Thai PDPA data subject rights: What you should know

June 3, 2021


A key component of the Thai PDPA is the rights prescribed to data subjects that fall under the law’s personal scope. The incoming law outlines several rights for data subjects, including but not limited to the right to access, the right to erasure, the right to withdraw consent, and the right to data portability. Each of these rights presents its own set of challenges, but with the right communication channels, consent management platforms, and data inventories, the burden of these tasks can be significantly reduced.

As we have outlined in a previous blog, privacy rights awareness is on the rise amongst consumers on a global scale and, as a result, an increase in data subject access requests (‘DSARs’) is on the cards for many organizations. Despite the Thai PDPA being postponed a further 12 months to June 1, 2022, organizations should still be looking to introduce best practices now in order to be prepared in time for the PDPA’s compliance deadline. OneTrust offers many solutions that can help streamline the DSAR process, comply with regulatory requirements, and build consumer trust, with simple implementation to get you up and running with plenty of time to spare.


What you need to know about PDPA data subject rights

Central to the Thai PDPA is its wide range of data subjects’ rights, which organizations are responsible for bringing to the attention of individuals. In many ways, the data subject rights under the PDPA resemble those under the GDPR; as such, organizations currently operating in the EU will likely have a head start with PDPA compliance. However, for a large number of organizations, support will be needed in order to set up an effective data subject rights fulfillment process.

Data subject rights under the PDPA include:

  • Right to be informed – The data controller is required to inform the data subject, prior to or at the time of the collection of the personal data, of required details such as the purpose of the collection, the data retention period, and the rights of the data subject.
  • Right to access – The data subject has the right to access or request a copy of their personal data collected, used, and disclosed by the data controller.
  • Right to rectification – The data subject has the right to have incomplete, inaccurate, misleading, or out-of-date personal data held by the data controller rectified.
  • Right to erasure – The data subject has the right to request that the data controller delete or de-identify their personal data except in scenarios where the data controller is not obligated to do so in order to comply with a legal obligation or to establish, exercise, or defend legal claims.
  • Right to object/opt-out – The data subject has the right to object to certain collection, use, and disclosure of their personal data such as objecting to direct marketing.
  • Right to data portability – The data subject has the right to obtain the personal data that the data controller holds about them in a structured electronic format and to send or transfer such data to another data controller.
  • Right not to be subject to automated decision making – The data subject has the right to restrict the use of their personal data in certain circumstances.



As organizations become obligated to inform data subjects of their rights, awareness will grow and more individuals will exercise these rights. In this case, automating the fulfillment of DSARs will help streamline the process as well as save privacy teams valuable time and resources. OneTrust can help with its Targeted Data Discovery™ technology, which can quickly identify where data resides throughout your systems and utilize PDPA-specific response workflows to respond to requests, document exceptions, and reduce unnecessary work.

The PDPA also requires companies to maintain accessible channels to communicate consent and initiate data subject rights. Organizations will need to produce a machine-readable format of the data they hold on a data subject and be prepared to erase or delete personal information upon request. OneTrust Consent and Preference Management integrates with consent documentation across data collection points to generate detailed records and produce consent reports in the event of a regulatory inquiry. Furthermore, you are empowered to configure a centralized preference center to reduce opt-outs, while still allowing data subjects to withdraw consent and change their preference settings.

The PDPA may not be effective until 2022, but that shouldn’t mean that your organization waits until the eleventh hour to implement best practices for handling data subject rights requests. OneTrust offers a wide suite of PDPA-specific solutions that can help to automate and streamline your data subject rights processes now. Request a demo to find out more about how OneTrust can help.
