Guides developers on Thailand PDPA compliance: consent framework, DPO requirements, lawful processing bases, cross-border transfers, data subject rights.

`npx claudepluginhub mukul975/privacy-data-protection-skills --plugin global-privacy-regulations-skills`
Thailand's Personal Data Protection Act B.E. 2562 (PDPA), published in the Royal Gazette on 27 May 2019, became fully effective on 1 June 2022 after two postponements from the original 2020 effective date. The PDPA applies to the collection, use, and disclosure of personal data by data controllers and data processors in Thailand, and extraterritorially where activities target data subjects in Thailand (Section 5).

The Personal Data Protection Committee (PDPC, คณะกรรมการคุ้มครองข้อมูลส่วนบุคคล) is the supervisory authority established under Section 8. The Office of the Personal Data Protection Committee (OPDPC) serves as the operational secretariat.

| Basis | Section | Detail |
|---|---|---|
| Consent | Section 19 | Explicit consent; freely given, specific, informed; written or electronic; may be withdrawn at any time |
| Contract performance | Section 24(3) | Necessary for performance of a contract to which the data subject is a party |
| Vital interests | Section 24(4) | Necessary to prevent or suppress danger to life, body, or health |
| Public task | Section 24(4) | Necessary for public interest tasks or exercise of official authority |
| Legitimate interest | Section 24(5) | Legitimate interests of the controller or third party, balanced against data subject's fundamental rights |
| Legal obligation | Section 24(6) | Compliance with a law to which the controller is subject |
| Archiving/research | Section 24(1) | Necessary for archiving, research, or statistics in the public interest with appropriate safeguards |

Sensitive data categories: racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal records, trade union membership, genetic data, biometric data, health data, disability data, sexual orientation, and any other data prescribed by the PDPC.

Processing requires explicit consent unless:

| Requirement | Detail |
|---|---|
| Explicit | Must be an express statement or conduct clearly indicating agreement |
| Freely given | Must not be a condition of service where unnecessary; no bundling with T&Cs (Section 19(4)) |
| Specific | Consent per purpose; blanket consent is invalid |
| Informed | Full disclosure of purpose, data items, recipients, retention period |
| Written or electronic | Written request for consent must be clear, not misleading, easily accessible |
| Withdrawal | Data subject may withdraw at any time; withdrawal must be as easy as giving consent (Section 19(5)) |
| Children | Under 10 years: consent from parent/legal guardian; 10 years and above: may consent if age-appropriate understanding demonstrated |
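
The consent rules in the table above, expressed as a small policy-enforcing ledger. This is an added example, not code from the skill or from the PDPA text; the class and field names are assumptions, and the set of registered purposes stands in for the processing register (ROPA):

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Disclosure items the "Informed" row requires before consent is asked for.
REQUIRED_DISCLOSURE = ("purpose", "data_items", "recipients", "retention_period")

@dataclass
class Consent:
    subject_id: str
    purpose: str                      # one purpose per record ("Specific" row)
    disclosure: dict                  # what the subject was shown when asked
    granted_at: datetime
    subject_age: int
    guardian_id: str | None = None    # mandatory below age 10 ("Children" row)
    bundled_with_terms: bool = False  # True would violate "Freely given"
    withdrawn_at: datetime | None = None

class ConsentLedger:
    def __init__(self, registered_purposes: set[str]):
        # Purposes come from the ROPA (Section 39); unregistered or catch-all purposes are refused.
        self.purposes = registered_purposes
        self.records: list[Consent] = []

    def grant(self, c: Consent) -> None:
        if c.purpose not in self.purposes:
            raise ValueError(f"unregistered or blanket purpose: {c.purpose!r}")
        if c.bundled_with_terms:
            raise ValueError("consent bundled with T&Cs is not freely given")
        missing = [k for k in REQUIRED_DISCLOSURE if not c.disclosure.get(k)]
        if missing:
            raise ValueError(f"consent is not informed, missing: {missing}")
        if c.subject_age < 10 and not c.guardian_id:
            raise ValueError("subject under 10: parent/guardian consent required")
        self.records.append(c)

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> bool:
        # One call at the same granularity as grant: withdrawing is as easy as giving.
        hits = [r for r in self.records
                if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None]
        for r in hits:
            r.withdrawn_at = at
        return bool(hits)

    def may_process(self, subject_id: str, purpose: str, at: datetime) -> bool:
        # Consent is a valid basis only in the window between grant and withdrawal.
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.granted_at <= at and (r.withdrawn_at is None or at < r.withdrawn_at)
                   for r in self.records)
```

Records are never deleted on withdrawal, so the ledger doubles as the evidence trail for when consent existed and when it ended.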

| Processing Activity | Consent Type | Mechanism |
|---|---|---|
| Customer freight services | Contract performance (Section 24(3)) — consent not required | N/A |
| Marketing communications | Explicit consent (Section 19) | Opt-in checkbox in Thai and English |
| Employee health data processing | Explicit consent for sensitive data (Section 26) | Written consent form at onboarding |
| Cross-border transfer to EU HQ | Explicit consent with transfer disclosure (Section 28) | Dedicated transfer consent form |

The PDPC Notification on DPO Appointment Criteria (2022) requires a DPO when:

| Responsibility | Detail |
|---|---|
| Advise on compliance | Advise the controller/processor on PDPA compliance obligations |
| Monitor compliance | Monitor compliance with the PDPA and internal policies |
| Audit coordination | Cooperate with the OPDPC; act as the contact point for the OPDPC |
| Confidentiality | Maintain confidentiality of personal data accessed in the course of duties |
| Independence | Must be able to perform duties independently; no dismissal for performing duties |

| Element | Detail |
|---|---|
| DPO (Thailand) | Siriporn Chaiyaporn, Compliance Manager — Bangkok office |
| Contact | dpo-thailand@zenithglobal.co.th |
| Reporting line | Reports to Chief Privacy Officer; independent reporting access to Board of Directors |

Personal data may be transferred to a foreign country or international organisation only if:

| Condition | Section | Detail |
|---|---|---|
| Adequate protection | Section 28(1) | Destination has adequate personal data protection standards as determined by the PDPC |
| Compliance with group rules | Section 28(3) | Transfer within a group of undertakings conducting business together, with appropriate data protection policies inspected and certified by the OPDPC (BCR equivalent) |
| Contract necessity | Section 28(4)(a) | Necessary for contract performance with the data subject |
| Consent | Section 28(4)(b) | Data subject's consent after being informed of inadequate standards |
| Vital interests | Section 28(4)(c) | Necessary to prevent or suppress danger to life, body, or health |
| Legal obligation | Section 28(4)(d) | Necessary for important reasons of public interest |
| Legal claims | Section 28(4)(e) | Necessary for establishing, exercising, or defending legal claims |
| Appropriate safeguards | Section 28(2) | Appropriate protection measures prescribed by the PDPC are in place |

As of March 2026, the PDPC has not published a formal list of adequate countries. Transfers primarily rely on consent, contract necessity, or appropriate safeguards.

| Right | Section | Response Deadline | Implementation |
|---|---|---|---|
| Right of access | Section 30 | Within 30 days | Privacy portal in Thai and English |
| Right to data portability | Section 31 | Within 30 days | Structured format (JSON/CSV) |
| Right to object | Section 32 | Without unreasonable delay | Objection mechanism in customer portal |
| Right to erasure | Section 33 | Without unreasonable delay | Automated deletion with legal hold check |
| Right to restriction | Section 34 | Without unreasonable delay | Processing flagging system |
| Right to rectification | Section 35 | Without unreasonable delay | Self-service correction in portal |
| Right to withdraw consent | Section 19(5) | Without unreasonable delay | One-click withdrawal mechanism |

| Element | Requirement |
|---|---|
| OPDPC notification | Within 72 hours of becoming aware of the breach |
| Data subject notification | Without delay if the breach is likely to affect rights and freedoms |
| Content | Nature of breach, DPO contact, likely consequences, remedial measures |
| Cross-border | Notify the OPDPC even if the breach occurred outside Thailand if Thai data subjects are affected |

| Component | Detail |
|---|---|
| DPO | Siriporn Chaiyaporn, Bangkok office |
| Privacy notice | Published at zenithglobal.co.th/privacy in Thai and English |
| Consent management | Platform with Thai language support; separate consent per purpose |
| ROPA | Processing activities register maintained per Section 39 |
| Breach notification | 72-hour workflow to OPDPC; data subject notification procedure |
| Cross-border safeguards | Consent-based transfers with disclosure; intra-group policy for headquarters transfers |
| Employee training | Annual PDPA training for all Thailand employees |
| Data subject rights | 30-day response workflow via privacy portal |