PDPA : Personal Data Protection Act

PDPA stands for Personal Data Protection Act B.E. 2019 (2019). The law came into force on June 1, 2022. It is a law on the authorization of personal data subjects. Establish standards for keeping personal information safe. And used for purposes according to the consent of the subject of personal data such as name, address, phone number, photograph, bank account, email, LINE ID, website account, fingerprint, health history, etc., which can identify the owner of the data. that It can be data in the form of documents, paper, books, or stored electronically.

To collect personal information, collect personal information, use personal information or for the disclosure of personal information All of which are related to this Act that must be complied with. If anyone or any organization fails to comply, there will be legal penalties. The PDPA's penalties for those who do not comply are There are civil penalties, criminal penalties, and administrative penalties.

How is PDPA important?

The importance of PDPA is to empower data subjects with rights over personal data that has already been collected. or are going to be stored more To create security and privacy for data owners with important rights Right to Acknowledgment and Acceptance of Personal Data Collection and the right to request access to personal data objection and revocation of data collection and use and the right to request the removal or destruction of personal data

Increased rights of data subjects This causes enterprise operators and companies to modify the process of collecting and taking personal data of data subjects, whether they are customers. Employees in the organization or any person involved in accordance with the practices of the PDPA, the Personal Data Protection Act.

If you are an entrepreneur Or represent an organization that handles PDPA matters. Today, we'll help you change the way they operate to comply with PDPA laws.

If you want to collect information data processing put data to use Including the maintenance and security of personal information of customers and related parties. You will need to perform the following steps urgently. Because Thailand has now started enforcing the PDPA Act, if you fail to comply with the PDPA principles, you may face serious civil, criminal and administrative penalties.

In addition, there is another type of personal data that this Act gives importance and has severe penalties in case of leaking to the public that is Sensitive Personal Data, namely: Information ethnicity, ethnicity, political opinions, cult beliefs Religious or philosophical, sexual behavior, criminal record, health information, disability or mental health information, trade union information, genetic information, biometric information, any other information that affects the subject of information in a similar manner as determined by the Committee.

The rights of the personal data subject (Data Subject Rights) are as follows:

1. Right to be informed

2. Right to request access to personal data

3. Right to object to the collection, use or disclosure of personal information

4. Right to request removal or destruction

5. Right to withdraw consent

6. Right to request to suspend the use of information

7. Right to request correction of personal data

8. Right to request the transfer of personal data

On the part of the controller of personal data whether a natural person or a juristic person (companies, shops, foundations, associations, agencies, organizations, shops or anything else) if personal information is collected or use of personal information or disclosed for any purpose Consent from the data subject is also required. It is necessary to clearly state how the information will be used. unless it is in accordance with the exception that The Act stipulates 6 items as follows:

· It is the performance of a contract.

· It is a use that is authorized by law.

· It is a life-saving use and/or a person's body

· It is used for statistical research.

· It is used for public benefit.

· It is used to protect interests. or their own rights

It can be seen that PDPA or the Personal Data Protection Act. come to want to maintain the rights of the data owner However, before using the data, the data collector must obtain the consent of the data owner. The data subject should also carefully consider that each time the personal data is provided. for what purpose And we can refuse to provide that information. In order to prevent misuse or exploitation of our personal data, it is possible.


for the data collector It is a very direct impact on the PDPA that must be complied with. The personal data controller therefore has to set up a personal data security policy within the organization and educate personnel in the organization, know the scope of collection, use and dissemination of personal data, have a data storage system. Secure personal, access to personal information is restricted, personal information usage activity is recorded. These are all essential that data controllers comply with in order to continue complying with the PDPA.