Thailand PDPA Service for International Schools


Number One  PDPA Privacy Partner Of Choice

Relentless PDPA Service For International Schools

Opt In

15 + 3 =

Relentless Privacy and Compliance Services at Your Service

Implementing PDPA and being compliant in time for the 27th May deadline can be daunting. But with a well planned out  privacy program program  compliance by the 27th May is still achievable. 

 At Relentless we have designed a PDPA assessment / implementation plan that is built from the ground up at every department level to meet the complex needs and operations of the school. The service contains the following elements 

  • PDPA Privacy assessment built on Internationally recognised standards
  • Full gap analysis and remediation report
  • Full data discovery and data mapping of all personal data processing activities
  • Register of processing activities including lawful basis and retention periods
  • PDPA Training  Customised  to school operations
  • Ongoing Outsourced DPO (Data Protection Officer) services available.
  • We have native Thai speaking staff 
  • We also cover GDPR for recruitment of  UK staff and EU  Alumni data processing 

Relentless PDPA Service has you covered!

Thailand’s Personal Data Protection Bill was approved by the National Legislative Assembly on 28 February 2019 and, after being signed and endorsed by the monarch

We asked Robert to come in and do an audit for us in the lead up the introduction of PDPA in Thailand. He spent a week with us and was forensic in his approach. His report has left us a lot to think about and act upon. Compared to other firms offering the same thing, the price was very reasonable and they have experience in the SE Asia market, so the advice is refreshingly specific rather than generic. I wouldn’t hesitate to recommend Relentless Privacy Services. Dr T. J. Jefferis, Second Master

Dr Tim Jefferis

Second Master, Harrow International School Bangkok

What are the PDPA 7 Key Factors

A summary of the seven key things you should know about the PDPA key points is as follows:

(1) Personal Data. The PDPA governs any data of a living  person that could identify that person directly or indirectly. For example, any personal data of an individual handled by the school, including student data, parent  data, staff data, shareholders, contractors, suppliers, seminar and market survey participants, and data involving customer complaints and inquiries would be subject to the PDPA.

(2) Players. The Personal Data Protection Committee will be established to set out further sub-regulations and protect the rights of the data subjects. Any entities collecting, using, disclosing and/or transferring personal data will be required to comply with the PDPA as a data controller and/or a data processor (which have different roles and obligations).

(3) Applicability. The PDPA has extraterritorial applicability. Thus, data controllers and data processors both in and outside of Thailand could be subject to the PDPA.

(4) Legal basis. In order to collect, use, disclose and/or transfer personal data, the data controller has to rely on legal basis, which could be consent or other exemptions (e.g., vital interest, public interest, legal obligations, and legitimate interest).

(5) Personnel. The data controller and the data processor could be required to appoint a data protection officer and a representative in Thailand, which subject to future sub-regulations.

(6) Rights of data subjects. The data controller has to guarantee the rights of the data subjects.

(7) Penalties. The PDPA imposes penalties for non-compliance. It is punishable with administrative fines (up to THB 5 million), criminal penalties (imprisonment up to one year and/or fines up to THB 1 million), and punitive damages up to twice the amount of the actual damages. Furthermore, civil damages under the PDPA can be multiplied as Thailand now allows data subjects to bring a class action lawsuit. The director of a school could also be subject to penalties under the PDPA.

Who Does the PDPA Apply To

The Data Administrator shall only obtain the data directly from the data subject.

The Data Administrator must inform the data subject of the purpose of collecting the data, what data is to be collected, and to
whom the data will be disclosed.
Additionally, the request for consent must be clearly separated from other messages. The message must be delivered in a format
which is easily accessible and understandable, using language that is easy to understand. The message should not be misleading or
cause data subjects to misunderstand the purpose of collecting the data. The Commission may require the Data Administrator to
request consent from the data subject in accordance with any announcement that the board may make from time to time.

The Thailand PDPA does not provide a specific definition of “sensitive data.” However, according to the PDPA, it is prohibited to
collect information related to ethnicity, political opinions, religious beliefs, sexual orientation, criminal history, health information,
disability, trade union information, genetic data, biological data or any other information that affects the data subject in the same
way, unless there are specific laws which stipulate otherwise, e.g. for the protection of health or physical condition of the data

The PDPA does allow, in some limited circumstances, for an exemption to the requirement to obtain consent from the data
subject where the data is collected from another Person who is not the data subject.
In obtaining consent from the owner of the Personal Data, the Data Administrator must take into account the absolute
independence of the owner of the personal information in giving the consent. In entering into a contract, including to provide any
services, there must not be any condition for consent to be granted to collect, use or disclose personal information that is not
necessary or relevant to entering into such contract or services.

What is the Scope of the PDPA

Scope of Applicability

The PDPA shall not apply to personal or household activities.
In terms of territory, the PDPA will apply to:

• Any Data Controller or Data Processor residing in Thailand, regardless
of whether or not the acquisition, usage or disclosure of the data is
carried out in Thailand;

• in the case that the Data Controller or the Data Processor resides
outside of Thailand, if the subject of the aforesaid activities is data
belonging to a person residing in Thailand, the PDPA shall apply only
a: goods or services are being offered to such persons,
regardless of whether any payment is involved; and

        b: behavior surveillance activities of such persons take place
            within Thailand.

Are Data Processing Officers (DPOs) a Requirement

Common duties: Data Protection Officers (“DPO”)

Similar to the GDPR, both the Data Controller and the Data Processor are
required to appoint a DPO to inspect their handling of Personal Data. The
types of organizations that are required to have a DPO are:
• a governmental body designated by the Commission;
• an organization wherein the activities of the Data Controller/Data Processor consist of collecting, using and disclosing Personal Data by
virtue of the organization’s nature, or it requires routine monitoring due to the large scale of Personal Data being controlled or processed.
However, the threshold of such scale remains to be prescribed by subordinated regulations; and
• an organization of which the core activities involve collecting, using and
disclosing sensitive Personal Data.

What qualifications does a DPO need to have? Do I need to hire them? Their qualifications are to be announced by subordinated regulations.
However, considering that their duties are, for example, to provide advice to the Data Controller and the Data Processor in matters of compliance with PDPA and be the “contact persons” of the organization with regards to personal data protection matters, expertise and specialization in personal data protection matters is crucial. A DPO can be an internal staff of the Data Controller or the Data Processor,
or they can be an outsourced person.

What are the penalties?

Civil Liability

  • Actual damages
    If the Data Controller or the Data Processor carries on any action that does
    not comply with the PDPA and such action damages the Personal Data
    owner, regardless of whether such noncompliance was carried on
    intentionally or negligently, the Data Controller and Data Processor shall be
    liable for actual damages arising therefrom, except where they can prove
    that (i) the damages were a result of force majeure, or by actions of the data
    owner; or (ii) the non-compliant act was a carried out in order to comply with
    an official’s lawful order.
  • Punitive damages
    Under the PDPA, the court is also empowered to order the Data Controller
    or the Data Processor to pay “punitive damages” in addition to actual
    damage. Such punitive damages shall not exceed two times the actual
    damages owed. Factors that the court will take into consideration when
    considering whether to order the punitive damages are, for example,
    financial status of the Data Controller or the Data Processor, and/or the
    extent of participation/involvement of the Data Controller or Data Processor
    in the act that resulted in causing such damage.
  • Penal Penalties
    Failure to comply with the PDPA may result in penalties being imposed on
    both the entity and any directors who collaborate to commit the offence or do
    not reasonably manage to prevent such offence. Such penalties include both
    fines and imprisonment.
    Administrative Penalties
    Administrative penalties in the case of violation of the PDPA shall not be in
    excess of THB 500,000, or not in excess of THB 5 million, depending on the
    severity and type of violation.
What are the requirements for data processing?

Other than ensuring that the Personal Data’s owners are accorded to their
rights discussed in the topic above, a Data Controller is also required to
perform the following:

  • implement suitable measures to prevent loss, unauthorized access,
    alteration or disclosure of Personal Data. However, what shall count as
    “suitable measures” will be prescribed by the subordinated regulations,
    which are yet to be issued
  • ensure that a third party who is not a Data Controller that acquires the
    Personal Data does not use or disclose the Personal Data wrongfully, or
    without authorization;
  • maintain written records relating to processing activities, that can be
    inspected by data owners;
  • delete Personal Data when the storage period expires, or the Personal
    Data is no longer relevant, exceeds the scope of necessity or consent is
    withdrawn; and
  • notify the commission within 72 hours in case of a data breach, except
    in cases where such breach will not have a detrimental effect to the
    rights of the individual. If the breach will adversely affect the Personal
    Data owner, the Personal Data owner must also be notified and be
    presented with compensation measures.

Specific Duties for Data Processor

Other than the Data Processor’s duty not to use Personal Data in manners
that are not lawfully instructed by the Data Controller, the PDPA also
requires the Data Processor to:

  • implement suitable measures for preventing loss, unauthorized access,
    alteration or disclosure of Personal Data; and
  • maintain written records for processing activities that can be inspected
    by the data owners.

Relentless Data Mapping

Our privacy platform automates your data mapping 

Relentless Your PDPA Partner of Choice

Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity assessments to companies  of all sizes. Unlike traditional compliance firms, we don’t have four or five layers of management. Through the use of technology and our centralized, streamlined structure, we are able to serve our clients in the timeliest manner and with the highest level of efficiency. And because of our unique model and approach, we are able to deliver this exceptional service at highly competitive rates.

We have 20+ years of compliance and assurance experience and are committed to providing a personalized and responsive service.

With a tailor made approach, we work with our clients in executing each project to their specific need and help maximize the long term business value of their compliance and privacy assurance strategies ensuring their global operations remain  within the law.

Relentless PDPA Service What's Included?

Our PDPA Service Includes the Following

  • PDPA Assessment
  • Dedicated DPO
  • Unlimited Support Calls
  • Unlimited Email Support
  • Data  Mapping
  • Record of Processing Activities
  • Subject Access Request  Service
  • Data Risk Assessments
  • Data Breach Support
  • Data Protection Policy Writing
  • PDPA Framework Design
  • PDPA Privacy Maturity Gap Analysis and Remediation Report

PDPA Enquiry

PDPA Enquiry


1 + 13 =

Privacy Preference Center