What You Need to Know
Thailand's Personal Data Protection Act (PDPA) came into full effect in May 2022. It requires organisations to securely destroy personal data when it is no longer needed, including data stored on hardware. This guide explains what that means in practice, what the penalties are for non-compliance, and what a compliant destruction process looks like.
What Is Thailand's PDPA?
The PDPA governs how organisations and individuals collect, store, use, and dispose of personal data. It applies to any organisation handling data about Thai residents, whether a Thai or foreign company.
What Counts as Personal Data Under PDPA?
Name, ID card number, address, phone, email, financial data, health data, photos, biometric data, device data, login credentials, browsing history. Anything that can directly or indirectly identify a person.
What Does PDPA Say About Data Disposal?
Organisations must ensure personal data is destroyed or anonymised when no longer needed. Deleting files or formatting does not meet the standard. A documented, auditable process is required.
Penalties: up to ฿5 million administrative fine. Criminal liability for directors in serious cases.
What This Means When You Dispose of Hardware
Every device that ever stored personal data must be securely wiped or physically destroyed before disposal. The organisation remains liable until destruction is documented. A Certificate of Data Destruction is the standard way to demonstrate compliance.
Common Questions
Is deleting files enough? No. Deleted files are recoverable with standard software.
Is formatting a drive enough? No. Formatting does not overwrite existing data.
Does PDPA apply to small businesses? Yes, with limited exceptions.
Does PDPA apply to foreign companies in Thailand? Yes, if they handle data about Thai residents.
I'm an individual. Does this apply to me? Not legally, but your personal data is still at real risk.
Questions?
Get in touch on LINE, WhatsApp, or request a quote.