Collecting user data to improve customer experience? Make sure you comply with the PDPA

In 2019, Thailand introduced the Personal Data Protection Act (PDPA), which requires data controllers and processors to ensure that the data they collect is managed and processed properly, with explicit consent where sensitive data is involved. Due to COVID-19, however, the enforcement of the law was delayed by two years until June 2022.

By The Phuket News

Sunday 19 March 2023, 11:00AM

Photo: via Silk Legal

After the Act took effect, the government announced that SMEs would be exempt from some of the Act’s provisions following concerns from small and medium-sized businesses about their ability to comply with the law. 

While data privacy protections have been enshrined in law, many users have expressed their willingness to give their personal data in exchange for better services, particularly around finance and fintech. According to a report published by technology consultancy Capco, around 70% of Thais are willing to share their personal data to improve their digital services experience. For financial and fintech businesses, doing so may mean that they need to collect user data to better tailor their services.

How can companies leverage consumer data while complying with the PDPA?

Personalisation and building customer-centric elements into digital services are key to understanding what customers want. Collecting data and analytics is important for businesses to identify opportunities to better serve their clients.

However, in light of the PDPA and users' growing awareness of their rights as owners of their personal data, businesses in the fintech, technology and financial space must be cognizant of the types of data they can collect and how they are able to do so within the legal and ethical bounds of Thailand’s data privacy regulations. This is important as the data companies seek may not always be what customers feel obliged to share.

While many users in Thailand have expressed their willingness to give their personal data for better services, this should not be interpreted as a blank cheque for digital service providers to collect user data without consent. This is particularly so as digital users around the world take serious precautions when having to provide their personal information and place great importance on data privacy and protection.

Under the PDPA, the legal bases for the collection of personal data include:

  • Archiving for documents of historical significance or public interest;
  • The suppression of danger;
  • Making contracts;
  • Legitimate interests of either, or both, the user and the platform collecting personal data;
  • Legal obligations; and
  • Gaining consent from users.

Based on this, apart from legal obligations and maintaining the interests of both users and the platform, fintech and technology firms can legally collect user data only when users give prior consent to do so, particularly if sensitive data is involved.

How can companies get legal consent from users?

According to guidelines provided by the Personal Data Protection Committee (PDPC) on Sept 7, 2022, users must give consent in either written or electronic form and have the right to withdraw that consent at any time. 

Moreover, consent given by users must be informed and forthright, meaning platforms are required to provide the following information clearly when getting consent:

  • The type of personal data that will be collected and how;
  • The reasons for doing so;
  • The users’ rights and obligations;
  • How long the personal data will be held for; and
  • Whether the personal data given by users will be sent to third parties, and if so, whom.

It should be noted that platforms cannot collect personal data from other sources unless they notify the users directly and gain consent to do so.

What should companies do if they wish to collect user data?

Obviously, companies and platforms that wish to collect user data to improve their services must obtain consent from their users. This means drafting a separate consent notice that is easily identifiable to users, such as a pop-up or notification, that is written in a way that is clear and unambiguous, as well as creating a data retention policy for the various types of data to be collected. Platforms may also want to consider ways of collecting consent from those with disabilities.

If policies covering consent already exist within the platforms’ operations, it may be prudent for service providers to review them to ensure they comply with the PDPA and its supporting regulations. However, we recommend that service providers consider a continuity plan for when consent is withdrawn by users as well as a process for destroying data when users want to do so.

As always, regardless of whether you are an established service provider or are looking to set up a technology or fintech company in Thailand, you should seek legal advice if in doubt to avoid severe consequences for non-compliance. 

By Sasitorn Ongcharoen

Silk Legal is an experienced law firm that has been advising clients on PDPA compliance, and are ready to help clients meet business goals. To consult on PDPA-related issues, contact

Kamala Pete | 19 March 2023 - 12:03:06

Even the "western world" are having huge problems battling intrusive Chinese and Russian malware - I would think that Thailand has no chance of cleaning up and securing their internet infrastructure.

