Privacy policy

PDPA Compliance Overview

What is PDPA?

After being postponed since 2019, the Personal Data Protection Act has come into force in Thailand on June 1, 2022, intending to ensure members of the public that their personal data is protected and not misused. Regarded as Thailand's very own adaptation of the GDPR, the data privacy regulations of this act pertain to the same key points of rights of data, data controlling and non-compliance penalties.

Though the core ideals behind this act are very similar to those of GDPR, it's very important that companies operating within Thailand take the initiative to remain informed and up to date on PDPA provisions, non-compliance penalties, as well as the obligations and liberties of data controllers.  


Key Definitions in the PDPA
How is PDPA Applied?

The PDPA sets regulations for how personal data is collected and used. This applies to all businesses located in Thailand, regardless of whether the data was collected or distributed outside the country. The PDPA also applies to businesses located outside the kingdom, if a few conditions are met:

What are PDPA's lawful bases?

There are six lawful bases that must be met in every act of collecting or using data in order to remain PDPA compliant. All other cases that these lawful bases do not cover, will require the data subject's consent for collection, usage, and disclosure of the personal data.   The lawful purposes are:

  1. for the preparation of historical documents or archives for the public interest, or relating to research or statistics, in which suitable measures to safeguard the data subject's rights and freedoms are put in place and in accordance with any notification prescribed by the Office;
  2. for preventing or suppressing danger to a person's life, body or health;
  3. where it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  4. where it is necessary for the performance of a task carried out in the public interest by the data controller, or in order to exercise the official authority vested in the data controller;
  5. for the legitimate interests of the data controller or any other persons, except where such interests are overridden by the fundamental rights of the data subjects with respect to their Personal Data; or
  6. where it is necessary to comply with any laws to which the data controller is subject.

Certain criteria must be met for the data subject's consent to be considered valid:

Privacy Notice

The privacy notice serves the purpose of keeping data subjects informed of when their data is collected and the purpose it's used for. The data controller must provide the data subject with a privacy notice prior to or by the time the Personal Data is collected.   The notice must include the following information:

Breach Notification

A data controller is required to notify the Office of any data breach affecting Personal Data within 72 hours after becoming aware of it. If the breach is likely to pose a high risk to the rights and freedom of the data subject, the data subject must also be notified without delay.    

Security Obligations

A data controller has a duty to keep Personal Data secure, including the following:

Cross Border Data Transfer

In the event that a data controller sends or transfers Personal Data to a foreign country, the destination country that receives such Personal Data shall have adequate data protection standards, unless an exemption is met (eg a consent from the data subject is obtained for the transfer of the Personal Data to a country which the data protection standard that is not adequate, or the transfer is for compliance with the law). The guideline on adequate data protection standard is yet to be issued.    


A violation of the PDPA could result in civil liability, criminal liability and administrative fines. For example, a data controller who collects, uses or discloses the Personal Data without consent from the data subject (where consent is required) will be liable.    


How Manatal helps you stay compliant

As personal data privacy, yours as well as that of your candidates, is of the utmost importance to us, our platform was designed to simplify and ease compliance to PDPA regulations. To that end, we've included features that help Manatal users meet the specific requirements set by the PDPA. Our goal is to provide you with the tools necessary to adhere to data privacy laws and regulations, and remain informed of the various rights accorded to yourself and your candidates as you recruit.

Manatal supports your PDPA compliance by allowing you to:

Disclaimer: The information above is only a general guide and a suggestion for users. It does not apply to any legal situation, in which you should consult with professional counsel. Manatal welcomes any advice or recommendation to improve this content.

Try Manatal for free during 14-day with no commitment.

No credit card required
No commitment
Try it Now