data Protection Act (“PDPA”) legislation was approved and published in the Royal Gazette on 27 May 2019. A one-year grace period has been given, while the committee and office are being formed, so there is only a short time to prepare for regulatory impacts.

The PDPA will not only have an impact on digital marketing and how marketers effectively target customers, but will also impact all businesses collecting data from persons residing in Thailand.

What is the Personal Data Protection Act (PDPA)?

By default, PDPA is the territorial recognition of GDPR and is designed to protect personal data in digital format against identity theft and misuse. Personal data being collected, processed, distributed, and transmitted or transformed in any manner and for any purpose is also governed by the PDPA. As such, marketers and business units who collect and make use of their customers’ personal data in the course of operation are required to comply with the PDPA.

What is personal data?

PDPA defines personal data as associated data, which can identify a natural person either directly or indirectly, except for the deceased. In other words, personal data is any kind of customers’ or users’ identity having been received with or without notice, including biological data e.g. fingerprint, voice recognition, face detection, etc.

Personal data is generally collected by a data controller and analyzed by a data processor for commercial and business development purposes despite consideration or any payment in kind. It could be the product of paper-based or online registration, customer warranty registration, services or credit application form, exhibition registration, cookies, or even a digital footprint. Protection extends to those who have been compelled to provide their data subject to early services or product acceptance procedures and later, having their data gradually collected by implied consent in terms of users’ behavior. Additionally, personal data shared across marketing or business units as a secondary source to enhance customer engagement is also subject to the law.

Who is subject to the PDPA?

Basically, it is the data controller and the data processor that are regulated by the PDPA. PDPA defines the ‘Data Controller’ as a natural or juristic person who is authorized to collect, use, or disclose personal data, and the ‘Data Processor’ is the person who proceeds with collection, usage, or disclosure of such data on behalf of or according to the data controller’s instructions. However, the data processor is not the data controller. Simply, one person cannot function as the data processor and the data controller at the same time and under the same body. The core function must be carried out independently, even though, they are under the umbrella of affiliated companies.

The data controller can be the business owner or brand that acquires the users’ or customers’ personal data through a registration or membership system. On the other hand, the data processor can be an agency or hosting service provider.

 What are duties of the data controller and data processor?

The data controller and the data processor are distinguished by their duties under the PDPA, even though the descriptions seem to be overlapping to some extent.

In general, the processor has lesser duties than the controller, provided that the processor could be held liable as if they were a controller, should they fail to comply with the controller’s instructions with regards to the collection, usage, and disclosure of personal data.


**The content of this table is merely a summary of concerning sections of the PDPA. Crucial details must be further sought for implementation.

Multi-national corporations including their branch and representative offices are subject to the PDPA, either as the controller or the processor. The former would be most likely the case when they engage with local customers or engage in business-related activities internally and externally. The main concerns are the restrictions on personal data transmission overseas, particularly sensitive data, such as biological data, health records, labour union data, political comments, sexual behaviour, etc.

 How to prepare for the PDPA regulatory impact?

PDPA generally applies to the online and offline businesses as long as personal data is collected and processed in the course of their business operations. The act is extensive to the universal personal data including those of the customer, business partner, user, target research, employee, etc., either retrieved from primary or secondary sources.

With the PDPA less than 12 months away, businesses must make the collection and management of personal data a priority. Here are 4 practical steps that businesses can follow to prepare for the regulatory impact:

  1. Implement a privacy policy and inform personal data owners of the personal data collection, usage, or discloser purposes upon engagement. The privacy policy can be equivalent to the ordinary cookies policy to make the visitors aware of tracking and records. There is not as of yet strict wording under the PDPA nor minimum requirements, which would be subject to the committee’s announcement. As such, the simple communication containing all legal requirements is fine for now.
  2. Obtain the personal data owners’ explicit consent. It can typically be demonstrated by a landing page or first page privacy policy acceptance form prior agreed in order to enjoy the product or service. It is advised to bear in mind that this take-it or leave-it scheme may not last very long, because it can be viewed as a blatant obstacle by the seller against the products or services already purchased. Thus, it is highly recommended to obtain consent before payment or landing.
  3. Create a contact channel where the data owners can withdraw their consent, request an update, or erase their data, should they wish. Currently there are no specific requirements for the contact channel. Thus, it can be a hotline, e-mail, tied-in links, or even a letter. However, it must allow the data owners to express their will as easily as possible. The data log must be created and maintained in an appropriate manner.
  4. Start looking at internal audit policies and creation of a personal data protection unit according to the PDPA’s requirements. This additional cost is unavoidable. Thus, advanced budget planning would prevent redundancy and associated deficiency.

There is an exemption for ‘Small Enterprise’. However, the criteria are not yet set and will be further defined by the committee. The minimum requirements and subordinate rules are predicted to be known as soon as the committee is formed, so are the following administrative procedures and law enforcement when the office is in place.

 What are the penalties for non-compliance?

PDPA outlines strategic and common duties between the high data controller and the data processor. Any failure to comply with the PDPA would subject them to the maximum imprisonment up to 1 year and/or fine penalty up to 5 million Baht, although, some of these are rarely compoundable offenses. As such, integrated collaboration is essentially required to mitigate the legal exposures.

What will happen with the personal data obtained before the PDPA?

Previously obtained data may be kept and used according to the original purposes. However, data owners must be informed that they can erase the data or withdraw their prior consent. Other than that, disclosure and related activities e.g. transmission, sharing, processing, etc. of such data must comply with the PDPA regulations.

Final Thoughts

In the past, personal data has been exploited in various ways as data controllers and data processors could do as they please due to lack of regulatory controls, legal protection, and law enforcement. That will change after the PDPA comes into force.

We recommended businesses collecting personal data of persons residing in Thailand to familiarize themselves as early and as comprehensive as possible with the PDPA and reconsider their policies and procedures for handling personal data.

We will monitor the development of the PDPA subordinate laws and regulations and we will provide you with updates once these will become available.



Florian is the Managing Director of Antares Advisory.He joined Antares in 2014. Prior to that, Florian has been working for a German-owned law firm in Bangkok and, subsequently, for 5 years for a law firm in Stuttgart, Germany, advising mid-sized German companies with respect to international contract law.
He speaks German, English and French and he has an extensive experience in all legal matters, including tax law.
He can be reached at florian@antaresgroup.com or +66 (0) 83 669 0834.


Phi is the Director of Antares Advisory. He holds a LL.B. and subsequently a LL.M. in Business Laws, program held in English, from Thammasat University. He is a member of the Lawyers Council of Thailand and the Thai Bar Association. Phi is a Thai licensed lawyer and Notarial Services Attorney.
His area of practice covers corporate & commercial law, M&A, legal due diligence, labor law, property law, family law, litigation and arbitration. He has extensive experience in assisting corporate and individual clients in identifying the root cause, finding the best solutions and alternatives to mitigate the exposure and take the right decision.
He can be reached at phi@antaresgroup.com or +66 (0) 98 824 4186.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s