PDPA Clinic Compliance Thailand 2026: 7 Steps to Avoid 5-Million-Baht Fines
If you own or manage a clinic in Thailand, PDPA clinic compliance is no longer optional — it is the operational baseline that regulators will measure you against in 2026. Patient health records, lab results, and Before/After photographs are classified as Sensitive Personal Data under Section 26 of the Personal Data Protection Act B.E. 2562 (PDPA), attracting the highest administrative penalties in the statute: up to 5 million baht per violation. In 2025, Thailand’s Personal Data Protection Committee (PDPC) already imposed a 2.5-million-baht fine on a single aesthetic clinic. In 2026, the PDPC’s “Eagle Eye” audit programme targets over 1,000 healthcare facilities. This guide gives you the practitioner’s answer — not legal theory — to the question every clinic owner is now asking: what exactly must I do, and can I afford it?
PDPA Clinic Compliance Thailand 2026: Why Patient Data Is a “Ticking Time Bomb” 🏥🚨
Picture walking into your clinic one morning to find every patient file locked by ransomware — or, worse, receiving a civil claim for 5 million baht because an employee accidentally shared a patient’s sexual-health history in a staff LINE group. This scenario is no longer hypothetical. Throughout 2025, aesthetic clinics and hospitals across Thailand faced real enforcement action under the PDPA, with Health Data drawing the harshest scrutiny as the apex category of Sensitive Personal Data.

This guide cuts through the legal theory. What follows is a “how-to” practitioner framework designed specifically for Thai clinics in 2026 — actionable, budget-conscious, and structured to reduce million-baht exposure without requiring enterprise-level resources.
Real Enforcement: Clinic Fined 2.5 Million Baht for Patient Data Breach (2025)
Numbers do not lie. In August 2025, an aesthetic clinic in Thailand was issued an administrative fine of 2.5 million baht. The root cause was not a sophisticated cyberattack — it was an employee who exported a customer database and inadvertently transmitted it to a call-centre fraud ring. The PDPC’s finding was unambiguous: intent is irrelevant if adequate safeguards are absent.
- Key Takeaway: The PDPA does not require malicious intent to establish liability. If your clinic lacks documented preventive measures, you are in violation from the moment a breach occurs — regardless of how it happened.
Sensitive Data = Health Data = Maximum 5-Million-Baht Penalty
Under Section 26 of the PDPA, health histories, treatment records, and laboratory results are classified as Sensitive Personal Data — the statute’s highest-risk category.
- Risk Exposure: Administrative fines reach up to 5 million baht per violation. Where data is unlawfully exploited for commercial gain, criminal sanctions include up to one year’s imprisonment, placing individual clinic owners — not just the corporate entity — at personal legal risk.
PDPC Eagle Eye 2026: 1,000 Healthcare Facilities Targeted for Inspection
According to well-placed regulatory sources, 2026 will see the Office of the Personal Data Protection Committee (PDPC) launch its “Eagle Eye” programme — a proactive audit initiative targeting more than 1,000 clinics and healthcare facilities to assess patient data management standards. Compliance posture, not self-reported status, will determine outcomes.

What Patient Data Does PDPA Protect in Thailand? 📋
9 Categories of Sensitive Health Data Under the PDPA
PDPA protection extends far beyond a patient’s name and contact number. The following categories trigger Sensitive Personal Data obligations — meaning explicit, separate consent is required before collection or processing:
- Medical Records and Treatment Histories
- Laboratory Results and Blood Test Reports
- Radiological Imaging: X-ray, MRI, CT Scans
- Drug Allergy Records
- Genetic Data (Genomic Information)
- Sexual Orientation and Behaviour (commonly held in specialist clinics)
- Race or Religion (as indicated on older national ID cards)
- Biometric Data — facial scans, fingerprints used for identification
- National ID Number when linked to health data
Legacy Patient Data Older Than 10 Years: Mandatory Audit Now
Clinics with long operating histories typically accumulate substantial physical patient archives. Under general prescription rules, data for patients with whom no contact has occurred for more than ten years should be formally assessed for destruction.
- Critical Risk: Retaining outdated records without a documented legal basis is itself a PDPA violation. Files that have passed their mandatory retention period must be destroyed using certified methods — cross-cut shredding for paper, certified erasure for digital media. Storing them “just in case” is both legally exposing and operationally unnecessary.

7 PDPA Action Steps for Clinics: A 6-Month Implementation Timeline ✅
The following seven steps represent the minimum viable compliance framework for Thai healthcare providers under the PDPA. Implemented in sequence, they can be completed within six months — even by a two-room clinic operating on a constrained budget.
Step 1: Redesign Your Patient Consent Form (Explicit + Granular)
Retire the single-page omnibus consent form immediately. A legally compliant consent framework under PDPA Section 19 requires purpose-specific, separately ticked authorisations — bundled consent is unenforceable. Your revised form must offer patients distinct opt-in checkboxes for each purpose:
- [ ] I consent to the collection and use of my health data for the purpose of medical diagnosis and treatment
- [ ] I consent to my data being transmitted to an external laboratory for specialist analysis (Referral)
- [ ] I consent to receiving promotional communications and offers — this box must remain unticked by default and must never be pre-checked on behalf of the patient
Step 2: Data Mapping Using Google Sheets (Free Template Available)
Before you can protect data, you must know where it lives. Create a data inventory that answers four questions for every data category held by your clinic: what data, who collects it, where is it stored, and who has access?
- Practical Note for Small Clinics: Google Sheets is a perfectly acceptable tool for a Record of Processing Activities (RoPA) at this scale — provided the spreadsheet is stored in a secured Google Workspace account (not a personal Gmail), sharing is restricted to named individuals, and access logs are enabled. See the Kooru Healthcare Compliance Resource Hub for a downloadable Data Mapping template.
Step 3: Implement RBAC — Control Who Can Access Which Patient Records
Apply the principle of Role-Based Access Control (RBAC) — each staff member accesses only the data strictly necessary for their function. This is not merely good practice; it is required under the PDPA’s data minimisation principle.
- Physicians and Nurses: Full access to treatment histories and laboratory results
- Finance and Front Desk: Access limited to billing amounts, patient name, and contact number — detailed clinical histories are out of scope
- Marketing Staff: Access restricted to name and email address, and only where the patient has provided explicit marketing consent
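The granular consent form from Step 1 and the role mapping above only protect patients if the system enforcing them actually refuses out-of-scope reads. The following is an added example (not code from the article or from any named vendor) of what that enforcement looks like: a blank consent form is all-unticked, a consent record is built only from purposes the patient selected, and each role receives a filtered view of the record, with marketing access additionally gated on marketing consent. Role names, field names and the sample patient are constructed for illustration, and every decision, allowed or denied, is written to an audit list.

```python
"""Consent-gated, role-based field filtering for patient records.

Added example: hypothetical clinic back-office logic, not code from the article
or from any named vendor. Role names, field names and the sample record are
constructed for illustration.
"""
from datetime import datetime, timezone

# Purposes the patient may separately opt in to (Step 1). The blank form is all
# False: nothing is ever pre-ticked on the patient's behalf.
CONSENT_PURPOSES = ("treatment", "referral", "marketing")

# Fields each role may read (Step 3). Clinical history never reaches the front
# desk or marketing; marketing additionally needs the patient's marketing consent.
ROLE_FIELDS = {
    "clinician": {"name", "phone", "email", "allergies", "treatment_history", "lab_results"},
    "front_desk": {"name", "phone", "billing_amount"},
    "marketing": {"name", "email"},
}

# Constructed sample record (fictitious patient).
SAMPLE_PATIENT = {
    "patient_id": "P1001",
    "name": "Somchai T.",
    "phone": "08x-xxx-xxxx",
    "email": "somchai@example.invalid",
    "billing_amount": 1500,
    "allergies": ["penicillin"],
    "treatment_history": ["2025-03-02 consultation"],
    "lab_results": ["HbA1c 6.1%"],
}


def blank_consent_form() -> dict:
    """Return a form with every purpose unticked."""
    return {purpose: False for purpose in CONSENT_PURPOSES}


def record_consent(ticked_by_patient) -> dict:
    """Build a consent record from the purposes the patient ticked.

    Only purposes the patient actively selected become True; unknown purposes
    are rejected so a form cannot smuggle in an authorisation nobody offered.
    """
    unknown = set(ticked_by_patient) - set(CONSENT_PURPOSES)
    if unknown:
        raise ValueError(f"unknown consent purpose(s): {sorted(unknown)}")
    consent = blank_consent_form()
    for purpose in ticked_by_patient:
        consent[purpose] = True
    consent["recorded_at"] = datetime.now(timezone.utc).isoformat()
    return consent


def access_record(record: dict, role: str, consent: dict, audit_log: list) -> dict:
    """Return the subset of `record` that `role` may see, writing an audit entry.

    Raises PermissionError for unknown roles and for marketing access without
    marketing consent. Every decision, allowed or denied, is appended to audit_log.
    """
    entry = {"role": role, "patient_id": record["patient_id"], "fields": []}
    if role not in ROLE_FIELDS:
        entry["decision"] = "denied: unknown role"
        audit_log.append(entry)
        raise PermissionError(entry["decision"])
    if role == "marketing" and not consent.get("marketing", False):
        entry["decision"] = "denied: no marketing consent"
        audit_log.append(entry)
        raise PermissionError(entry["decision"])
    view = {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}
    entry["decision"] = "allowed"
    entry["fields"] = sorted(view)
    audit_log.append(entry)
    return view


if __name__ == "__main__":
    log = []
    consent = record_consent({"treatment", "referral"})   # marketing left unticked
    print(access_record(SAMPLE_PATIENT, "front_desk", consent, log))
    try:
        access_record(SAMPLE_PATIENT, "marketing", consent, log)
    except PermissionError as exc:
        print("marketing denied:", exc)
    print(log)
```

The design point is that the deny path writes to the audit log just as the allow path does: during a PDPC inquiry, evidence that marketing was refused access to a patient who never consented is as useful as evidence of who did read a chart.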
Step 4: Cloud Storage with AES-256 Encryption (AWS Singapore/Thailand — Legally Compliant)
A cloud environment with enterprise-grade encryption is demonstrably more secure than a local server stored under the reception desk. The PDPA requires appropriate technical and organisational measures — which a certified cloud provider satisfies far more reliably than on-premises hardware that lacks physical security, backup protocols, or monitoring.
- Recommended Providers: AWS (Asia Pacific – Singapore or Thailand region), Google Cloud, Microsoft Azure — all offer ISO 27001-certified environments and contractual data processing addenda (DPA/BAA)
- Mandatory Requirement: All patient data must be encrypted both in transit (TLS/HTTPS) and at rest (AES-256 minimum) — unencrypted patient data on any medium is a regulatory red flag
Step 5: Execute a Data Processing Agreement (DPA) with Every Lab and Vendor
The moment you send a blood sample to an external laboratory or dispatch medication by courier, patient data leaves your direct control. You remain legally accountable as the Data Controller for how that data is handled downstream.
- Required Action: Enter into a written Data Processing Agreement (DPA) with every laboratory, logistics company, and third-party service provider that handles patient data on your behalf. This agreement must specify security obligations, breach notification timelines, and allocate liability in the event of a downstream data leak. Without a signed DPA, you are jointly liable for any vendor’s breach.
Step 6: Establish a Data Retention Policy (Lab Results — 10 Years?)
Every data category must have a defined retention period and a defined destruction protocol. Retaining data beyond its legal or operational purpose is an independent PDPA violation.
- Medical Records (เวชระเบียน): 5–10 years, as required under Thailand’s Medical Facility Act
- CCTV Footage: 30 days, then overwritten — CCTV in clinical examination rooms is strictly prohibited
- Receipts and Billing Records: 5 years under the Revenue Code
- Once the retention period expires: destroy immediately using certified methods. Do not accumulate.
Step 7: Appoint a DPO and Run Quarterly Staff Training
- Data Protection Officer (DPO): Larger clinics processing Sensitive Health Data at scale are required to designate a DPO under PDPA Section 41. For clinics that cannot justify a full-time in-house hire, an outsourced DPO service is explicitly permitted and substantially reduces overhead. Kooru provides outsourced DPO services tailored to healthcare operators.
- Staff Training: All front-desk and clinical staff must receive PDPA training at minimum quarterly intervals. The single most common operational breach? A staff member photographing a patient record screen and forwarding it via personal LINE. That is a criminal offence. Zero tolerance must be embedded in your clinic culture — not merely stated in a policy document.
Free Tools & Templates for Small Clinics: PDPA Compliance from 30,000 THB 💻
You do not need to procure enterprise compliance software to satisfy PDPA obligations. A well-configured stack of widely available tools can deliver substantive protection at a fraction of the cost. The following approach works for clinics operating on a budget of approximately 30,000 baht.
Google Workspace: PDPA-Ready Configuration
- Cost: From approximately 200 THB per user per month
- Configuration Checklist: Enforce Two-Factor Authentication (2FA) for all accounts without exception; disable public file sharing links; activate Drive audit logs to record every file access event — these logs are your primary evidence in the event of a PDPC investigation
Consent Management: CookieYes + Google Forms
- Website Consent: Deploy CookieYes (free tier available for small websites) to manage cookie consent banners in full PDPA compliance
- Front-Desk Consent: Replace paper consent forms with a Google Form on a tablet — patients tap to consent, responses are timestamped, and records are instantly searchable. This approach costs nothing beyond the device and eliminates the risk of illegible signatures or misfiled paper forms
Encryption Tools: VeraCrypt + BitLocker (Both Free)
- Clinic Computers: Enable BitLocker (included with Windows Pro at no additional cost) to encrypt the entire hard drive. A stolen or seized computer with BitLocker active reveals nothing to an unauthorised party — the data remains cryptographically locked regardless of physical access to the hardware.
Printable Checklist: 30-Day Data Subject Rights Response Protocol
Prepare a Data Subject Request Form and place it at your front counter. Under the PDPA, when a patient exercises their rights — requesting access to records, correction, or deletion — you have a statutory 30-day window to respond in writing. A documented process, rather than an ad hoc reaction, demonstrates the “appropriate measures” that regulators look for.
Privacy Notice Template for Thai Clinics (Copy-Paste and Adapt) 📄
12 Mandatory Sections Under PDPA Healthcare Requirements
Your Privacy Notice — posted visibly at the front counter and on your website — must address the following twelve elements to satisfy Thailand PDPA obligations for health-sector operators:
- Identity of the Data Controller (clinic name and registered address)
- Categories of data collected (records, lab results, Before/After photographs)
- Purpose of processing (diagnosis, insurance claims, follow-up care)
- Third-party recipients (laboratories, social security office, logistics providers)
- Retention period for each data category
- Patient rights (access, rectification, erasure, portability)
- Security measures in place
- Contact details for the DPO or designated data contact
Standard Patient Consent Language (Template — Adapt Clinic Name)
I hereby consent to [Clinic Name] collecting, using, and disclosing my health information for the purpose of diagnosis, medical treatment, patient referral coordination, and processing of healthcare reimbursement claims pursuant to applicable benefit entitlements.
[ ] I separately and specifically consent to the use of Before/After photographs for promotional and review purposes, on the condition that my face and identifying features are obscured.

Real Thai Clinic PDPA Enforcement Cases: Lessons at a High Price ⚖️
Case Study 2025: Aesthetic Clinic — 5,000 Records Leaked = 2.5 Million Baht Fine
- Root Cause: A departing employee copied the full customer database and used it to launch a competing clinic, subsequently selling the list to a third party
- Systemic Failure: The clinic had no access control whatsoever — every employee could download the entire customer database at will, with no audit trail and no restriction by role or seniority
- Compliance Lesson: Implement RBAC and disable USB data export and unauthorised cloud upload functionality on all staff workstations. This is a one-time technical configuration, not an ongoing cost
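The failure in this case was the absence of an audit trail that would have shown one account pulling every record. The Drive audit logs recommended in the Google Workspace section give you the raw events; what follows is an added example (not code from the article or from Google) of the detection logic a clinic or its IT provider would run over such events. The log line format (ISO timestamp, user, action, record id) is an assumption and the sample lines are constructed; a real Drive or HIS export has its own format, so only the parser would need adapting.

```python
"""Bulk-access detection over constructed clinic audit log lines.

Added example, not code from the article. The log format (one line per access
event: ISO timestamp, user, action, record id) is an assumption; real systems
such as Drive audit logs or an HIS have their own export formats to adapt the
parser to.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z"
    r" user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Constructed sample log: a nurse viewing a handful of charts over a morning
# (normal), one explicit export of the whole patient table, and one user
# opening 25 distinct charts in under a minute.
SAMPLE_LOG = [
    "2025-08-14T09:01:02Z user=nurse01 action=view record=P1001",
    "2025-08-14T09:20:15Z user=nurse01 action=view record=P1002",
    "2025-08-14T09:44:51Z user=nurse01 action=view record=P1003",
    "2025-08-14T10:05:09Z user=nurse01 action=view record=P1001",
    "2025-08-14T10:31:40Z user=nurse01 action=view record=P1004",
    "2025-08-14T11:02:00Z user=admin02 action=export record=patients_all",
] + [
    f"2025-08-14T13:00:{i:02d}Z user=staff07 action=view record=P{2000 + i}"
    for i in range(25)
]


def parse_line(line: str) -> dict:
    """Parse one audit line into a dict with a datetime timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    return event


def detect_bulk_access(lines, max_records=20, window=timedelta(minutes=10)):
    """Return alerts for exports and for users touching too many distinct records.

    A sliding window per user counts distinct record ids seen within `window`;
    exceeding `max_records` raises one alert for that user. Any export action is
    alerted unconditionally, since the clinic's policy is to disable exports.
    """
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    per_user = defaultdict(list)
    for event in events:
        per_user[event["user"]].append(event)

    alerts = []
    for user, evs in per_user.items():
        for event in evs:
            if event["action"] == "export":
                alerts.append({"user": user, "reason": "export",
                               "record": event["record"], "at": event["ts"]})
        in_window = Counter()   # distinct record ids currently inside the window
        start = 0
        for event in evs:
            in_window[event["record"]] += 1
            # Drop events that fell out of the window before counting.
            while event["ts"] - evs[start]["ts"] > window:
                old = evs[start]["record"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_records:
                alerts.append({"user": user, "reason": "bulk_access",
                               "distinct_records": len(in_window), "at": event["ts"]})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_LOG):
        print(alert)
```

The threshold of 20 distinct records in 10 minutes is a starting point, not a rule: a two-room clinic's receptionist may legitimately open that many charts on a busy morning, so tune `max_records` against a week of your own normal activity before treating alerts as incidents.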
Case Study — Public Hospital: No DPA with Laboratory = 153,000 THB Per Affected Individual
- Root Cause: Blood test documentation sent to an external laboratory was lost in transit by the motorcycle courier
- Systemic Failure: No Data Processing Agreement had been executed with the laboratory specifying secure transport requirements, liability allocation, or incident response obligations
- Compliance Lesson: Vendor due diligence is non-negotiable. Every entity that touches patient data on your behalf must be bound by a DPA before any data transfer occurs
The Error 90% of Thai Clinics Are Still Making: Pre-Ticked Consent Boxes
- Pre-filling a consent checkbox — particularly the marketing communications box — on behalf of the patient is an explicit PDPA violation. Consent is only legally valid when the patient exercises an affirmative, voluntary act of will. The pen must move in the patient’s hand, not yours.
Conclusion: PDPA Clinic Compliance Is a Standard Upgrade, Not a Burden
Achieving PDPA clinic compliance is not a regulatory imposition — it is the professional standard that patients expect and that top-tier healthcare operators already deliver. A clinic that protects data rigorously earns a simple, powerful message of trust: “We guard your secrets as carefully as we treat your conditions.”
Delay carries asymmetric risk. A letter from the PDPC or a civil summons represents not only financial loss, but reputational damage accumulated over years of building patient relationships. The cost of prevention is a fraction of the cost of remedy — and the cost of remedy may not cover the cost of reputation.
Need a PDPA adviser who speaks healthcare? The Kooru team specialises in Healthcare Data Privacy — with ready-to-deploy templates and tools calibrated for Thai clinical environments. [Contact us today for a complimentary consultation] — protect your clinic before enforcement reaches your door.

Frequently Asked Questions: PDPA Compliance for Thai Clinic Owners
1. Our clinic has 3 doctors and 5 staff. Do we need a Data Protection Officer (DPO)?
Under PDPA Section 41, a DPO is required where processing of Sensitive Personal Data — including health records — constitutes the core activity of the organisation and is conducted at large scale. For a small clinic, “large scale” is not yet precisely defined in Thai implementing regulations, but the PDPC’s guidance suggests that the threshold is determined by volume, frequency, and sensitivity of data processed rather than headcount alone. A clinic with a modest patient volume may lawfully designate the clinic manager as the data compliance coordinator, provided that person receives formal PDPA training and is accessible to patients wishing to exercise their statutory rights. Outsourced DPO arrangements are also expressly permitted and cost-effective for operators of this size.
2. Does sending patient data via LINE OA constitute a PDPA violation?
LINE OA is not designed or certified for the transmission of health data. It is not HIPAA-compliant, and there is no available contractual mechanism through which a clinic can obtain from LINE a Data Processing Agreement governing the handling of Sensitive Personal Data. Transmitting laboratory results, medication names, or diagnosis information via LINE OA therefore creates quantifiable regulatory risk. If patients explicitly request this channel and provide written, informed consent stating they understand the security limitations, the risk may be mitigated — but not eliminated. The clinically and legally superior approach is to use a dedicated healthcare communication platform or a patient portal with end-to-end encryption. Delete the chat thread once the clinical episode is concluded.
3. Can we use Google Drive to store patient lab results and health records?
Yes — but exclusively through a Google Workspace paid subscription, not a personal or free Gmail account. Google Workspace provides AES-256 encryption at rest, TLS in transit, admin-level audit logs, and — critically — Google’s standard Data Processing Amendment, which establishes contractual obligations on Google as a data processor on your behalf. Free Google accounts do not provide these protections and explicitly permit Google to scan content for advertising purposes. Storing patient health data in a free Gmail or Google Drive account is a clear PDPA violation that the PDPC would treat as a failure of basic technical safeguards. Configure sharing permissions to restrict access to named clinic accounts only, and enable file access logging immediately.
4. What is the maximum PDPA fine a clinic can face in Thailand?
The PDPA establishes a two-track penalty regime. The administrative track, enforced by the PDPC Expert Committee, carries maximum administrative fines of up to 5 million baht per violation for unlawful processing of Sensitive Personal Data such as health records. On the civil track, any patient whose data has been breached may file an independent lawsuit seeking compensatory damages. Under PDPA Section 77, courts may award punitive damages of up to twice the actual proven loss — meaning a patient whose records were exposed could claim, for example, 2 million baht in proven loss plus 4 million baht in punitive damages in a single action. Criminal liability under Section 79 carries imprisonment of up to one year for wilful misuse of personal data for personal gain.
5. Do Before/After review photos require a separate patient consent?
Yes — unconditionally. Aesthetic outcome photography constitutes a processing purpose entirely distinct from clinical treatment and must be covered by a separate, specific consent that is not bundled with the treatment consent form. This requirement is not relaxed by the fact that the patient’s eyes or face may be obscured in the published image. If there exists any realistic probability that persons acquainted with the individual could identify them from contextual cues — body features, distinctive characteristics, or surrounding circumstances — the image remains personally identifiable under the PDPA’s functional definition. The consent must specify exactly where the images will be published, for how long, and by whom, and the patient must retain the right to withdraw consent at any time.
6. What are the PDPA rules for CCTV cameras in a clinic?
CCTV surveillance in a clinic is permissible under the PDPA’s legitimate interest basis, but specific obligations apply. A clearly legible notice stating “CCTV in Operation” must be displayed at every point of entry before individuals enter any surveilled area. Footage may be retained for a maximum of 30 days, after which it must be overwritten or securely deleted — not archived indefinitely. CCTV cameras are absolutely prohibited in any clinical examination room, treatment area, or procedure room where patients’ bodies are exposed. Violation of this prohibition would simultaneously engage criminal provisions under both the PDPA and the Medical Council’s professional ethics rules.
7. If a patient requests deletion of their medical records, are we legally required to comply?
Not necessarily — and this distinction is important. The right to erasure under the PDPA is not absolute. Thailand’s Medical Facility Act (Ministerial Regulation on Medical Records Retention) requires clinics to retain patient medical records for a minimum of five years from the date of last treatment. This statutory obligation constitutes a “Legal Obligation” basis under PDPA Section 24(6) that overrides a patient’s erasure request with respect to core clinical documentation. The clinic must, however, respond in writing within 30 days explaining the legal basis for refusal. Separately, data held for purposes beyond clinical necessity — marketing lists, social media engagement tracking, promotional photography — must be deleted upon request, as no equivalent legal retention obligation applies to those categories.
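Step 6's retention schedule and this answer describe one decision procedure from two sides: when a category's period expires the record is destroyed, and when a patient asks for erasure the clinic checks whether a legal hold still applies before answering within 30 days. The following added example (not the article's or any vendor's code) encodes both. The periods come from Step 6 and this FAQ; treating the 10-year end of the 5–10-year medical-record range as the clinic's chosen retention period is an assumption, as is applying the legal hold only to medical records, and the category and medium names and the sample inventory are constructed.

```python
"""Retention schedule and erasure-request decisions for clinic data categories.

Added example, not the article's or any vendor's code. Periods come from Step 6
and FAQ 7 of the article; treating the 10-year end of the 5-10-year medical
record range as the clinic's chosen retention period is an assumption, and the
5-year legal hold is the statutory minimum the FAQ cites. Category and medium
names are constructed.
"""
from datetime import date, timedelta

YEAR = timedelta(days=365)

# Retention period per category; None means no statutory period (consent-based).
RETENTION_PERIODS = {
    "medical_record": 10 * YEAR,
    "billing_record": 5 * YEAR,
    "cctv_footage": timedelta(days=30),
    "marketing_list": None,
}

# Minimum legal hold that overrides an erasure request (PDPA s.24(6) legal
# obligation, via the Medical Facility Act retention rule cited in FAQ 7).
LEGAL_HOLD = {
    "medical_record": (5 * YEAR, "PDPA s.24(6) legal obligation: Medical Facility Act 5-year minimum"),
}

RESPONSE_WINDOW = timedelta(days=30)   # statutory window to answer a data subject

# Certified destruction method per storage medium (Step 6 and the legacy-data section).
DESTRUCTION_METHOD = {"paper": "cross-cut shredding", "digital": "certified erasure"}


def retention_status(category: str, last_activity: date, today: date) -> str:
    """'retain', 'destroy_due', or 'consent_based' for categories with no period."""
    period = RETENTION_PERIODS[category]
    if period is None:
        return "consent_based"        # held only while consent stands
    return "destroy_due" if today >= last_activity + period else "retain"


def destruction_worklist(records, today: date) -> list:
    """Records whose period has expired, with the destruction method to use."""
    due = []
    for rec in records:
        if retention_status(rec["category"], rec["last_activity"], today) == "destroy_due":
            due.append({"id": rec["id"], "method": DESTRUCTION_METHOD[rec["medium"]]})
    return due


def evaluate_erasure_request(category: str, last_activity: date, request_date: date) -> dict:
    """Decide whether an erasure request can be honoured, and by when to reply.

    Refusal applies only to categories under a legal hold that has not yet
    lapsed; everything else (marketing lists, CCTV, expired holds) is deleted.
    Either way the written reply is due within RESPONSE_WINDOW.
    """
    respond_by = request_date + RESPONSE_WINDOW
    hold = LEGAL_HOLD.get(category)
    if hold is not None:
        hold_period, basis = hold
        hold_until = last_activity + hold_period
        if request_date < hold_until:
            return {"action": "refuse", "legal_basis": basis,
                    "hold_until": hold_until, "respond_by": respond_by}
    return {"action": "delete", "legal_basis": None, "respond_by": respond_by}


# Constructed sample inventory (fictitious identifiers).
SAMPLE_RECORDS = [
    {"id": "MR-0001", "category": "medical_record", "medium": "paper", "last_activity": date(2012, 6, 1)},
    {"id": "MR-0002", "category": "medical_record", "medium": "digital", "last_activity": date(2024, 2, 10)},
    {"id": "CCTV-07", "category": "cctv_footage", "medium": "digital", "last_activity": date(2026, 1, 1)},
    {"id": "BILL-55", "category": "billing_record", "medium": "paper", "last_activity": date(2022, 5, 5)},
]

if __name__ == "__main__":
    today = date(2026, 3, 1)
    print(destruction_worklist(SAMPLE_RECORDS, today))
    print(evaluate_erasure_request("medical_record", date(2024, 2, 10), today))
    print(evaluate_erasure_request("marketing_list", date(2024, 2, 10), today))
```

Run quarterly against the data inventory from Step 2, the worklist is the documented evidence that expired files were assessed and destroyed rather than kept "just in case"; the refusal record, with its legal basis and reply deadline, is the written response the FAQ says the clinic must still send.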
8. Do we need patient consent to send health records to an insurer for reimbursement claims?
The answer depends on the type of disclosure. Where information is transmitted for the purpose of processing a claim under an entitlement the patient already holds — social security, group insurance under an employment benefit — the legal basis is contractual performance or legal obligation, and no additional consent is required beyond what was captured at registration. However, if patient data is being shared with an insurer for the purpose of marketing new insurance products to that patient — a fundamentally different purpose — explicit, specific consent is mandatory before any transfer occurs. The distinction between “processing necessary for existing contractual performance” and “processing for new commercial engagement” is one of the most frequently misunderstood compliance boundaries in Thai healthcare settings.
9. What features should I look for in PDPA-ready clinic management software?
When evaluating clinic information systems (Hospital OS or HIS), treat PDPA compliance features as non-negotiable requirements rather than optional add-ons. The minimum feature set for a compliant system includes: a comprehensive audit log recording every access event (who accessed which record, at what time, from which device); granular Role-Based Access Control (RBAC) configurable at the individual user level; database infrastructure hosted on a cloud environment certified to ISO 27001; a contractual Data Processing Agreement with the software vendor; and a clearly documented data breach notification procedure specifying how the vendor will alert you within the 72-hour PDPC reporting window. Request documentation of these features in writing before signing any service agreement.
10. Must medication dispensing bags display the drug name on the label?
Drug name labelling on dispensing packaging is required for patient safety under pharmacy regulations and is generally appropriate. The PDPA consideration arises not from the label itself, but from how patient identities are handled at the dispensing point. At a busy pharmacy counter, verbally calling out a patient’s name alongside the name of a drug used to treat a stigmatised condition — HIV antiretrovirals, psychiatric medication, or treatments for sexually transmitted infections — constitutes an inadvertent disclosure of Sensitive Personal Data to everyone within earshot. Implement a numbered queue system, call patients by queue number rather than name at collection, and ensure dispensing staff understand that announcing a drug name in a public space is a data exposure event, not merely a breach of courtesy.
By: Khun Phuwara (ภูวรา ครอบตะคุ) — Senior Consultant in Business Strategy and Legal-Tech, The Kooru