Thailand’s Personal Data Protection Act: How Employers Should Approach the Law

When employees join a company or organization, they are often required to share personal data with their employers as part of the latter’s due diligence process. Employers may even collect personal data from employees long after they have been hired for a number of reasons, including research, security, and keeping track of work processes. While employers have legitimate motives for collecting employees’ personal data, there is still a possibility of abusing or misusing the data collected.

The Thai government introduced the Personal Data Protection Act in the middle of last year as a way of governing how personal data is collected and used by data controllers. While the Act has already been promulgated, its main provisions will take effect after a one-year grace period, on 27th May 2020. This means that all stakeholders who collect personal data, including employers, will soon be obligated to fulfil the duties and obligations set out in the legislation. It is therefore important for employers and employees to understand the Act’s provisions before they take effect.

Though the Act does not specifically address the duties of employers in terms of data collection, Section 6 states that “a person or juristic person [who] has the power and duty to make decisions regarding the collection, use, or disclosure of personal data”[1] is considered a data controller. This means that employers who collect personal data from employees are subject to the provisions laid out in Chapters 2 and 3 of the Act.

What are employers’ duties in terms of collecting employees’ personal data?

The Act states that “the collection of personal data shall be limited to the extent necessary in relation to the lawful purpose of the data controller,”[2] meaning employers are not permitted to collect unnecessary data from their employees. It is also stipulated that data must be collected solely from the employees themselves,[3] and that collecting data regarding an employee’s race, ethnic background, political opinion, religious affiliation, sexual orientation, and biometric data, among others, is prohibited unless the employee consents to providing this information in accordance with Section 26.[4] However, given that employers are required by other legislation, such as labor protection and social security laws, to collect the aforementioned data, it is understood that the employee consents to providing this personal information upon signing an employment contract with the employer.

Likewise, employers should note that they are required to make an explicit request for consent prior to collecting sensitive data from employees unless certain circumstances apply, such as the need to suppress bodily harm. The request must clarify what information will be collected, the purpose of collecting it, the period for which the data will be held, and whether or not the data may be disclosed. Employers should also note that employees have the right to withdraw their consent at any time.[5]

Employers must also put appropriate security measures in place to prevent the unauthorized loss, alteration, or disclosure of employees’ personal data, and must report any security breach to the Office of the Personal Data Protection Committee within 72 hours of becoming aware of it. They must also implement procedures for destroying personal data when the retention period is over, when the data is no longer necessary, or when the employee requests its destruction.[6]

What rights do employees have regarding personal data?

Employees have the right to request access to personal data that relates to them, and employers are obligated to fulfil such a request except where the rights of others would be adversely affected or where the law permits the request to be refused.[7] The data must be provided in a format that is legible to the employee and in a form that is commonly used, meaning it can be handed over using digital tools.[8]

Employees also have the right to object to the collection, use, or disclosure of their own personal data where there are compelling grounds for doing so under the law. They likewise have the right to restrict the use of their personal data, or to request its destruction, if they consider that it is no longer necessary for the employer to hold it or if they object to its proposed use.[9]

What are the liabilities for non-compliance?

Failure to comply with the provisions of the Act, whether intentional or unintentional, will require the employer to compensate the employee for the damage caused, including all expenses borne by the employee to remedy the damage, in addition to punitive damages. Exceptions are made for violations that occur by order of a government official acting under the law, through force majeure, or through the employee’s own negligence.[10]

An employer whose violation of the Personal Data Protection Act damages an employee’s reputation will be punished with imprisonment for a maximum period of six months and/or a fine not exceeding 500,000 Baht. If the court finds that the violation was committed in order to unlawfully benefit the employer, the penalty rises to imprisonment for one year and/or a fine of 1 million Baht. The Act additionally provides that offenses under Section 79 are compoundable.[11] Violating the Act can also incur administrative fines ranging from 500,000 Baht to 5 million Baht, depending on the specific violation.[12]

While collecting personal data about employees may be necessary, employers must be mindful of the way in which they do so in order to avoid civil, criminal, and administrative liability. Silk Legal therefore strongly recommends that employers review their existing HR policies and procedures relating to the collection of data to ensure they comply with all provisions of the Act. For any doubts or questions about the Personal Data Protection Act, please feel free to contact Silk Legal for further information or assistance.

[1] Section 6, “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at

[2] Section 22, “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at

[3] Section 25, “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at

[4] Section 26, “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at

[5] Section 19, “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at

[6] Section 37, “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at

[7] Section 30, “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at

[8] Section 31, “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at

[9] Sections 33 and 34, “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at

[10] Sections 77 and 78, “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at

[11] Section 79, “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at

[12] Sections 82–90, “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at