Summary

Thai Personal Data Protection Act (PDPA)

Definition

• Personal Data: any information relating to a person identify, excluding deceased person.
• Person: natural person
• Data Controller: person or juristic person who has the power to make decision on the collection, use, or disclosure of personal data.
• Data Processor: person or juristic Person who processes personal data on behalf of the data controller.

Law

Section 22:

• The collection of personal data shall be limited to the extent necessary for the lawful purpose.

Section 24:

• The data controller shall not collect personal data without the consent of the data subject unless
  1. It is for achievement of the purpose relating to
     • the preparation of historical documents or the archives for public interest
     • research or statistics in which the suitable measure to safeguard the data subject’s rights and freedom are provided.
  2. For preventing or suppressing a danger to a person’s life, body, or health.
  3. For the performance of a contract to which the data subject is a party, or in order to task steps at the request of the data subject prior.
  4. For the performance of a task carried out in the public interest in the Data Controller, or necessary for the exercise of official authority vested in the Data Controller.
  5. For legitimate interests of the Data Controller or a third party, except where such interests are overridden by the fundamental rights and freedoms.
  6. For compliance with a law to which the Data Controller is subjected.