PDPA for juristic persons: 5 things to prepare right now
The HOOKY Team
Published 27 Jun 2026
Condo and village juristic offices hold a large amount of resident personal data — names, unit numbers, phone numbers, even payment history — which puts them squarely under Thailand's Personal Data Protection Act (PDPA).
1. Know what data you actually hold
Start by mapping what data the office collects, where it lives (paper, Excel, a digital system), and who can access it.
2. Have a legal basis for collecting it
Collecting resident data to issue bills and communicate is generally covered under "contract" or "legitimate interest," but the purpose of use must be clearly disclosed.
3. Limit access by role
No single staff member should see everything. A good system splits access by duty — accounting sees only financial data, security sees only what's relevant to them.
4. Encrypt and store data securely
An Excel file shared in a LINE group is a serious risk. Data should be encrypted both in transit and at rest, with backups that meet a reasonable standard.
5. Prepare a breach-response process
If a leak happens, the office needs a process to notify the relevant authority and affected residents within the legally required window.
⚠️ Non-compliance with PDPA can carry fines running into the millions of baht, and does serious damage to a juristic office's credibility.
A well-designed digital system — encrypted data, role-based access, and an auditable trail — makes PDPA compliance far easier than data scattered across files and group chats.
