Do you keep copies of passports, ID cards, contracts or medical papers for clients? If yes, you need to understand Thailand’s Personal Data Protection Act (PDPA) and how it affects your day-to-day operations.
The PDPA sets rules for how organisations collect, use, store and dispose of personal data. Getting it wrong can be costly, not only in fines but in reputational damage and loss of trust.
A recent case shows exactly what is at stake. A private hospital in eastern Thailand outsourced the destruction of paper medical records to a small business. Instead of shredding them promptly, the contractor stored the files at home and some papers later turned up as wrappers for street food. The Personal Data Protection Committee (PDPC) found that over 1,000 protected files were leaked during this process. The hospital was fined 1.21 million baht, while the disposal business owner was fined 16,940 baht.


I am pedantic about keeping customer data safe: nothing is left on desks overnight or when the office is closed. Data belongs locked away in a secure place. My team hear me talk about this all the time. Early on they thought I was mad, and perhaps I am, but on this point they have come around. I regularly ask whether they would be comfortable having their own personal details on full display; that usually concentrates minds and keeps us careful.
We shred all papers ourselves and have invested in a great shredder. This ensures our customer data does not end up wrapped around a fried chicken leg.
REMEMBER: If you outsource destruction to someone else, you are still responsible in the eyes of the law.
For any business that handles client documents, three lessons stand out:
- Vendor oversight is not optional. If you outsource scanning, storage or destruction, you remain the data controller. Use proper contracts, audit your vendors, supervise destruction with a chain of custody, and obtain a certificate of destruction.
- Have a breach plan and act fast. If personal data is compromised, you may have to notify the PDPC without delay (and, where feasible, within 72 hours) and sometimes notify affected individuals. Build this timing into your incident response plan.
- Minimise and secure. Keep only what you need, for as long as you need it. Lock down access, encrypt where appropriate, train staff and contractors, and test your disposal procedures.
Handled well, PDPA compliance protects your clients and your brand. Handled poorly, it can end up in the headlines.
How Would You Like Your Data To Be Handled?
Thailand PDPA – key items business owners need to know/understand
- Applies to All Businesses Handling Personal Data
  - The PDPA applies to any organisation, Thai or foreign, that collects, uses, or discloses personal data of individuals in Thailand, whether customers, employees, or suppliers.
- Clear Consent is Required
  - You must obtain explicit, informed consent from individuals before collecting or processing their personal data, unless another legal basis (e.g. contract, legal obligation) applies.
- Define and Limit the Purpose
  - Data must only be collected for specific, clearly stated purposes. Using the data for other reasons without additional consent is prohibited.
- Rights of Data Subjects
  - Individuals have the right to:
    - Access their data
    - Request corrections
    - Withdraw consent
    - Object to data use
    - Request deletion (“right to be forgotten”)
- Transparency Obligations
  - You must inform individuals (via a privacy notice) about:
    - What data is being collected
    - Why it’s being collected
    - How it will be used
    - Who it will be shared with
    - How long it will be retained
- Data Minimisation
  - You should collect and retain only the data necessary for the stated purpose. Excessive or irrelevant data collection is a violation.
- Security Measures Are Mandatory
  - Businesses must implement reasonable administrative, technical, and physical safeguards to protect personal data from unauthorised access, leaks, or loss.
- Cross-Border Transfers Require Protection
  - If personal data is transferred outside Thailand, the recipient country must have adequate data protection standards, or appropriate safeguards (like binding contracts) must be in place.
- Special Categories of Data Need Extra Protection
  - Sensitive data, such as race, religion, health, biometric data and political opinions, requires explicit consent and additional safeguards.
- Data Breach Notification
  - If a breach occurs, you must notify the PDPC (Personal Data Protection Committee) within 72 hours and inform affected individuals if there’s a high risk of harm.
- Appoint a Data Protection Officer (DPO) if Required
  - Companies engaged in large-scale or high-risk data processing must appoint a DPO to monitor compliance and coordinate with authorities.
- Non-Compliance Carries Penalties
  - Fines can reach up to THB 5 million per offence, plus civil damages and even criminal liability for serious breaches or misuse of sensitive data.
As a business owner, focus on:
- Conducting an internal data audit: what data are you collecting, storing, and sharing?
- Creating or reviewing your privacy policy and consent forms.
- Implementing staff training on data protection principles.
- Reviewing in detail your contracts with third parties who process data on your behalf.
- Putting a response plan in place for data breaches and access requests.
And to ensure it all works going forward, I recommend that you appoint a member of staff to train everyone and oversee the process and monitoring.
If you need help implementing a plan or doing an audit, talk to us at Chiang Mai Business Network. We can help build a robust framework for your business’s handling of PDPA-covered data.