PDPA Compliance

Configure your forms for Thailand's Personal Data Protection Act.

What is the PDPA?

The Personal Data Protection Act B.E. 2562 (PDPA) is Thailand's first comprehensive data protection law. Passed in 2019 and fully enforced since 1 June 2022, it governs the collection, use, and disclosure of personal data of individuals in Thailand. The law is modeled after the EU's GDPR but includes Thai-specific provisions around consent exceptions, sensitive data categories, and criminal penalties.

The PDPA applies to any organization that collects or uses personal data of individuals located in Thailand, regardless of where the organization is based. If your web form is accessible to people in Thailand and you collect their personal data, the PDPA applies to you.

Enforcement is handled by the Personal Data Protection Committee (PDPC), which has the authority to investigate complaints, conduct audits, and impose administrative fines.

The PDPA consent model

Like the GDPR, the PDPA follows an opt-in model — you must obtain consent before collecting personal data. This is the opposite of the CCPA's opt-out approach.

The PDPA does allow collection without consent in specific situations:

Legitimate interests — the data controller has a legitimate interest that does not override the data subject's rights.
Vital interests — necessary to protect someone's life, body, or health.
Contractual necessity — required to perform a contract the data subject is a party to.
Legal obligations — required by Thai law.
Public tasks — carried out in the public interest or under official authority.
Research and statistics — historical, scientific, or statistical research with appropriate safeguards.

However, web forms are voluntary submissions. When someone fills out a contact form, newsletter signup, or feedback form, none of these exceptions typically apply. The person is choosing to provide their data, and you need their explicit consent to collect and process it.

Key difference from GDPR: Under the PDPA, consent must be given as an "explicit written statement or through an electronic system." A pre-checked checkbox does not count. The data subject must take a clear, affirmative action — which is exactly what FormBlade's consent checkbox requires.

What the PDPA preset configures

Setting	Value	Why
Consent checkbox	Required	The PDPA requires explicit consent before collecting personal data through voluntary channels like web forms.
IP anonymization	Enabled	IP addresses are personal data under the PDPA. Anonymizing them reduces your compliance burden and limits exposure in the event of a data breach.
User-agent storage	Enabled	Browser metadata is useful for troubleshooting and is not considered sensitive under the PDPA, provided it is disclosed in your privacy notice.
Data retention	365 days	The PDPA requires that data not be kept longer than necessary. One year is a reasonable retention period for form submissions and gives you a concrete number to cite in your privacy notice.
Privacy policy URL	Required	Section 23 of the PDPA mandates a privacy notice at or before the time of data collection. The privacy policy URL field ensures the link is visible on your form.

Set up the PDPA preset

Account level

Go to Account Settings in the sidebar.
Scroll to Compliance.
Select PDPA (Thailand) from the dropdown.
Click Save.

Per form

Open the form in your dashboard.
Go to the Compliance tab.
Select PDPA (Thailand) from the preset buttons or region dropdown.
Click Save.

Privacy notice requirements (Section 23)

The PDPA requires you to provide a privacy notice to data subjects at or before the time you collect their personal data. This is not optional — it is a standalone legal requirement separate from obtaining consent. Your privacy notice must include:

Purpose of collection — why you are collecting the data (e.g., "to respond to your inquiry" or "to send you our newsletter").
What data is collected — the specific categories (e.g., name, email address, phone number, message content).
Retention period — how long you will keep the data. FormBlade's 365-day default gives you a specific timeframe to cite.
Rights of the data subject — a summary of their rights under the PDPA (access, correction, deletion, portability, objection, withdrawal of consent).
Contact details of the data controller — your organization's name and contact information, including the contact details of your Data Protection Officer (DPO) if you have one.
Third parties — if you disclose data to any third parties (including service providers like FormBlade), state who they are and why.

Link your privacy notice from every page that contains a form. In FormBlade, add the URL in the form's Privacy policy URL field — the PDPA preset makes this field mandatory.

Practical tip: Thai law does not prescribe a specific format for the privacy notice, but it must be written in clear, understandable language. If your audience is Thai, provide the notice in Thai. If your form targets international users, include both Thai and English versions.

Sensitive data under the PDPA

The PDPA defines a specific list of sensitive personal data categories that require explicit consent with no exceptions. Unlike general personal data (where legitimate interests or contractual necessity can justify collection without consent), sensitive data always requires consent, period:

Race and ethnicity
Political opinions
Religious or philosophical beliefs
Criminal records
Health data
Disability information
Trade union membership
Genetic data
Biometric data
Sexual orientation

Warning: If any of your form fields collect data in these categories — for example, a medical intake form asking about health conditions, or an application form asking about religious affiliation — you must obtain explicit consent specifically for those fields. A general consent checkbox may not be sufficient. Consider adding a separate, clearly worded consent statement that specifically names the sensitive data being collected and the purpose for collecting it.

Data subject rights

The PDPA grants individuals six core rights. You must be prepared to respond to any of these within 30 days of receiving a request:

Right of access (Section 30)

Individuals can request a copy of the personal data you hold about them. Export the relevant submissions as CSV from the FormBlade dashboard and provide them to the requester.

Right to correction (Section 35)

Individuals can request that inaccurate or incomplete data be corrected. You can edit submission data directly in the dashboard.

Right to deletion (Section 33)

Individuals can request that their personal data be deleted when it is no longer necessary for the purpose it was collected, when they withdraw consent, or when the data was collected unlawfully. Search for the individual's submissions by email or name in the dashboard and delete all matching records.

Right to data portability (Section 31)

Individuals can request their data in a structured, commonly used, machine-readable format. The CSV export in FormBlade satisfies this requirement.

Right to object (Section 32)

Individuals can object to the processing of their data where it is based on legitimate interests or a public task. If you rely on consent (which you should for web forms), this right is less relevant — withdrawal of consent (below) is the applicable mechanism.

Right to withdraw consent (Section 19)

Individuals can withdraw their consent at any time. When they do, you must stop processing their data and inform them of the consequences of withdrawal. Withdrawing consent does not affect the lawfulness of processing that occurred before the withdrawal.

Cross-border data transfers

The PDPA restricts the transfer of personal data to other countries. If you use FormBlade to collect data from individuals in Thailand, the data is stored on servers that may be located outside Thailand. Under Section 28, you can only transfer personal data to a country that has adequate data protection standards as determined by the PDPC.

Transfers are permitted when:

The destination country has adequate protection standards (the PDPC maintains this list).
The transfer is necessary for the performance of a contract to which the data subject is a party.
The data subject has given explicit consent after being informed that the destination country may not have adequate standards.
The transfer is necessary to protect vital interests.
The data controller has appropriate safeguards in place (e.g., binding corporate rules, standard contractual clauses).

In practice, if your form includes a privacy notice that discloses where data is stored and the data subject consents to the collection, you have a defensible basis for the transfer. Still, mention the storage location explicitly in your privacy notice.

Penalties

The PDPA has some of the most severe penalties in Southeast Asia, combining administrative, criminal, and civil consequences:

Administrative fines — up to 5 million THB (approximately $140,000 USD) per violation, imposed by the PDPC.
Criminal penalties — up to 1 year imprisonment and/or fines up to 1 million THB for unauthorized use or disclosure of personal data, particularly sensitive data. Criminal liability applies to individuals, not just organizations.
Punitive damages — courts can award punitive damages of up to twice the actual damages suffered by the data subject.

The combination of criminal and administrative penalties makes the PDPA notably stricter than the CCPA (which has no criminal provisions) and comparable to the GDPR in overall enforcement power, though with lower absolute fine amounts.

Note: The criminal penalties under the PDPA are unusual among data protection laws worldwide. Most privacy frameworks impose only civil or administrative sanctions. If you handle personal data of individuals in Thailand, take the PDPA seriously — non-compliance is not just a financial risk.