Compliance Guide — Thailand
Thailand Employee Monitoring Laws: PDPA and Workplace Privacy Compliance Guide
Thailand employee monitoring law is the legal framework under the Personal Data Protection Act B.E. 2562 (PDPA), effective June 2022, that governs how employers in Thailand may collect and process employee personal information, including workplace activity monitoring data. Thailand's PDPA applies to any organization processing data of Thai residents, including foreign employers with remote Thai workers. The employment contract alone is not sufficient justification for all monitoring activities: employers need a specific lawful basis AND must satisfy transparency obligations. This guide covers everything employers need to know to monitor Thai employees legally in 2026.
Thailand's PDPA: What Employers Need to Know
Thailand's Personal Data Protection Act B.E. 2562 (PDPA) is the national data protection statute enacted in May 2019. The PDPA became fully effective on June 1, 2022, following two postponements caused by the COVID-19 pandemic. The PDPA is Thailand's first comprehensive data protection law, replacing a patchwork of sector-specific regulations with a unified framework modeled partly on GDPR and partly on ASEAN regional data protection guidelines.
The PDPA applies to any data controller or data processor that collects, uses, or discloses personal data of individuals located in Thailand, regardless of where the controller or processor is based. A Singapore-headquartered company with remote workers in Bangkok is subject to the PDPA for those workers' monitoring data. A US technology company with a Thai development team is subject to the PDPA for that team's employment data. The extraterritorial scope is the first compliance reality employers must accept before assessing what specific obligations apply.
For employee monitoring specifically, the PDPA creates obligations at three stages. Before monitoring begins: identifying a lawful basis, drafting and distributing a privacy notice, conducting a legitimate interests assessment where applicable. During monitoring: limiting data collection to what is necessary, implementing appropriate security measures, and maintaining a record of processing activities. After collection: responding to employee rights requests, notifying the PDPC and affected employees of breaches, and deleting data when retention periods expire.
The PDPC: Thailand's Data Protection Regulator
The Personal Data Protection Committee (PDPC) is the regulatory body established under the PDPA to oversee compliance, issue guidance, receive complaints, and impose administrative sanctions. The PDPC has been increasingly active since full PDPA enforcement began in June 2022, issuing sub-regulations on specific topics, publishing enforcement guidance, and beginning to address complaints from data subjects. Employers with Thai operations should monitor PDPC publications, as regulatory guidance continues to clarify how PDPA provisions apply to employment contexts.
What Counts as Employee Personal Data Under the Thai PDPA
Thailand's PDPA defines personal data as information relating to a person that enables direct or indirect identification of that person. For employee monitoring purposes, personal data includes: employee names and identification numbers linked to monitoring records, computer activity logs associated with an employee account, application and URL usage records by employee, screenshot images showing employee workscreen content, productivity scores derived from monitored activity, precise location data if location tracking is used, and biometric identifiers if biometric monitoring tools are deployed.
The PDPA distinguishes between general personal data, which may be processed under any of the six lawful bases, and sensitive personal data, which requires explicit consent regardless of other available bases. Sensitive personal data categories relevant to employee monitoring include: racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability information, trade union membership, genetic data, and biometric data. The scope of Thailand's sensitive data definition is broad and the biometric category is clearly relevant to employers using facial recognition access control, fingerprint timekeeping, or voiceprint verification systems.
Lawful Bases for Employee Monitoring Under Thailand's PDPA
Thailand's PDPA establishes six lawful bases for processing personal data. Understanding which basis applies to each monitoring activity is the foundation of PDPA compliance for employers. The employment contract is not a universal justification for all monitoring activities under the PDPA, which is the most important difference between Thai law and the assumptions many employers bring from other jurisdictions.
Contractual Necessity
The contractual necessity basis (Section 24(3)) permits processing personal data when it is necessary for performance of a contract to which the data subject is a party. For employee monitoring, this basis supports processing that is directly necessary to administer the employment contract: recording attendance for payroll, tracking hours worked for billing purposes, and measuring task completion for project management. The key question is necessity: if the employment purpose could be achieved without the specific monitoring activity, the contractual necessity basis is more difficult to sustain.
Broad monitoring activities such as full-screen capture at short intervals, application usage tracking for all applications, URL monitoring for all websites visited, and keystroke analytics go beyond what is typically necessary to execute the employment contract itself. These activities are more naturally analyzed under the legitimate interests basis, with a documented balancing assessment. Thai PDPC guidance to date has not drawn a bright line between these categories, but the pattern of GDPR enforcement in similar European contexts provides a useful reference point.
Legitimate Interests
The legitimate interests basis (Section 24(5)) permits processing personal data when it is necessary for legitimate interests pursued by the data controller or a third party, provided those interests are not overridden by the data subject's fundamental rights and freedoms. For employee monitoring, the employer's legitimate interests include productivity measurement, data security, intellectual property protection, compliance monitoring, and quality assurance.
The PDPA does not eliminate the need for a balancing assessment when relying on legitimate interests. Employers must document: what the specific legitimate interest is, why the monitoring is necessary and proportionate to that interest, and how the impact on employees' privacy rights is limited and not excessive relative to the benefit. A monitoring program with a clearly documented business purpose, transparent disclosure to employees, and data collection limited to work hours on employer systems is far easier to justify under legitimate interests than a program that monitors all hours, collects excessive data, and does not provide employees with any visibility into what is recorded.
Consent
Consent under Thailand's PDPA must be freely given, specific, informed, and unambiguous. The freely given requirement creates a structural challenge in the employment context: employees generally cannot freely refuse monitoring consent without risk to their employment. Thai PDPC guidance has not yet definitively resolved whether employment-context consent is inherently compromised; European data protection authorities, by contrast, have generally concluded that blanket monitoring consent embedded in employment contracts is not truly freely given.
Consent remains the required basis for sensitive personal data categories regardless of whether another basis applies to general monitoring data. An employer who uses biometric access control (facial recognition or fingerprints) must obtain explicit consent for that specific sensitive data category, separate from any consent or alternative basis used for other monitoring activities.
Legal Obligation and Other Bases
The legal obligation basis supports monitoring activities required by Thai law, such as logging access to certain financial or medical systems for regulatory compliance purposes. The vital interests and public task bases have limited applicability to private employer monitoring contexts. The six bases are exclusive and exhaustive: if no basis applies to a processing activity, that activity is unlawful under the PDPA regardless of the employer's business rationale.
Sensitive Personal Data in Employee Monitoring: High-Risk Categories
Thailand's PDPA treats sensitive personal data with additional protection requirements because of the heightened harm that misuse of this data can cause. For employers deploying monitoring tools, the sensitive data categories most likely to arise in practice are biometric data, health data, and potentially racial or ethnic origin data if monitoring tools use facial recognition systems trained on demographic categories.
Biometric Data
Biometric data is explicitly classified as sensitive personal data under Section 26 of the Thai PDPA. Any monitoring or timekeeping system that collects facial geometry (facial recognition cameras), fingerprints (biometric time clocks), or voiceprints (voice authentication systems) processes biometric data and requires explicit, separate consent from each employee before collection begins. The consent must describe specifically what biometric data is collected, for what purpose, and how long it will be retained. Processing biometric data without consent, or on any basis other than the explicit exceptions in Section 26 (vital interests, public interest in certain defined circumstances), creates serious criminal and civil liability under the PDPA.
Health Data
Health data is sensitive personal data under the PDPA. Monitoring tools that capture health-related information, such as stress detection systems that analyze vocal patterns or keystroke dynamics for signs of fatigue or mental health status, collect sensitive health-related data requiring explicit consent. More commonly, monitoring tools that capture personal health data incidentally, such as screenshots that show employees accessing health insurance portals, medication ordering services, or telehealth platforms, create incidental sensitive data collection that requires careful policy design. Employers should configure monitoring tools to minimize incidental capture of sensitive data from employee personal activities on corporate devices.
Communications Content
While communications content is not listed as a specific sensitive data category under the PDPA, monitoring the content of employee communications creates significantly heightened privacy intrusion that the PDPA's proportionality principle addresses. Communications monitoring, whether of email content, chat message content, or voice call recordings, should rest on a clearly documented legitimate interests assessment showing why content monitoring is necessary and proportionate rather than less intrusive forms of monitoring such as metadata analysis or application-level usage tracking.
Employee Data Rights Under Thailand's PDPA
Thailand's PDPA grants employees six categories of rights that employers must operationalize through internal processes. These rights are enforceable: employees may file complaints with the PDPC if employers fail to respond appropriately, and the PDPC has authority to compel compliance and impose fines.
Right of Access
Employees have the right to request access to the personal data an employer holds about them, including monitoring data such as activity logs, screenshots, URL tracking records, and productivity scores. Employers must respond to access requests within a reasonable timeframe; PDPC guidance indicates 30 days as the standard expectation. Access must be provided without charge for the first request each year (additional requests may be charged a reasonable fee). Employers cannot refuse access requests without a legally recognized reason, such as the request threatening the rights of other persons or conflicting with legal obligations.
Right to Erasure
Employees have the right to request deletion of their personal data when: the data is no longer necessary for the purposes for which it was collected, the data subject withdraws consent and no other lawful basis exists, the data was unlawfully processed, or a legal obligation requires deletion. For monitoring data, employers must establish automated retention schedules that delete monitoring records when retention periods expire, and must process deletion requests when employees leave the organization and their data is no longer needed for legitimate operational or legal purposes.
Right to Data Portability
The PDPA grants employees the right to receive their personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller. For monitoring data, portability rights apply to data that was provided by the data subject or was automatically collected based on consent or contractual necessity. Employers must be technically capable of exporting an individual employee's monitoring data in a readable format when a portability request is received.
Right to Object
Employees may object to processing based on the legitimate interests basis. When an employee objects, the employer must stop processing unless it can demonstrate compelling legitimate grounds for processing that override the employee's interests. For employee monitoring programs based on legitimate interests, an employee objection requires a documented reassessment of whether the employer's monitoring interest remains compelling and proportionate given the specific employee's objection and circumstances.
Right to Restriction of Processing
Employees may request restriction of processing in specific circumstances, including when the accuracy of the data is disputed or when the employee has objected to processing pending resolution of the balancing assessment. Restriction means the employer may store the data but not actively use it until the dispute is resolved.
Automated Decision-Making Rights
PDPA Section 41 addresses automated decision-making: data subjects have rights regarding decisions made solely through automated processing that produce legal or similarly significant effects. For employers using monitoring data in algorithmic performance scoring, risk flagging, or automated HR decisions, this provision requires: transparency about how the automated system works, the ability for employees to request human review of automated decisions, and the ability to contest decisions made by automated systems. Monitoring platforms that generate productivity scores or risk alerts used in employment decisions (performance reviews, disciplinary processes) must satisfy these automated decision-making requirements.
Data Breach Notification Under Thailand's PDPA
Thailand's PDPA requires data controllers to notify the PDPC within 72 hours of becoming aware of a personal data breach that affects individuals' personal data. Employee monitoring data is personal data under the PDPA, meaning security incidents involving monitoring records, screenshots, activity logs, or other collected employee data trigger the 72-hour notification obligation.
What Triggers Breach Notification
A personal data breach is any incident that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data. For employee monitoring programs, breach triggers include: unauthorized access to monitoring dashboards by individuals who should not have access, theft or loss of devices containing monitoring data, ransomware attacks that encrypt or exfiltrate monitoring records, and accidental disclosure of monitoring data to unauthorized parties (such as sending a monitoring report to the wrong email address).
72-Hour Notification Content
The 72-hour PDPC notification must include: a description of the nature of the breach, the categories and approximate numbers of data subjects affected, the categories and approximate volumes of personal data records concerned, the contact information of the responsible person or DPO, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects. For significant breaches that are likely to result in high risk to data subjects, employers must also notify the affected employees without undue delay.
Consequences of Missing the 72-Hour Window
Failure to notify the PDPC within 72 hours is itself a violation of the PDPA, independent of the underlying breach. The PDPC may impose administrative fines for late notification even when the underlying breach has been remediated. Employers with Thai operations must establish incident response procedures that can detect breaches, assess their scope, and prepare PDPC notifications within the 72-hour window. This requires pre-drafting notification templates, assigning clear breach response ownership, and testing the response procedure at least annually.
PDPA Penalties and Enforcement in Thailand
Thailand's PDPA establishes three penalty tracks for violations: administrative, criminal, and civil. The penalty structure creates significant exposure for employers who treat PDPA compliance as optional, particularly given that criminal penalties include imprisonment for individuals responsible for violations.
Administrative Fines
The PDPC may impose administrative fines up to 5 million baht (approximately $145,000 USD at 2026 exchange rates) for violations of the PDPA's core provisions. Factors affecting fine levels include the severity of the violation, the number of data subjects affected, whether the violation was intentional or negligent, whether the violator cooperated with the PDPC investigation, and whether the violator took remediation steps promptly. The 5 million baht maximum applies per violation, and multiple monitoring-related violations (such as lacking a lawful basis, failing to provide notice, and failing to respond to access requests) could each attract separate fines.
Criminal Penalties
Criminal penalties apply to intentional violations of the PDPA. For processing personal data without a lawful basis: imprisonment up to one year, fines up to 1 million baht, or both. For unlawful processing of sensitive personal data: imprisonment up to one year, fines up to 1 million baht, or both. For unlawful disclosure of personal data for personal gain or causing harm to others: imprisonment up to one year, fines up to 500,000 baht, or both. For unlawful disclosure causing public damage: imprisonment up to three years, fines up to 3 million baht. Individual managers who directed or authorized violations face personal criminal exposure under these provisions.
Civil Damages
Data subjects, including employees, may sue for compensation for actual damages caused by PDPA violations. Thai civil courts may also award moral damages where the violation caused emotional distress, reputational harm, or other non-economic injury. Class-action-style claims by groups of affected employees are procedurally possible under Thai civil procedure, though this avenue has been used less frequently than in BIPA-style US litigation. The civil damages track creates a separate, employee-initiated liability path that operates independently of PDPC administrative proceedings.
How to Build a Thailand PDPA-Compliant Monitoring Policy
A PDPA-compliant monitoring policy for Thailand requires satisfying substantive requirements (lawful basis, notice, data minimization) and procedural requirements (breach notification readiness, rights request processes). The following six-step process addresses each element.
- Identify the lawful basis for each monitoring activity. Create a data processing register that maps each monitoring tool and data type to a specific PDPA lawful basis. Attendance and payroll monitoring: contractual necessity. Productivity analytics and application tracking on employer systems: legitimate interests, with a documented balancing assessment. Biometric data or health-related monitoring: explicit consent. A specific, documented lawful basis for each activity is the non-negotiable foundation of PDPA compliance.
- Draft a privacy notice in Thai and English. Prepare a privacy notice describing what personal data is collected, the purpose and method of processing, the lawful basis for each activity, retention periods for each data type, a description of employee rights under the PDPA and how to exercise them, and the contact information of the DPO or responsible person. Distribute the notice to all Thai employees before monitoring begins and obtain documented acknowledgment in writing or electronically.
- Document the legitimate interests balancing assessment. For monitoring activities based on legitimate interests, prepare a written balancing assessment demonstrating the employer's specific interest, why monitoring is necessary and proportionate, and how employee privacy impact is limited. Review and update the assessment when monitoring practices change materially. Retain the assessment for at least three years or until the related processing ceases.
- Implement cross-border data transfer safeguards. If monitoring data is stored on servers outside Thailand, implement safeguards that satisfy PDPA Section 28's cross-border transfer requirements. Follow current PDPC guidance on acceptable transfer mechanisms. Document the safeguards in the data processing register and review them when vendor or storage arrangements change.
- Establish a 72-hour breach notification procedure. Create a documented incident response plan that covers breach detection, internal escalation to the responsible person or DPO, PDPC notification within 72 hours, and employee notification when breach risk is high. Pre-draft the PDPC notification template. Test the procedure annually and update it based on PDPC guidance on notification content and process.
- Build employee rights request processes. Implement processes for receiving and responding to access, portability, erasure, restriction, objection, and automated decision-making requests from Thai employees. Set a 30-day response target consistent with PDPC guidance. Assign clear ownership, document each request and response, and provide a clear channel (email, internal portal) through which employees can submit rights requests.
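The first and second steps above come down to two artifacts that can be checked mechanically: a data processing register that records a lawful basis and a retention period for every monitoring data type, and a deletion schedule that actually enforces those periods. The following is an added illustration written for this guide, not code from eMonitor or from the PDPC; the register rows, the data type tags, the retention values and the record dates are all constructed sample data, and the checks encode only the rules stated in this guide (a sensitive category needs explicit consent, legitimate interests needs a documented balancing assessment, every activity needs a basis and a retention period unless it is held under a legal obligation).

```python
"""Processing-register checks and retention purge for monitoring data.

Added example for this guide; not eMonitor's or the PDPC's own code.
All register rows, record IDs and dates below are constructed samples.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Lawful bases this guide names as relevant to employee monitoring.
LAWFUL_BASES = {
    "contractual_necessity",
    "legitimate_interests",
    "consent",
    "legal_obligation",
}


@dataclass(frozen=True)
class RegisterEntry:
    """One row of the data processing register (step 1 of the guide)."""
    activity: str                 # human-readable activity name
    data_type: str                # tag that monitoring records carry
    lawful_basis: str
    sensitive: bool = False       # PDPA sensitive category (biometric, health, ...)
    explicit_consent: bool = False
    balancing_assessment: bool = False
    retention_days: Optional[int] = None  # None = kept for a legal obligation


def validate_entry(entry: RegisterEntry) -> list[str]:
    """Return the compliance gaps for one register row (empty = no gaps)."""
    gaps = []
    if entry.lawful_basis not in LAWFUL_BASES:
        gaps.append(f"{entry.activity}: unknown lawful basis '{entry.lawful_basis}'")
    if entry.sensitive and not entry.explicit_consent:
        gaps.append(f"{entry.activity}: sensitive data without explicit consent")
    if entry.lawful_basis == "legitimate_interests" and not entry.balancing_assessment:
        gaps.append(f"{entry.activity}: legitimate interests without balancing assessment")
    if entry.retention_days is None and entry.lawful_basis != "legal_obligation":
        gaps.append(f"{entry.activity}: no retention period documented")
    return gaps


def validate_register(register: list[RegisterEntry]) -> list[str]:
    """Collect the gaps across the whole register."""
    gaps: list[str] = []
    for entry in register:
        gaps.extend(validate_entry(entry))
    return gaps


@dataclass(frozen=True)
class MonitoringRecord:
    record_id: str
    data_type: str
    collected_on: date


def records_due_for_deletion(register: list[RegisterEntry],
                             records: list[MonitoringRecord],
                             today: date) -> list[str]:
    """IDs of records whose documented retention period has expired.

    A record whose data type is absent from the register is an undocumented
    processing activity, so it is reported as an error rather than silently kept.
    """
    retention = {e.data_type: e.retention_days for e in register}
    due = []
    for rec in records:
        if rec.data_type not in retention:
            raise ValueError(f"{rec.record_id}: data type '{rec.data_type}' not in register")
        days = retention[rec.data_type]
        if days is None:
            continue  # held under a legal obligation; no automatic purge
        if today - rec.collected_on > timedelta(days=days):
            due.append(rec.record_id)
    return due


# Constructed sample register; the fingerprint row is deliberately incomplete.
SAMPLE_REGISTER = [
    RegisterEntry("attendance logging", "attendance", "contractual_necessity", retention_days=365),
    RegisterEntry("screen capture", "screenshot", "legitimate_interests",
                  balancing_assessment=True, retention_days=30),
    RegisterEntry("activity summaries", "activity_summary", "legitimate_interests",
                  balancing_assessment=True, retention_days=90),
    RegisterEntry("fingerprint time clock", "fingerprint", "consent", sensitive=True),
    RegisterEntry("access audit log", "audit_log", "legal_obligation"),
]

# Constructed sample records and a fixed "today" so the purge is reproducible.
SAMPLE_TODAY = date(2026, 3, 1)
SAMPLE_RECORDS = [
    MonitoringRecord("s-1", "screenshot", date(2026, 1, 15)),       # 45 days old
    MonitoringRecord("s-2", "screenshot", date(2026, 2, 20)),       # 9 days old
    MonitoringRecord("a-1", "activity_summary", date(2025, 11, 1)), # 120 days old
    MonitoringRecord("l-1", "audit_log", date(2024, 1, 1)),         # legal obligation
    MonitoringRecord("t-1", "attendance", date(2025, 1, 1)),        # 424 days old
]


def sample_run() -> tuple[list[str], list[str]]:
    """Run both checks on the constructed data."""
    gaps = validate_register(SAMPLE_REGISTER)
    due = records_due_for_deletion(SAMPLE_REGISTER, SAMPLE_RECORDS, SAMPLE_TODAY)
    return gaps, due


if __name__ == "__main__":
    gaps, due = sample_run()
    print("register gaps:", *gaps, sep="\n  ")
    print("records due for deletion:", due)
```

On the sample data the register check reports two gaps for the fingerprint row (sensitive data without explicit consent, and no retention period), and the purge lists the screenshot older than 30 days, the activity summary older than 90 days and the attendance record older than a year, while the audit log is left untouched. Running the register check before the purge is the design point: deletion logic should only act on data types whose basis and period are documented.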
Thailand vs Singapore vs Malaysia: ASEAN Monitoring Law Compared
For employers with workforces across Southeast Asia, understanding how Thailand's PDPA compares to neighboring jurisdictions simplifies regional compliance planning. Thailand, Singapore, and Malaysia represent the three most significant employee monitoring compliance frameworks in the ASEAN region as of 2026.
Thailand PDPA vs Singapore PDPA
Singapore's Personal Data Protection Act 2012 (as amended 2021) and Thailand's PDPA share a GDPR-influenced structure with six lawful bases for processing. Singapore's framework is more mature, with over a decade of enforcement by the Personal Data Protection Commission (PDPC-Singapore), published guidance specifically addressing employment contexts, and a well-developed body of decisions interpreting how employer monitoring satisfies lawful processing requirements. Thailand's PDPA is younger and enforcement guidance is still developing. Singapore permits the business improvement purpose as an additional lawful basis not available under GDPR or Thailand's PDPA, which is particularly useful for monitoring programs aimed at workforce optimization.
Thailand PDPA vs Malaysia PDPA
Malaysia's Personal Data Protection Act 2010 (PDPA), as amended by the PDPA Amendment Act 2024, shares the same name as Thailand's statute but differs in several respects. Malaysia's framework requires employers to notify employees before collecting data but does not have the same range of data subject rights as Thailand's PDPA (Malaysia's law is currently being strengthened through the 2024 amendment). Thailand's breach notification window (72 hours) is stricter than Malaysia's current requirement. For regional employers, Thailand requires the most granular compliance work among the three ASEAN jurisdictions due to the breadth of employee rights and the 72-hour breach notification obligation.
How eMonitor Supports Thailand PDPA Compliance
eMonitor supports Thailand PDPA compliance through a monitoring architecture that aligns with the PDPA's core requirements: transparent disclosure, legitimate interests justification for computer activity monitoring, work-hours-only data collection, and employee-facing data visibility.
Legitimate Interests Architecture
eMonitor's computer activity monitoring, application tracking, URL monitoring, and screen capture on employer-owned devices is designed for transparent, overt monitoring during work hours. This architecture is the strongest available foundation for a legitimate interests justification under Thailand's PDPA: the employer's interest in monitoring how company equipment is used during paid work hours, conducted openly with employee knowledge, is a well-established and proportionate business purpose. eMonitor's work-hours-only design avoids the disproportionate intrusion that off-hours monitoring would create.
Employee-Facing Dashboards Satisfying Access Rights
eMonitor provides employees with dashboards showing their own activity data. This transparency directly supports two PDPA compliance objectives: the notice obligation (employees can see what is being collected and understand the monitoring program in concrete terms), and the access right (employees can view their data without submitting a formal request). Transparent, visible monitoring is also the strongest defense against claims of covert or deceptive monitoring under Thai law.
No Biometric Data Collection Required
eMonitor's core monitoring functions do not require biometric data collection, avoiding the explicit consent requirement that Thailand's PDPA imposes for sensitive biometric personal information. Screen monitoring, application usage tracking, and productivity analytics all operate without facial recognition, fingerprint scanning, or voiceprint collection. Employers with Thai workers can monitor computer activity through eMonitor without triggering the PDPA's most burdensome consent requirements.
Configurable Data Retention
eMonitor's data retention settings allow employers to configure automated deletion schedules aligned with the purposes documented in their PDPA privacy notice and processing register. Short retention periods for screenshots (30 days), longer periods for activity summaries (90 days), and indefinite retention only for audit logs required by regulatory obligations, all support the PDPA's data minimization principle and reduce the volume of employee personal data held at any point in time.
Thailand Employee Monitoring Law: Frequently Asked Questions
Does Thailand have an employee monitoring law?
Yes. Thailand employee monitoring law is governed by the Personal Data Protection Act B.E. 2562 (PDPA), fully effective June 1, 2022. The PDPA applies to any organization processing personal data of individuals in Thailand, including foreign employers with Thai workers. Employers must identify a lawful basis for each monitoring activity, notify employees before monitoring begins, and protect collected monitoring data with appropriate security measures.
What is Thailand's PDPA?
Thailand's Personal Data Protection Act B.E. 2562 (PDPA) is the national data protection statute enacted in 2019 and fully effective June 1, 2022. Modeled partly on GDPR, it establishes six lawful bases for processing personal data, employee data subject rights including access and erasure, a 72-hour breach notification requirement to the PDPC, cross-border transfer restrictions, and criminal penalties for intentional violations. The Personal Data Protection Committee (PDPC) oversees enforcement.
When did Thailand's PDPA take effect?
Thailand's PDPA was enacted in May 2019 but full enforcement was delayed twice due to the COVID-19 pandemic. The PDPA became fully effective on June 1, 2022, when all provisions including criminal penalties took effect. Transitional periods for specific sectors extended some obligations into 2023. As of 2026, all PDPA provisions are fully in force and the PDPC has been issuing guidance and enforcement actions.
Does Thailand's PDPA apply to foreign employers with Thai workers?
Yes. Thailand's PDPA applies to any data controller or processor that collects or processes personal data of individuals located in Thailand, regardless of where the employer is based. A foreign employer with remote workers physically in Thailand is subject to the PDPA for those workers' monitoring data. The extraterritorial scope means there is no geography-based exemption for foreign employers: if Thai workers' data is processed, PDPA applies.
What lawful basis can employers use for monitoring in Thailand?
Thailand's PDPA provides six lawful bases. For employee monitoring, the most applicable are contractual necessity (monitoring directly necessary for the employment contract, such as attendance for payroll) and legitimate interests (broader monitoring like productivity analytics, supported by a documented balancing assessment). Sensitive personal data, including biometrics and health data, requires explicit consent regardless of which basis applies to other monitoring data. Employment contracts alone do not satisfy PDPA requirements for all monitoring activities.
Does Thailand require employee consent for workplace monitoring?
Consent is one of six lawful bases under Thailand's PDPA, not the only option. Employers can rely on contractual necessity or legitimate interests for routine computer activity monitoring without per-session individual consent. Sensitive personal data categories including biometric data and health data require explicit consent before collection, separate from the employment agreement. A written monitoring policy disclosing what is monitored and why is required under all lawful bases.
What are employee data rights under Thailand's PDPA?
Thailand's PDPA grants employees six categories of rights: access to their personal data; data portability; erasure when processing is no longer lawful; restriction of processing when in dispute; objection to processing based on legitimate interests; and explanation and human review of automated decisions. Employers must build processes to receive and respond to rights requests within 30 days (PDPC standard practice) and retain records of all requests and responses.
What is the penalty for violating Thailand's PDPA?
Thailand's PDPA imposes three penalty categories. Administrative fines reach up to 5 million baht (approximately $145,000 USD) per violation imposed by the PDPC. Criminal penalties for intentional violations include imprisonment up to one year and fines up to 1 million baht. For violations involving sensitive personal data without consent: up to three years imprisonment and fines up to 3 million baht. Civil damages are available to affected data subjects, including moral damages for non-economic harm.
Can Thai employers monitor employee email and internet usage?
Thai employers may monitor corporate email on employer-operated servers and internet usage on employer networks when employees are notified in advance and monitoring serves a legitimate business purpose proportionate to the privacy intrusion. Metadata monitoring (sender, recipient, timestamps, sites visited) is less intrusive than content monitoring (reading email body text, capturing message content). Content monitoring requires stronger proportionality justification. A clear acceptable use policy distributed before monitoring begins is the essential first compliance step.
How does eMonitor support PDPA compliance in Thailand?
eMonitor supports Thailand PDPA compliance through transparent employee-facing dashboards satisfying access rights, work-hours-only monitoring supporting proportionality under legitimate interests, configurable data retention schedules aligned with PDPA minimization requirements, and an architecture that avoids biometric sensitive data collection. Employers must separately implement a written privacy notice, document a legitimate interests balancing assessment, and establish breach notification and rights request procedures as required by the PDPA.
Related Compliance Resources
GDPR Compliance
How Thailand's PDPA compares to GDPR for multinational employers with EU and ASEAN operations.
Worldwide Law Map
Interactive map of employee monitoring legal requirements in 80+ countries including all ASEAN members.
Singapore
Singapore's PDPA and employment monitoring guidance compared to Thailand's framework.