Announcing Agent Commander - The First Integrated solution from Veeam + Securiti.ai enabling the scaling of safe AI agents

View
Contact Us See a demo

Employer’s Data Obligation Under Thailand’s PDPA

employee data thailand banner
Published June 12, 2022 / Updated May 9, 2024
Contributors

Anas Baig

Product Marketing Manager at Securiti

Muhammad Faisal Sattar

Director of Product Legal & Global Data Compliance

FIP, CIPT, CIPM, CIPP/Asia

Listen to the content

Thailand's Personal Data Protection Act (the "PDPA") is a comprehensive data privacy law that aims to protect the privacy of Thailand’s citizens. The PDPA was said to go into effect on 27 May 2020. However, the PDPA went into effect on June 1st, 2022, after being postponed due to the pandemic.

The PDPA does not explicitly cover an employer's handling of personal information about employees. Data controllers are defined as "a person or juristic person who has the right and duty to make decisions regarding collecting, using, or disclosing personal data" under Section 6 of the PDPA.

Employers would be subject to the PDPA's requirements since they make decisions about collecting, using, and disclosing employees’ personal data.

Employers' Obligations Under the PDPA

Employers have several obligations under the PDPA:

According to Section 19 of the PDPA, an employer shall not collect, use, or disclose personal data on employees unless the employee has given consent before or at the time of the collection, use, or disclosure.

Unless it is impossible by nature, a request for consent must be given expressly in a written statement or via technological means. According to Section 26 of the PDPA, an employer shall not acquire the following sensitive personal data without the employee's specific consent:

  • Racial information,
  • Ethnic origin,
  • Political opinions,
  • Cult, religious or philosophical beliefs,
  • Sexual behavior,
  • Criminal records,
  • Health data, disability,
  • Trade union information,
  • Genetic data,
  • Biometric data, or
  • Any data which may affect the employee in the same manner.

Exemptions

However, the PDPA provides few exceptions regarding the consent and data collection requirements. Employers can process employees’ personal data when there is a legitimate reason, such as a medical emergency or for workers’ compensation claims, public interest, to meet contractual obligations, or to ensure employment protection.

As of now, the PDPA does not define employment protection as an exception for the above requirement. Employers must notify employees prior to collecting their personal data, even where consent is not required. Employers should consider the following to stay compliant with the PDPA:

  1. Consent of employees should be explicit;
  2. Employees should be informed about the purpose of collection, processing, retention period, and/or disclosure;
  3. The collection of personal data should be limited to the extent of its purpose of use;
  4. Employees have the right to withdraw consent at any time;
  5. Employers need to inform employees of any consequences associated with the withdrawal of consent;
  6. The employee's right of access and correction (including the contact information of the person who handles any request for access to the data on the employer's behalf).

Data Retention

The PDPA does not provide any retention period. However, it requires employers to ensure that they inform employees regarding their personal data retention period.

In Thailand, organizations usually retain the data of their employees for ten years under the Labor Protection Act. Employers should ensure that they don’t retain any unnecessary personal data of their employees or job applicants.

Data Transfer Obligations

Section 28 of the PDPA addresses the transfer of employee information to third parties, whether in Thailand or abroad. The PDPA states that the destination country and third parties should have adequate data protection standards.

The transfers shall be carried out in accordance with the requirements for the protection of employees’ personal data. It is advised that the employer must obtain consent from the employee before transferring any data and ensuring that the third party has adequate security measures to protect the employees’ data.

Security Measures Requirements

Employers must take appropriate security measures to prevent unauthorized losses, alterations, or disclosure of employees' personal data. The PDPA requires that employers implement a system to destroy personal data when the retention period is over, when the data is no longer necessary or when the employee requests its destruction.

Data Breach Requirements

Any personal data breach must be reported to the Office of the Personal Data Protection Committee without delay and, where feasible, within 72 hours after the employer has become aware of it.

Employees’ Rights under The PDPA

Under the PDPA, employees are entitled to a number of rights that the employer needs to honor in order to stay compliant. These rights are as follows:

Right to access:

Employees have the right to access the personal data that the employer collects, uses, and discloses.

Right to be informed:

The employer shall inform the employee about any collection, processing or storage of data prior to or at the time of the collection of the personal data.

Right to erasure:

The employee has the right to request the employer to delete any stored data, except where the employer is not obligated to do so.

Right to rectification:

Employees have the right to rectify incomplete or inaccurate personal data that the employer has stored.

Right to Withdraw Consent:

The employee has the right to withdraw their consent at any time for the purposes that they have consented to the processing of their personal data.

Operationalizing the PDPA

In order to achieve compliance, HR management needs to honor the obligations mentioned above. This can be done in the following ways:

  • Disclose how employees’ data is being processed through transparent formal policies.
  • Develop formal policies and procedures for data collection and handling.
  • Update privacy policies as needed.
  • Ensure privacy policies and notices are easily accessible.
  • Review and update data handling and security practices.
  • Maintain proper documentation.

Manual approaches have a slew of drawbacks, including high prices and the possibility of human error. In today's automated and digitally connected world, firms must use automation to comply with privacy laws such as Thailand's PDPA.

Securiti’s Sensitive Data Intelligence Solution enables organizations to discover, analyze, and protect large datasets. It offers organizations a 360-degree solution to all their compliance needs. Request a demo of Securiti’s Sensitive Data Intelligence solution and start your journey to PDPA compliance.

To assist you in complying with the PDPA's requirements, Securiti also provides automatic data mapping, DSR rights fulfillment, data breach management, and added security controls.

Frequently Asked Questions (FAQs)

The Personal Data Protection Act (PDPA) in Thailand outlines various obligations for organizations regarding the collection, use, and disclosure of personal data. These obligations include obtaining consent for data processing, ensuring data security, and respecting individuals' rights.

Thailand's PDPA introduced requirements for organizations to report data breaches to both the Personal Data Protection Committee (PDPC) and affected data subjects. The PDPA also requires organizations to take remedial action and notify affected individuals when a data breach poses a risk to their rights and freedoms.

While both GDPR and the Thailand PDPA aim to protect personal data, there are differences. GDPR applies in the European Union, whereas the Thailand PDPA is specific to Thailand. GDPR has stricter requirements and higher fines. However, both regulations share principles related to consent, data rights, and data breach notification.

Analyze this article with AI

ChatGPT Claude Perplexity Grok
Prompts open in third-party AI tools.
Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

Share
More Stories that May Interest You
View More
February 24, 2026
Introducing Agent Commander
The promise of AI Agents is staggering— intelligent systems that make decisions, use tools, automate complex workflows act as force multipliers for every knowledge...
View More
October 16, 2025
DataAI Security for Financial Services: Turn Risk Into competitive Advantage
Financial services run on sensitive data. AI is now in fraud detection, underwriting, risk modelling, and customer service, raising both upside and risk. Institutions...
View More
September 30, 2025
Securiti and Databricks: Putting Sensitive Data Intelligence at the Heart of Modern Cybersecurity
Securiti is thrilled to partner with Databricks to extend Databricks Data Intelligence for Cybersecurity. This collaboration marks a pivotal moment for enterprise security, bringing...
Please enter a minimum of 3 characters to begin your search.

Type

Videos
View More
January 20, 2025
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
January 15, 2025
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
January 2, 2025
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
December 24, 2024
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
November 1, 2024
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
October 29, 2024
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
August 12, 2024
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
June 3, 2024
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
January 29, 2024
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
October 17, 2023
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 50:52
From Data to Deployment: Safeguarding Enterprise AI with Security and Governance
Watch Now View
Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Latest
View More
February 24, 2026
Introducing Agent Commander
The promise of AI Agents is staggering— intelligent systems that make decisions, use tools, automate complex workflows act as force multipliers for every knowledge...
Risk Silos: The Biggest AI Problem Boards Aren’t Talking About View More
February 18, 2026
Risk Silos: The Biggest AI Problem Boards Aren’t Talking About
Boards are tuned in to the AI conversation, but there’s a blind spot many organizations still haven’t named: risk silos. Everyone agrees AI governance...
Largest Fine In CCPA History_ What The Latest CCPA Enforcement Action Teaches Businesses View More
February 23, 2026
Largest Fine In CCPA History: What The Latest CCPA Enforcement Action Teaches Businesses
Businesses can take some vital lessons from the recent biggest enforcement action in CCPA history. Securiti’s blog covers all the important details to know.
View More
February 19, 2026
AI & HIPAA: What It Means and How to Automate Compliance
Explore how the Health Insurance Portability and Accountability Act (HIPAA) applies to Artificial Intelligence (AI) in securing Protected Health Information (PHI). Learn how to...
Indiana, Kentucky & Rhode Island Privacy Laws View More
March 2, 2026
Indiana, Kentucky & Rhode Island Privacy Laws: What Changed & What Businesses Should Do Now
A breakdown of new data privacy laws in Indiana, Kentucky, and Rhode Island—key obligations, consumer rights, enforcement timelines, and what businesses should do now.
Consent-Aware GenAI: Enterprise Blueprint View More
March 2, 2026
Consent-Aware GenAI: Enterprise Blueprint
Download the whitepaper to learn how to align AI use with consent, prevent purpose creep, and operationalize governance controls for safe, scalable GenAI.
Agentic AI Security: OWASP Top 10 with Enterprise Controls View More
March 2, 2026
Agentic AI Security: OWASP Top 10 with Enterprise Controls
Map the OWASP Top 10 risks for agentic AI to enterprise-grade controls, identity, data security, guardrails, monitoring, and governance to stop autonomous AI abuse.
View More
February 24, 2026
Strategic Priorities For Security Leaders In 2026
Securiti's whitepaper provides a detailed overview of the three-phased approach to AI Act compliance, making it essential reading for businesses operating with AI. Category:...
View More
February 18, 2026
Take the Data Risk Out of AI
Learn how to prepare enterprise data for safe Gemini Enterprise adoption with upstream governance, sensitive data discovery, and pre-index policy controls.
View More
December 22, 2025
Navigating HITRUST: A Guide to Certification
Securiti's eBook is a practical guide to HITRUST certification, covering everything from choosing i1 vs r2 and scope systems to managing CAPs & planning...
What's
New