Call us now:
Request for Personal Information Thailand
Our Request for Personal Information Thailand is drafted and reviewed by experienced lawyers to ensure compliance with Thai law and practical business use. It provides a reliable legal framework for formally requesting access to, correction of, or deletion of personal data held by an organisation in Thailand.
Designed for individuals, employees, customers, and companies seeking to exercise their rights under Thai data protection law, this template covers key legal aspects such as identification of the requesting party, nature of the request, personal data concerned, legal basis for the request, deadline for response, and regulatory compliance under the Personal Data Protection Act B.E. 2562 (2019).
However, some requests may require additional clauses or tailored structuring depending on the nature of the personal data concerned, the identity of the data controller, the complexity of the data processing activities involved, or cross-border data transfer considerations. Our legal team can assist clients with customised Requests for Personal Information adapted to their specific situation within a short timeframe.
Disclaimer: This template is provided for general informational purposes only and does not constitute legal advice. While it has been prepared by legal professionals, it may not reflect your specific situation or regulatory constraints. For complex or sensitive data protection matters, legal advice should be sought to ensure proper structuring and compliance under Thai law.
Need a Contract Tailored to Your Needs? Get a Free Consultation.
When should you use a Request for Personal Information in Thailand?
A Request for Personal Information is used whenever an individual wishes to formally exercise one or more of their rights under the Personal Data Protection Act B.E. 2562 (2019) (the “PDPA”) in relation to personal data held by an organisation acting as a data controller. This situation commonly arises when an individual wishes to access personal data held about them, request correction of inaccurate data, request deletion or anonymisation of data, object to or restrict certain processing activities, or withdraw previously given consent.
Under Thai law, the right to request access to personal information is governed by the Personal Data Protection Act B.E. 2562 (2019), which came into full effect on 1 June 2022. The PDPA grants data subjects a range of rights in relation to their personal data, including the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, and the right to object to processing. Data controllers are required to respond to valid requests within 30 days of receipt.
This document becomes particularly important when an individual has reason to believe that an organisation holds inaccurate, excessive, or unlawfully processed personal data about them, or when an individual wishes to obtain a copy of their personal data for the purpose of verifying the lawfulness of its processing. It provides a clear and formal basis for the request, establishes the applicable legal framework, and creates a documented record of the exercise of data subject rights.
In more complex situations, additional considerations may arise regarding cross-border transfers of personal data, the processing of sensitive personal data categories requiring heightened protection under the PDPA, the interaction between data subject rights and other legal obligations of the data controller, or the involvement of multiple data controllers or processors. Our legal team assists individuals and companies with the preparation of customised Requests for Personal Information tailored to their specific situation in order to ensure effective exercise of data subject rights under Thai law.
Without a properly drafted Request for Personal Information, individuals risk having their requests ignored, delayed, or improperly handled by data controllers, and may find it more difficult to enforce their rights before the Personal Data Protection Committee or the competent Thai courts.
1. Identification of the Data Subject
The request must clearly identify the requesting individual, including their full name, contact details, and any identification number or reference that will assist the data controller in locating the relevant personal data.
2. Identification of the Data Controller
The request must identify the organisation to which it is addressed, including its full legal name, registered address, and the name of its data protection officer or responsible contact, where known.
3. Nature of the Request
The request must specify the type of data subject right being exercised, whether access, rectification, erasure, restriction of processing, data portability, objection to processing, or withdrawal of consent, and provide sufficient detail to enable the data controller to identify and locate the relevant personal data.
4. Description of the Personal Data Concerned
The request must describe the personal data to which the request relates, including the categories of data, the context in which it was collected, and any specific records or processing activities that are the subject of the request.
5. Legal Basis for the Request
The request must identify the applicable provision of the PDPA under which the right is being exercised, and confirm that the requesting party is the data subject or a duly authorised representative acting on their behalf.
6. Deadline for Response and Consequences of Non-Compliance
The request must specify the deadline within which a response is required, in accordance with the 30-day period prescribed by the PDPA, and note the data subject's right to file a complaint with the Personal Data Protection Committee in the event of non-compliance.
Key Clauses and Essential Elements in a Request for Personal Information
A Request for Personal Information is a key legal document enabling individuals to formally exercise their data subject rights under the PDPA in Thailand. It identifies the requesting party, specifies the nature of the request, and establishes the legal basis and deadline for the data controller’s response.
Under the PDPA, data controllers must respond to valid data subject requests within 30 days of receipt. Failure to respond, or an unjustified refusal to comply, may constitute a violation of the PDPA and expose the data controller to administrative penalties, civil liability, and reputational risk.
This type of document is commonly used in employment disputes, consumer protection matters, commercial due diligence processes, financial services contexts, and healthcare or insurance arrangements.
While a standard request may suffice in straightforward situations, more complex cases often require a more detailed and legally precise document to ensure the request is properly addressed.
Why customise a Request for Personal Information with a lawyer in Thailand?
In practice, each data subject request has its own context and level of complexity. The nature of the personal data concerned, the identity and practices of the data controller, the existence of competing legal obligations, or the presence of sensitive personal data categories may all require a more precise and legally robust document than a standard template provides.
Depending on the situation, specific elements may need to be addressed relating to the identification and location of personal data across multiple systems or entities, the processing of sensitive personal data categories such as health data, biometric data, or financial information, the interaction between the data subject’s rights and the data controller’s legal obligations to retain or disclose data, cross-border data transfers and the applicable legal safeguards, the involvement of third-party data processors acting on behalf of the data controller, the data subject’s right to data portability and the format in which data must be provided, the right to object to automated decision-making or profiling activities, PDPA complaint procedures before the Personal Data Protection Committee, or potential civil liability claims against the data controller for unlawful processing.
Tailoring a Request for Personal Information also allows the data subject to more effectively assert their rights, anticipate likely responses or objections from the data controller, and build a documented record for potential enforcement proceedings. This is particularly important in employment disputes, financial services matters, healthcare contexts, or situations involving sensitive personal data or cross-border processing.
Our legal team assists individuals and companies with the preparation and review of customised Requests for Personal Information for Thailand adapted to their specific situation and data protection objectives. In many cases, a tailored request can be prepared within a short timeframe while ensuring full compliance with the PDPA and related Thai regulations.
A properly drafted Request for Personal Information not only strengthens the data subject’s legal position, but also increases the likelihood of obtaining a timely and complete response from the data controller.
Request for Personal Information Thailand
Instant Download
Access your document immediately after download, no waiting required.
Easy to Customize
Editable in Word or Google Docs, ready to adapt to your needs.
Ready to Sign
Fully formatted and legally structured, just fill in your details and sign.
Crafted by Lawyers
Each agreement is designed and proofed by experienced Thai lawyers.
FAQ
What is a Request for Personal Information in Thailand?
A formal written document by which an individual exercises one or more data subject rights under the PDPA, such as the right to access, correct, delete, or restrict the processing of their personal data held by an organisation acting as a data controller.
What rights can I exercise under the PDPA in Thailand?
The PDPA grants data subjects the right of access, rectification, erasure, restriction of processing, data portability, objection to processing, and withdrawal of consent. The availability of each right depends on the legal basis and nature of the processing concerned.
How long does a data controller have to respond to a request in Thailand?
Data controllers must respond within 30 days of receiving a valid request. In complex cases, this period may be extended, but the data controller must notify the data subject of the extension and its reasons within the initial 30-day period.
Can a data controller refuse a Request for Personal Information in Thailand?
Yes, in limited circumstances, such as where the request is manifestly unfounded or excessive, where compliance would violate another law, or where an exemption under the PDPA applies. Any refusal must be communicated to the data subject with reasons within the prescribed timeframe.
What happens if the data controller does not respond to my request?
The data subject may file a complaint with the Personal Data Protection Committee. Non-compliance may expose the data controller to administrative fines, civil liability for damages, and in serious cases, criminal sanctions under the PDPA.
Does the PDPA apply to all organisations in Thailand?
The PDPA applies to any organisation that collects, uses, or discloses personal data of individuals in Thailand, regardless of whether the organisation is based in Thailand or abroad, subject to limited exemptions for household activities, certain government functions, and other specified categories.
Can I request personal information on behalf of another person in Thailand?
Yes, provided you hold a valid written authorisation from the data subject. The request must clearly identify both the data subject and the authorised representative, and the authorisation document should be attached to the request.
How does a Request for Personal Information differ from a general data subject rights request?
A Request for Personal Information specifically focuses on obtaining access to and information about personal data held by a data controller. Other data subject rights requests, such as erasure or portability requests, have different legal bases and procedural requirements under the PDPA.