PDPA Compliance Guide (Thailand)
ℹ️Compliance group:
opt-in — opt-in with cross-border transfer rules enforced. Use compliance: { type: 'opt-in' } in your ConsentiSetup config.Thailand's Personal Data Protection Act B.E. 2562 (PDPA) was enacted in 2019 and came into full enforcement on 1 June 2022. It is administered by the Personal Data Protection Committee (PDPC) under the Ministry of Digital Economy and Society. Consenti supports Thailand PDPA via regulation: 'pdpa-th'.
⚠️Consenti provides Partial coverage for Thailand PDPA. The consent UI and audit logging are fully supported. Cross-border transfer agreements and data localisation obligations must be managed at the infrastructure level by your legal and engineering teams.
Official references
Key requirements
| Requirement | Detail |
|---|---|
| Consent model | Opt-in — explicit, informed, freely given |
| Sensitive data | Explicit consent required (race, ethnicity, political opinions, religious beliefs, sexual behaviour, criminal records, health data, disability, trade union membership, genetic/biometric data) |
| Minors | Under-10 requires parental consent; 10–20 requires at minimum assent |
| Withdrawal | Must not be more difficult than giving consent |
| Cross-border transfer | Destination country must have adequate protection or SCCs/BCRs in place |
| Data Protection Officer | Mandatory for large-scale or sensitive data processing |
| Enforcer | PDPC — Personal Data Protection Committee |
Enabling Thailand PDPA mode
Frontend widget
ts
new ConsentiSetup({
core: {
regulation: 'pdpa-th',
},
})Profile configuration (dashboard)
json
{
"regulation": "pdpa-th",
"pdpaTh": {
"dataControllerName": "Acme Co., Ltd.",
"dpoEmail": "[email protected]",
"purposeDescription": "To operate the website and provide requested services."
}
}Cross-border transfers
PDPA Section 28 restricts sending personal data to third countries without adequate protection. Consenti's backend stores data in SQLite (local) by default. If you use the MongoDB or PostgreSQL adapter with a foreign host, ensure your Data Processing Agreement covers PDPA cross-border transfer requirements.
Erasure
http
DELETE /consenti/api/v1/consent/:visitorId