Compliance · 2026-03-17 · 4 min read

Thailand PDPA: Consent and Controller Duties Guide

Learn how to meet Thailand’s PDPA rules on consent and data controller duties. Practical steps, legal references, and tools from LegalDocs.ai to stay compliant.

Thailand’s Personal Data Protection Act B.E. 2562 (2019) puts consent at the center of lawful processing. Under Sections 23 and 24, consent must be informed, specific, freely given, and easy to withdraw, while certain purposes (contract, legal duty, legitimate interests) may proceed without it. Sensitive data under Section 26 requires explicit consent. For practical compliance, map what you collect, separate marketing consent from service terms, use clear Thai language, provide a one-click revoke path, time‑stamp consent logs, and avoid pre-ticked boxes online or implied opt-ins.

As a data controller, Section 37 requires appropriate security, access controls, and breach response; notify the PDPC of a risky breach without delay and generally within 72 hours. Keep processing records (Section 39), put processor safeguards in contracts (Section 40), and appoint a Data Protection Officer when large-scale monitoring applies (Section 41). Practical moves: assign a privacy owner, run DPIAs for new projects, classify data, encrypt at rest and in transit, test incident drills quarterly, and run vendor-risk assessments of cloud and marketing platforms.

Draft your privacy policy to tick PDPA boxes: explain purposes and lawful bases (Sections 23–24), sensitive data handling (Section 26), retention, data subject rights and request channels (e.g., access, deletion; Sections 30–35), cross‑border transfers (Section 28), and contact details for the controller and DPO. Use plain Thai and English, layered summaries, and clear timestamps on updates. Review quarterly and whenever processing changes. LegalDocs.ai can generate PDPA‑aligned notices, manage consent records, and streamline DPA and vendor due‑diligence workflows for growing Thai businesses.
