
Thailand PDPA Compliance for Clinics: What Every Practice Owner Must Know in 2026


Thailand’s PDPA requires every clinic handling patient data to meet strict consent, storage, and breach notification rules. Here is what your practice must do to stay compliant in 2026.

Thailand’s Personal Data Protection Act (PDPA) has been fully enforced since June 1, 2022, and every clinic that collects, stores, or processes patient data must comply. Whether you run a single-doctor GP practice in Chiang Mai or a multi-branch aesthetic centre in Bangkok, PDPA applies to you. Violations carry fines up to 5 million THB per offence, criminal liability, and civil damages — yet many Thai clinic owners still operate without clear compliance measures in place.

This guide breaks down what the PDPA requires from healthcare practices, how it compares to international standards, and what your clinic management software must do to keep you on the right side of the law in 2026.

What Is the Thailand PDPA and Who Must Comply?

The Personal Data Protection Act B.E. 2562 (2019) is Thailand’s first comprehensive data privacy law. Modelled on the EU’s GDPR, it governs how organisations collect, use, disclose, and transfer personal data. The law applies to any entity that processes personal data in Thailand — regardless of whether the organisation itself is registered locally.

For healthcare providers, this is especially significant. Patient records contain “sensitive personal data” under Section 26 of the PDPA — a category that includes health information, biometric data, and genetic data. Sensitive data receives stricter protections and requires explicit consent before processing.

Data Controller vs Data Processor

The PDPA distinguishes between two roles. A data controller decides why and how personal data is processed — this is your clinic. A data processor handles data on behalf of the controller — this includes your clinic management software vendor, cloud hosting provider, or third-party lab that receives patient samples.

Both roles carry obligations under the law. As the data controller, your clinic must ensure that every processor you work with meets PDPA standards. If your software vendor stores patient records insecurely, your clinic bears the compliance risk.

Which Healthcare Practices Fall Under PDPA?

Every healthcare practice in Thailand falls under PDPA if it processes personal data. This includes:

  • GP clinics and family medicine practices
  • Dental clinics and orthodontic centres
  • Aesthetic and dermatology clinics
  • Traditional Thai medicine and TCM practitioners
  • Physiotherapy and chiropractic centres
  • Medical tourism practices serving international patients
  • Wellness centres and specialist clinics

There is no exemption based on practice size. A solo practitioner collecting patient names and phone numbers on a paper form is subject to the same rules as a hospital chain with a digital records system.

What Does PDPA Require from Thai Clinics?

The PDPA establishes several core obligations for data controllers. For clinics, these translate into specific operational requirements around consent, storage, and incident response.

Under Section 19, your clinic must obtain consent before collecting personal data — unless a lawful basis applies. For health data specifically, Section 26 requires explicit consent. This means a general “I agree” checkbox on a registration form is not sufficient. Patients must be clearly informed of what data you collect, why you collect it, how long you keep it, and who you share it with.

Lawful bases that may apply without consent include: performing a contract (e.g., providing the medical service the patient booked), complying with a legal obligation, or protecting vital interests in an emergency. However, these exceptions are narrow. For routine clinic operations — marketing messages, sharing records with insurance providers, or sending appointment reminders via WhatsApp — explicit consent is required.

Data Storage, Retention, and Deletion

The PDPA requires that personal data be kept only for as long as necessary for its stated purpose. Once the retention period ends — or a patient withdraws consent — the data must be deleted or anonymised. Clinics must define and document retention periods for each data type they hold.

For medical records, this intersects with Thailand’s medical licensing regulations, which may require minimum retention periods. Your clinic needs a retention policy that satisfies both the PDPA’s minimisation principle and any sector-specific record-keeping requirements.

Breach Notification Obligations

Section 37(4) of the PDPA requires data controllers to notify the Office of the Personal Data Protection Committee (PDPC) of a data breach within 72 hours of becoming aware of it. If the breach is likely to cause high risk to individuals — which patient data breaches almost always are — you must also notify the affected patients without delay.

This means your clinic needs a breach detection and response plan. If your software does not log access events or alert you to unusual activity, you may not even know a breach has occurred until it is too late to meet the 72-hour window.

Key Timeline

The PDPA’s full enforcement began on June 1, 2022. There is no remaining grace period. Clinics that have not yet implemented compliance measures are already at risk of penalties.

How Does PDPA Compare to GDPR and Malaysia’s PDPA 2010?

If your practice operates across Southeast Asian borders — or serves international patients — understanding how Thailand’s PDPA relates to other frameworks helps you build a compliance strategy that works regionally.

  • Consent model: Thailand’s PDPA requires explicit consent for sensitive data (including health data), similar to GDPR. Malaysia’s PDPA 2010 also requires consent but does not have a separate “sensitive data” category with heightened requirements.
  • Cross-border transfers: Thailand restricts transfers of personal data to countries without adequate data protection standards, unless the data subject consents or a legal exception applies. GDPR uses a similar adequacy mechanism. Malaysia’s PDPA 2010 restricts cross-border transfers unless the destination country has been approved.
  • Breach notification: Thailand requires notification to the PDPC within 72 hours — identical to GDPR’s timeline. Malaysia’s PDPA 2010 does not currently mandate breach notification, though amendments are under discussion.
  • Penalties: Thailand’s fines reach up to 5 million THB per offence. GDPR fines can reach 4% of global annual turnover or €20 million. Malaysia’s PDPA 2010 carries fines up to RM 500,000 and imprisonment up to 3 years.

For clinic groups operating in both Thailand and Malaysia, the practical takeaway is that Thailand’s PDPA is stricter on health data consent and cross-border transfers. A system that satisfies Thailand’s requirements will generally meet Malaysia’s as well.

What Are the Penalties for Non-Compliance?

The PDPA enforces three categories of penalties, and they can be applied concurrently:

  1. Administrative fines: Up to 5 million THB per violation, imposed by the PDPC Expert Committee.
  2. Criminal penalties: Fines up to 5 million THB and/or imprisonment up to one year for intentional misuse of personal data, disclosure of sensitive data without consent, or obstructing PDPC investigations.
  3. Civil damages: Data subjects can sue for actual damages plus punitive damages of up to twice the actual damages. Class action lawsuits are also permitted under Thai law.

“The PDPA does not distinguish between large hospital networks and small private clinics. The compliance obligations — and the penalties for failing to meet them — apply equally regardless of practice size.”

Thailand Personal Data Protection Act B.E. 2562, Section 90–91

Beyond the financial penalties, a publicised data breach damages patient trust. In a market where patients increasingly research clinics online before booking, a compliance failure can cost you far more than the fine itself.

What Should Clinic Software Do to Support PDPA Compliance?

Your clinic management system is where most patient data lives. If that system was not designed with data protection in mind, compliance becomes a manual burden — paper consent logs, spreadsheet-based audit trails, and no reliable way to detect a breach. The right software handles the heavy lifting.

Your system should record when each patient gave consent, what they consented to, and whether they later withdrew it. Every access to a patient record — who viewed it, when, and what they changed — should be logged automatically. These audit trails are your primary evidence if the PDPC ever investigates your clinic.

Encryption and Access Controls

Patient data must be encrypted both at rest (stored on servers) and in transit (moving between your device and the cloud). Role-based access controls ensure that only authorised staff can view sensitive records. A receptionist scheduling appointments should not have the same access level as a treating physician reviewing electronic medical records.

Data Portability and Deletion

Under the PDPA, patients have the right to request a copy of their data in a commonly used format and the right to request deletion. Your software should support both actions without requiring manual workarounds or IT intervention.

How Does MedicalMet Help Thai Clinics Stay Compliant?

MedicalMet is a cloud-based clinic management system built for Southeast Asian healthcare practices — including clinics across Thailand. The platform addresses PDPA requirements through its core architecture, not through bolt-on compliance modules.

  • AES-256 encryption at rest and in transit — the same standard used by major financial institutions.
  • Role-based access controls — define exactly who can view, edit, or export patient data across your practice.
  • Comprehensive audit logs — every record access, edit, and deletion is logged with timestamps and user identity.
  • Automated daily backups — patient data is backed up automatically, so recovery after any incident is fast and complete.
  • Thai language support — the entire platform, including patient-facing communication, operates in Thai.
  • Cloud-based infrastructure — no local servers to secure. MedicalMet handles server-side security, patching, and uptime.

For clinics concerned about the intersection of AI and patient privacy, MedicalMet’s AI features — including AI Treatment Notes and AI Clinical Timeline — process data within the same encrypted environment. No patient data is sent to external AI providers. For a deeper look at how AI and patient data privacy work together, see our guide on AI safety for patient data in clinics.

MedicalMet’s security architecture is designed to meet the requirements of data protection laws across all six Southeast Asian markets the platform serves — Malaysia, Singapore, Brunei, Philippines, Thailand, and Vietnam.

PDPA compliance is not a one-time project — it is an ongoing obligation that touches every part of how your clinic handles patient information. The right clinic management system makes compliance automatic rather than manual, giving you confidence that your practice meets the standard every day without extra administrative work.

Cedric Lau

Business Development Manager, MedicalMet