
Thailand PDPA and how it affects the Thai Hotel and Hospitality Industry


People are, without a doubt, the very livelihood of the hotel and hospitality industry. From patrons to employees, hotels and hospitality businesses rely heavily on their relationships with both. This inevitably involves acquiring and managing personal data.

While personal data can be a potent marketing tool and one of the keys to building and maintaining long-term relationships with staff and guests, it can also lead to major business losses if that personal data is not managed according to the laws set out by Thailand’s PDPA.


How hotels and hospitality businesses should understand Thailand PDPA


Before 2019, there was no law in Thailand which protected the personal data people shared with businesses, including hotels. A person who wanted to protect the acquisition, storage and management/distribution of their data had to base a claim on the doctrine of wrongful act, on contract, or on specific sections of the Criminal Code.

All this has changed now, thanks to Thailand passing the Personal Data Protection Act (PDPA). The act is quite similar to the EU’s General Data Protection Regulation (GDPR) law. If you’re familiar with GDPR, then you’ll have little trouble understanding why PDPA is so nuanced and detailed compared to other Thai statutes.

However, in this article, we will be covering only some of the PDPA basics that hotel and hospitality business owners should be aware of.


Is your hospitality business PDPA compliant?


To familiarize you with PDPA, let’s cover some basics:


The PDPA’s scope


The PDPA applies to all personnel involved in receiving, storing or disclosing the data subjects’ (hotel guests) personal data. This would typically be a Data Controller, Data Processor or Data Protection Officer (DPO).

Specific compliance measures must be put in place by all hotel, hospitality business or resort owners who receive, store and/or disclose large quantities of data as part of day-to-day business activities. It’s probably fair to say that all businesses in the hotel and hospitality sector do this every day.


Exclusions from the PDPA Act


PDPA is not applicable when it comes to acquiring, using, or disclosing data for mass media marketing, state security, Parliament or courts’ proceedings, or by the credit bureaux.


Territorial scope


The Act outlines complex rules that apply when data is collected, stored, used or managed by the hotel’s DPO or Data Controller outside Thailand.


The hotel’s data controller’s duties under the PDPA


It is the data controller’s duty to inform the data owner (hotel guest) of the following before attempting to collect any personal data:

  • The purpose for collecting personal data
  • The kinds of personal data that will be collected and the required duration
  • Third parties with whom the data will be shared
  • Information and contact details of the designated Data Controller
  • All the respective rights of the data owner as outlined by the PDPA – this includes the right to withdraw consent for personal data sharing and the right to access, delete or anonymize personal data.

Furthermore, consent of the data owner/subject must be acquired electronically or through a written statement. This consent needs to be clear and explicit and must not be ambiguous in nature, and it must be acquired before or while personal data is being collected.

After collecting the required personal data, the data controller must also follow through in the following ways:

  • Process, use or disclose personal data only according to the purpose explained to the data owner (Section 21);
  • Avoid collecting personal data indirectly from sources other than the data owner (Section 25) – however, this is subject to a few exceptions;
  • Implement appropriate measures to prevent the unauthorized access, theft, loss, disclosure or modification of personal data;
  • See to it that third parties with whom personal data is shared do not use or disclose the data without authorization, or in a way that is wrongful or not in line with both the PDPA and the data owner’s consent;
  • Appropriately delete personal data after the prescribed storage period ends, when it is no longer needed or relevant, when it exceeds the purpose of consent and/or necessity, or when the data owner withdraws consent;
  • Notify the appropriate government bodies as prescribed by the Ministry of Digital Economy and Society (MDES) within 72 hours in the event of a data breach that would have a highly undesirable impact on the data owner’s rights (Section 37).

Here are some examples where a Data Controller is not required to obtain consent:

  • Preparation of historical documents/public archives for research or statistical purposes, as long as the appropriate safeguards to protect the data owner’s rights have been put in place;
  • Reducing or eliminating any harm or danger to any person’s health, body or life;
  • Executing the performance of a contract to which the data owner is a party, or taking specific steps at the data owner’s request before entering into a contract;
  • Executing an act performed in the interest of the public, or for exercising authoritative duties vested in the Data Controller;
  • Where any legitimate concerns or interests of the Data Controller are involved, except where such concerns may be overridden by the data owner’s rights concerning his/her data;
  • Complying with a law which applies directly to the Data Controller.


Example of a Privacy Policy under Thailand’s PDPA for hotel owners


To help you understand how you might comply with Thailand’s PDPA law, here are a few typical items you might include in your Privacy Policy:

  • Description of personal information
  • The type of personal information that’s collected and for what purpose
  • How and where that personal information is used
  • How it’s stored, retained and processed
  • How data owners can access or amend information
  • The specific PDPA laws which apply to your Privacy Policy
  • Where customers can direct any concerns or questions regarding the Policy



VinarcoPDPA has a wide portfolio of services that makes dealing with Thailand PDPA laws an absolute breeze. Stay in full control of your privacy policy, and comply with PDPA regulations according to your hotel or hospitality business requirements.
