Thailand’s Personal Data Protection Act (PDPA), B.E. 2562 (2019), requires organizations that hold employee data to process it on a valid legal basis (consent where nothing else applies; for most employment data the employment contract, a legal obligation, or legitimate interests), define clear processing purposes, maintain a Data Retention Policy, give employees the right to access, correct, and delete their own data, and notify the PDPC of a data breach within 72 hours of becoming aware of it. Non-compliance carries administrative fines of up to 5 million THB per offence, plus potential criminal liability. For HR teams, PDPA is not a one-off project but an ongoing compliance discipline that must be reviewed at least annually.
💡 What is PDPA in the HR context?
Thailand’s Personal Data Protection Act (PDPA) governs how organizations collect, use, and disclose personal data. For HR, it covers everything from resumes, ID copies, health data, salary, leave history, and performance reviews through to CCTV footage and biometric data collected through check-in systems.
Why PDPA Is an HR Responsibility (Not Just IT or Legal)
Many organizations still treat PDPA as an IT or Legal problem. In reality, HR is the department that collects, uses, and shares the most personal data in any company. From recruitment to onboarding, employment, and offboarding — every HR process touches personal data. If HR is not the driver of PDPA compliance, the policy will exist on paper but fail in practice.
PDPA numbers Thai HR teams should know:
- 58% of data breaches in Thai organizations originate in HR or payroll systems — Thailand Cybersecurity Report 2024
- The maximum PDPA administrative fine is 5 million THB per offence, plus criminal liability of up to one year’s imprisonment for the most serious breaches involving sensitive data — PDPC announcement 2023
- 73% of HR managers in Thailand are not confident their organization is fully PDPA-compliant — Deloitte HR Compliance Thailand 2025
The data HR processes is especially high-impact: national ID numbers, financial information, health records, and biometric data. Health and biometric data are “Sensitive Personal Data” under PDPA, which triggers a higher protection standard than ordinary personal data. National ID numbers and salary details are general personal data in law, but their exposure causes comparable harm (identity fraud, extortion), so they deserve the same technical protection in practice.
Classifying Employee Data Under PDPA
PDPA splits personal data into two tiers: Personal Data (general) and Sensitive Personal Data. HR must classify everything in its systems correctly because the two tiers carry different rules for collection and use.
General Personal Data that HR routinely collects includes name, phone number, email, address, national ID number, job title, salary, education, employment history, and performance review data. This data requires a lawful basis (for core employment data usually the employment contract or a legal obligation rather than consent), a defined purpose disclosed to the employee, and a documented retention period.
Sensitive Personal Data that HR must treat with extra care includes health information (medical certificates, sick leave records), biometric data (fingerprints, face scans, selfie check-in images), criminal records, genetic data, religion, political views, and sexual orientation. This category requires explicit, separate consent unless a statutory exception applies (for example, health data the employer must process to meet obligations under labour or social security law); that consent cannot be bundled into a general employment consent form.
Your HR system must be able to tag the data classification of each field so that you can respond to data subject access requests quickly. Pinno’s Employee Profile module provides data classification designed specifically for PDPA Thailand.
The 7 Core Principles of PDPA Every HR Team Must Embed
Thailand’s PDPA does not list them under these names, but its obligations map onto the seven principles that the EU’s GDPR states explicitly in Article 5. HR must understand and embed them in every process: recruitment, onboarding, employment, and offboarding.
Principle 1: Lawfulness, Fairness, and Transparency — data must be collected on a valid legal basis, processed fairly, and employees must know what is happening with their data.
Principle 2: Purpose Limitation — use data only for the purposes disclosed when it was collected. A new purpose needs its own legal basis and must be notified to the employee before processing starts; where consent was the original basis, that means fresh consent.
Principle 3: Data Minimization — collect only the data needed for the stated purpose. HR should never collect data unrelated to the job, such as religion or marital status, unless there is a genuine, defensible need.
Principle 4: Accuracy — the data must be correct and current. Employees should be able to update their own records.
Principle 5: Storage Limitation — do not keep data longer than necessary. Application data from unsuccessful candidates, for example, should be deleted within a year unless explicit longer-term consent is given.
Principle 6: Integrity and Confidentiality — protect data with encryption in transit and at rest, role-based access controls, and audit logs that record who read or changed which record and when.
Principle 7: Accountability — organizations must be able to prove their compliance through documented records and policies.
12-Point PDPA Checklist for HR Managers
This is the checklist HR managers in Thailand should use to benchmark their PDPA posture today. Yes to every item indicates a strong compliance position. Three or more “no” answers indicate priority gaps to close.
- Privacy Notice — A document that tells employees what data is collected, for what purpose, for how long, and which of the eight data subject rights they hold under PDPA.
- Consent Form — Separate consents per purpose, not a single catch-all consent. Each must be timestamped and revocable by the employee at any time. Reserve consent for processing that genuinely depends on it: asking for consent to processing the employment contract already requires creates a withdrawable basis for something the organization cannot actually stop doing.
- Data Inventory — A complete map of what data your HR systems hold, where it lives, and who has access.
- Retention Schedule — Documented retention periods per data type — for example, unsuccessful applicant data deleted after 12 months, employee records kept 5 years post-departure, tax records kept 10 years.
- Access Control — Role-based access in your HR system. HR managers see full records; line managers see only their direct reports; employees see only their own record; sensitive fields such as health and biometric data are restricted further to the few roles that need them, and every read of them is logged.
- Data Subject Rights Process — A documented workflow for handling employee requests for access, correction, deletion, and data portability — with a 30-day response window.
- Vendor Management — Every external vendor that touches HR data (payroll outsource, recruitment agencies, insurance providers) must have a signed Data Processing Agreement (DPA).
- Breach Notification Plan — A playbook covering who responds to a breach, the PDPC notification process (without delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to pose a risk to the people affected), and how and when affected employees will be informed (without delay where the breach is likely to result in high risk to them).
- Training Program — Annual PDPA training for HR teams and line managers, with attendance records.
- Cross-border Transfer — If data moves to overseas locations (such as a regional HQ in Singapore), a documented legal basis and protection mechanism (e.g., Standard Contractual Clauses).
- DPO Appointment — A Data Protection Officer formally appointed if the organization meets PDPC’s mandatory criteria.
- Annual Review — Privacy notice, consent forms, and retention schedule reviewed and updated at least once per year.
Common HR Mistakes That Trigger PDPA Violations
The Pinno PDPA advisory team consistently sees four mistakes in Thai organizations that HR should audit immediately.
The first is sending payslips through LINE or personal email without protection. Salary information is general personal data under PDPA rather than “Sensitive Personal Data”, but it is confidential and high-impact, and sending it through unencrypted channels creates real breach exposure. The fix: use an Employee Self-Service portal protected by 2FA, or distribute password-protected PDFs where the password is unique to each employee. If you choose PDFs, do not derive the password from the national ID number or date of birth (both are guessable from data the same recipients often hold), and do not send the password over the same channel as the file.
The second is keeping unsuccessful candidate resumes indefinitely in shared drives or email — often without any long-term consent. Set a 6–12 month retention window and let candidates opt in if they want to remain in the talent pool for future roles.
The third is sharing employee data with vendors without a DPA in place. For example, providing an employee list with salaries to a health insurance vendor without a signed agreement controlling how that data may be used. Sign Data Processing Agreements with every vendor that processes personal data on your behalf (including annual health check providers), and put equivalent data-sharing terms in place with vendors that decide their own purposes for the data, such as insurers.
The fourth is giving the entire HR team blanket access to all employee data, which violates the “need-to-know” principle. Configure roles and permissions in your HR system at field level, not just record level: a payroll officer sees salary-related fields only, not performance reviews or medical certificates, and a line manager sees performance data only for direct reports.
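The access-control and retention rules described above can be expressed as a small policy-enforcement layer. The following Python is an added illustration, not Pinno’s code or any part of the original article: the role names, field list, classification tags, retention periods and sample employee are all hypothetical and constructed for the example. It enforces scope (own record, direct reports, or all), a per-role field allow-list, writes an audit entry for every attempt including denied ones, flags reads that touched Sensitive Personal Data, and checks whether a record has outlived its retention window.

```python
"""Field-level RBAC, audit logging and retention check for HR records.

Added example (not Pinno's code). All names, roles, fields and retention
periods are hypothetical assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical classification of HR fields under the PDPA two-tier model.
FIELD_CLASS: dict[str, str] = {
    "name": "general",
    "email": "general",
    "national_id": "general",
    "salary": "general",
    "performance_review": "general",
    "medical_certificate": "sensitive",
    "face_template": "sensitive",
    "criminal_record": "sensitive",
}

# Hypothetical role policy: (record scope, fields the role may read).
# Scopes: "self" = own record only, "reports" = direct reports only, "all".
ROLE_POLICY: dict[str, tuple[str, frozenset[str]]] = {
    "employee": ("self", frozenset(FIELD_CLASS)),
    "line_manager": ("reports", frozenset({"name", "email", "performance_review"})),
    "payroll_officer": ("all", frozenset({"name", "national_id", "salary"})),
    "hr_manager": ("all", frozenset(FIELD_CLASS)),
}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    manager_id: str | None
    record: dict[str, str]


@dataclass(frozen=True)
class Actor:
    user_id: str
    role: str


class AccessDenied(PermissionError):
    """Raised when the actor's role or scope does not cover the target record."""


# Append-only audit trail; a real deployment would write this to tamper-evident storage.
AUDIT_LOG: list[dict[str, object]] = []


def access_allowed(actor: Actor, target: Employee) -> bool:
    """Scope check only: may this actor read anything about this employee?"""
    if actor.role not in ROLE_POLICY:
        return False
    scope = ROLE_POLICY[actor.role][0]
    if scope == "all":
        return True
    if scope == "self":
        return actor.user_id == target.emp_id
    if scope == "reports":
        return target.manager_id == actor.user_id
    return False


def read_record(actor: Actor, target: Employee, purpose: str) -> dict[str, str]:
    """Return only the fields the actor's role may see, logging every attempt.

    Denied attempts are logged as well, so probing of other people's records
    shows up in audit review rather than silently failing.
    """
    permitted = access_allowed(actor, target)
    allowed_fields = ROLE_POLICY[actor.role][1] if permitted else frozenset()
    visible = {k: v for k, v in target.record.items() if k in allowed_fields}
    AUDIT_LOG.append({
        "actor": actor.user_id,
        "role": actor.role,
        "target": target.emp_id,
        "purpose": purpose,
        "granted": permitted,
        "fields": sorted(visible),
        "sensitive_fields": sorted(k for k in visible if FIELD_CLASS[k] == "sensitive"),
    })
    if not permitted:
        raise AccessDenied(f"{actor.user_id} ({actor.role}) may not read {target.emp_id}")
    return visible


# Hypothetical retention schedule in days; the clock starts at the triggering
# event (rejection, last working day, tax-year end), not at collection.
RETENTION_DAYS: dict[str, int] = {
    "unsuccessful_applicant": 365,
    "employee_post_departure": 5 * 365,
    "tax_record": 10 * 365,
}


def retention_expired(category: str, trigger_date: date, today: date) -> bool:
    """True once the retention window for this data category has run out."""
    return today > trigger_date + timedelta(days=RETENTION_DAYS[category])


# Constructed sample record (fictional person and values).
ALICE = Employee("E100", manager_id="E001", record={
    "name": "Alice", "email": "alice@example.com",
    "national_id": "1-1234-56789-01-2", "salary": "45000",
    "performance_review": "Exceeds", "medical_certificate": "sick leave 2 days",
})

if __name__ == "__main__":
    print(read_record(Actor("E200", "payroll_officer"), ALICE, "monthly payroll run"))
    print(read_record(Actor("E001", "line_manager"), ALICE, "annual review"))
    print(retention_expired("unsuccessful_applicant", date(2024, 1, 15), date(2025, 3, 1)))
    print(AUDIT_LOG[-1])
```

The point of logging denied attempts alongside granted ones, and of tagging which sensitive fields a read returned, is that a data subject access request or a breach investigation then has a single place to answer “who saw this person’s health data, and why”. Retention is keyed on the triggering event rather than the collection date because the same field (a medical certificate, say) can legitimately sit in a current employee’s file for years and must be purged on a fixed schedule only once the employment ends.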
Reducing PDPA Risk with Pinno HR Software
An HR system designed around PDPA dramatically reduces the compliance burden on your team. Pinno’s Employee Profile ships with PDPA features built specifically for Thai organizations: data classification, role-based access control, audit logs that record every data access, and a retention policy engine that deletes data automatically when its retention window expires.
The platform also integrates with Employee Self-Service, giving employees visibility into what data the organization holds about them, the ability to update incorrect information themselves, and instant download of their own data copy for portability — directly addressing the data subject rights mandated by PDPA.
About Pinno
Pinno is a Thailand-built HR Cloud Software developed by Pinno Solutions Co., Ltd. under the PRTR Group — a leading HR solutions provider in Thailand for over 30 years. Today, more than 20,000 organizations trust Pinno across Payroll, Time, Benefits, Performance, and Employee Self-Service in a single platform. Website: https://pinno.io
Reduce your PDPA risk with an HR system designed around Thai compliance — Book a free demo to see end-to-end employee data lifecycle management under a PDPA-first framework.