PDPA Compliance for Thai Laboratories: What Lab Managers Need to Know
What Is PDPA and Why Do Labs Need to Comply?
Thailand's Personal Data Protection Act (PDPA), B.E. 2562 (2019), came into full effect on 1 June 2022. It establishes rights for data subjects and obligations for organisations that collect, use, or disclose personal data — modelled closely on Europe's GDPR.
Calibration and testing laboratories routinely collect personal data: customer contact names, email addresses, phone numbers, and company details are all personal data under the PDPA.
Personal Data Labs Typically Hold
- Customer records: Full name, company, Tax ID, billing address, phone, email
- Job forms: Name of equipment submitter, department, on-site contact
- Calibration certificates: May name the submitter or recipient
- Communications: Email threads, LINE messages, call logs
Obligations as a Data Controller
1. Privacy Notice
Before or at the time of collection, you must inform data subjects of: what you collect, why, how long you keep it, and who has access. This is typically a Privacy Policy on your website and in your customer onboarding documents.
2. Lawful Basis (Consent is not always required)
Sending calibration certificates and invoices to clients falls under contractual necessity — no separate consent is needed. Consent is required for activities beyond the service contract, such as sending marketing emails or sharing data with third parties.
3. Technical and Organisational Security
- Strong passwords and Multi-Factor Authentication (MFA)
- Role-based access controls — staff only see data relevant to their role
- Immutable audit log capturing every data access and modification
- Encryption in transit (HTTPS) and at rest
4. Honouring Data Subject Rights
Under the PDPA, clients and staff have the right to:
- Access — request a copy of data held about them
- Rectification — correct inaccurate data
- Erasure — request deletion when data is no longer necessary
- Objection — object to certain types of processing
- Portability — receive data in a machine-readable format
Labs must respond to these requests within 30 days.
5. Breach Notification
If a data breach is likely to result in risks to data subjects, you must notify the PDPC within 72 hours of becoming aware, and notify affected data subjects without undue delay.
PDPA Penalties
| Violation | Maximum penalty |
|---|---|
| Collecting data without lawful basis | Fine ≤ ฿3 million |
| Unlawful disclosure of personal data | Fine ≤ ฿5 million + prison ≤ 1 year |
| Failure to notify breach within 72 hours | Fine ≤ ฿3 million |
| Civil damages (class actions possible) | Court-determined actual damages |
How LabSync Supports PDPA Compliance
- Immutable audit log: Every data access and modification is recorded in a hash-chained, append-only log that cannot be retroactively altered — critical evidence for demonstrating accountability.
- Role-based access: Technicians see only job-relevant data; accounting staff see only financial data; admins have full visibility with all actions logged.
- MFA: Prevents unauthorised access even if a password has been compromised.
- Data export: Export customer data as CSV to fulfil Data Subject Access Requests (DSAR) within the 30-day window.
- PDPA DSAR module: Track DSAR requests, deadlines, and responses in one place — with audit trail evidence that you responded on time.
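The hash-chained, append-only audit log mentioned in the list above (and in the audit-log control under item 3) is easy to demonstrate concretely. The following is an added example written for this page, not LabSync's code or any vendor's implementation; the genesis hash constant, the entry field names, the actor names and the record identifiers are all assumptions constructed for the illustration. It goes one step beyond the text by also showing the one change a hash chain on its own cannot detect, silent truncation of the newest entries, and the externally stored head hash that closes that gap.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional

# Hypothetical fixed anchor for the first link in the chain (constructed for this example).
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    seq: int          # position in the log, starting at 0
    timestamp: str    # ISO-8601 string supplied by the caller (keeps the example deterministic)
    actor: str        # staff account that performed the action
    action: str       # "read", "update", "export", ...
    record: str       # identifier of the customer or job record touched
    prev_hash: str    # entry_hash of the previous entry (the chain link)
    entry_hash: str   # SHA-256 over every field above


def compute_entry_hash(seq: int, timestamp: str, actor: str, action: str,
                       record: str, prev_hash: str) -> str:
    """Hash a canonical JSON encoding so the same fields always give the same digest."""
    payload = json.dumps(
        {"seq": seq, "timestamp": timestamp, "actor": actor,
         "action": action, "record": record, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    """In-memory append-only log; every entry commits to the hash of the one before it."""

    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def append(self, timestamp: str, actor: str, action: str, record: str) -> AuditEntry:
        prev_hash = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        seq = len(self._entries)
        entry_hash = compute_entry_hash(seq, timestamp, actor, action, record, prev_hash)
        entry = AuditEntry(seq, timestamp, actor, action, record, prev_hash, entry_hash)
        self._entries.append(entry)
        return entry

    def entries(self) -> List[AuditEntry]:
        return list(self._entries)

    def head_hash(self) -> str:
        """Hash of the newest entry; keep a copy somewhere the log writer cannot overwrite."""
        return self._entries[-1].entry_hash if self._entries else GENESIS_HASH


def verify_chain(entries: List[AuditEntry], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the log is intact, otherwise the index of the first entry that fails.
    Recomputing each hash catches edited or deleted entries; comparing the final hash with
    an externally stored head additionally catches truncation of the tail."""
    prev_hash = GENESIS_HASH
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev_hash:
            return i
        if compute_entry_hash(e.seq, e.timestamp, e.actor, e.action, e.record, e.prev_hash) != e.entry_hash:
            return i
        prev_hash = e.entry_hash
    if expected_head is not None and prev_hash != expected_head:
        return len(entries)
    return None


def build_sample_log() -> AuditLog:
    """Constructed sample activity; actors and record ids are made up for this example."""
    log = AuditLog()
    log.append("2024-03-01T09:00:00+07:00", "tech01", "read", "customer/1001")
    log.append("2024-03-01T09:05:00+07:00", "acct02", "update", "customer/1001")
    log.append("2024-03-02T14:30:00+07:00", "admin", "export", "customer/1001")
    return log


def run_demo() -> dict:
    """Check the verifier against an intact log and three kinds of after-the-fact alteration."""
    log = build_sample_log()
    entries = log.entries()
    head = log.head_hash()               # the value that would be stored outside the log
    edited = list(entries)
    edited[1] = replace(edited[1], action="read")   # rewrite history: hide the update
    deleted = entries[:1] + entries[2:]             # remove the middle entry
    truncated = entries[:-1]                        # drop the newest entry
    return {
        "intact": verify_chain(entries, head),                    # None
        "edited": verify_chain(edited, head),                     # 1
        "deleted": verify_chain(deleted, head),                   # 1
        "truncated_no_anchor": verify_chain(truncated),           # None: chain alone cannot tell
        "truncated_with_anchor": verify_chain(truncated, head),   # 2
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {'intact' if result is None else f'failure at entry {result}'}")
```

The design point a lab manager should take from this is the last two results: a hash chain makes edits and deletions inside the log detectable, but an attacker who controls the log store can still discard the newest entries without breaking any link. Publishing the head hash to a place the log writer cannot change (a separate system, a signed periodic report, or an external timestamping service) is what turns the chain into accountability evidence that holds up when a regulator or a data subject asks what happened to a record.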
Start your free 14-day LabSync trial and build PDPA-compliant data management into your lab operations from day one.