Thailand’s PDPA and Its Impact on Property Management: Compliance, Risks, and Best Practices
Chakrapan Pawangkarat
Head of Property and Asset Management, JLL Thailand
Board member, Property Management Association of Thailand
27 March 2025

Introduction
Thailand’s Personal Data Protection Act (PDPA) is a critical regulation for property managers, impacting how they handle tenant and visitor data. Since property management involves collecting and storing personal data—such as lease agreements, CCTV footage, and smart access records—compliance is essential to avoid legal risks and build tenant trust.
This article explores how PDPA affects property management, the difference between Personal Data (PD) and Sensitive Personal Data (SPD), and best practices for compliance.
Understanding Personal Data vs. Sensitive Personal Data (SPD)
PDPA classifies data into two categories:
1. Personal Data (PD)
Personal Data refers to any information that can identify an individual, either directly or indirectly. Examples include name, address, phone number, ID card number, lease agreement details, and CCTV footage. Handling personal data requires obtaining consent, but in some cases, it can be processed under legal obligations, contracts, or legitimate interests.
2. Sensitive Personal Data (SPD)
Sensitive Personal Data includes information that could lead to discrimination or harm if misused. This includes race, ethnicity, religion, political opinions, biometric data (such as fingerprints or facial recognition), and health records. Unlike general personal data, sensitive personal data requires explicit written consent, must be stored securely, and should only be collected when absolutely necessary.
Handling and Protection Strategies
Personal Data (PD) Handling
Property managers must obtain clear consent before collecting personal data, except when required for contractual obligations like lease agreements. Data should be securely stored, with access limited to authorized personnel. It should be shared only when necessary, such as with legal authorities or maintenance vendors, and minimized to include only what is required. A clear data retention policy should be in place, ensuring that tenant information is deleted after a defined period, such as one year after lease termination.
Sensitive Personal Data (SPD) Handling
For sensitive personal data, explicit written consent is mandatory. For example, if a property uses biometric data for building access, tenants must be informed and given the choice to opt out. This data should be encrypted, accessible only to essential personnel, and protected using multi-factor authentication (MFA). Processing should be strictly limited, and sensitive data should be deleted as soon as it is no longer needed, such as removing biometric access records immediately after a tenant moves out.
Real-World Property Management Examples
Tenant Lease Agreement
A lease agreement typically contains personal data such as name, phone number, and ID details. Since this data is necessary for contractual purposes, standard consent processes apply, and the information must be securely stored.
CCTV in Common Areas
CCTV footage is considered personal data as it can identify individuals. Property managers must notify tenants and visitors about surveillance through clear signage and establish a retention policy, typically keeping recordings for 30 to 90 days.
Smart Access Control (Fingerprint/Face Recognition)
Biometric data is classified as sensitive personal data. If a property requires fingerprint or facial recognition for access, tenants must provide explicit written consent. As an alternative, the property should offer keycard access for those who prefer not to share biometric data.
Emergency Medical Records for Disabled Tenants
If a property maintains emergency medical records for disabled tenants, this information is considered sensitive personal data. It should be securely stored, accessed only by authorized personnel, and shared only with medical professionals when necessary. Written consent from the tenant is required before collecting such data.
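As an added illustration that is not part of the article, the retention and consent rules described above (tenant records kept one year after lease termination, CCTV footage kept at most 90 days, biometric records removed as soon as a tenant moves out, and written consent required for sensitive data) can be checked mechanically. The record layout, category names, consent flag and sample dates below are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention limits taken from the article, in days after the trigger event.
# lease: one year after lease termination; cctv: upper end of the 30-90 day
# range; biometric: deleted immediately once the tenant moves out.
RETENTION_DAYS = {"lease": 365, "cctv": 90, "biometric": 0}
SENSITIVE_CATEGORIES = {"biometric"}  # sensitive personal data (SPD)


@dataclass
class Record:
    record_id: str
    category: str        # "lease", "cctv" or "biometric" (assumed names)
    trigger_date: date   # lease end, recording date, or move-out date
    written_consent: bool = False  # only meaningful for sensitive categories


def is_sensitive(record: Record) -> bool:
    return record.category in SENSITIVE_CATEGORIES


def is_expired(record: Record, today: date) -> bool:
    """True once the record has passed its category's retention limit."""
    limit = timedelta(days=RETENTION_DAYS[record.category])
    return today >= record.trigger_date + limit


def retention_sweep(records, today: date):
    """Return (ids to delete, ids of live SPD records lacking written consent).
    Sensitive records are listed first so they are purged with priority."""
    expired = [r for r in records if is_expired(r, today)]
    expired.sort(key=lambda r: (not is_sensitive(r), r.record_id))
    violations = [r.record_id for r in records
                  if is_sensitive(r) and not r.written_consent
                  and not is_expired(r, today)]
    return [r.record_id for r in expired], violations


# Constructed sample inventory; dates are illustrative only.
SWEEP_DATE = date(2025, 3, 27)
SAMPLE = [
    Record("lease-101", "lease", date(2024, 3, 1)),              # ended a year ago
    Record("lease-102", "lease", date(2024, 12, 31)),            # still in retention
    Record("cctv-lobby-1220", "cctv", date(2024, 12, 20)),       # older than 90 days
    Record("cctv-lobby-0320", "cctv", date(2025, 3, 20)),        # recent footage
    Record("bio-101", "biometric", date(2025, 3, 1), True),      # tenant moved out
    Record("bio-103", "biometric", date(2026, 1, 1), False),     # resident, no consent
]

if __name__ == "__main__":
    to_delete, missing_consent = retention_sweep(SAMPLE, SWEEP_DATE)
    print("delete:", to_delete)
    print("SPD without written consent:", missing_consent)
```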
How PDPA Impacts Property Management
1. Data Collection & Consent Management
Property managers must clearly inform tenants why their data is being collected and obtain written consent, especially for sensitive personal data. Any data collected should be necessary and relevant—for example, requesting a date of birth for general building access may not be justified.
2. Security of Digital & Physical Records
All tenant databases should be stored using encrypted cloud systems, and access should be restricted to authorized personnel only. Physical records, such as lease agreements, should be kept in locked cabinets, and management software should have automatic logout features and firewall protection.
3. Surveillance & Smart Access Control Compliance
For properties using CCTV, privacy notices must be displayed in common areas, and footage retention should be limited to what is necessary. If biometric access control is in place, tenants must be informed of their rights and given an alternative, such as a keycard, if they do not consent to biometric data collection.
4. Third-Party Vendors & Data Sharing
Many properties work with external vendors, such as security, cleaning, and maintenance companies. To comply with PDPA, these vendors must sign a Data Processing Agreement (DPA) that ensures they handle personal data responsibly. Unauthorized sharing of tenant data, such as giving phone numbers to real estate agents, should be strictly prohibited.
5. Tenant Rights & Requests Handling
Under PDPA, tenants have the right to access their data, request corrections if the information is inaccurate, and ask for data deletion when they are no longer a resident. Property managers must have a process in place to handle these requests and respond within 30 days.
6. Staff Training & Compliance Audits
Employees handling tenant data should undergo PDPA training to understand compliance requirements. Property management companies should conduct internal audits every six to twelve months to ensure data protection policies are being followed. For larger properties, appointing a Data Protection Officer (DPO) can help oversee compliance efforts.
7. Data Breach & Incident Response Plan
If a data breach occurs, property managers must report the incident to the Personal Data Protection Committee (PDPC) immediately. Affected tenants should be notified within 72 hours, and cybersecurity measures such as firewalls, antivirus software, and network monitoring should be in place to prevent future breaches.
Conclusion
Thailand’s PDPA is reshaping how property managers handle personal and sensitive data. Non-compliance can lead to legal penalties of up to THB 5 million and damage tenant trust. By implementing strong data protection strategies, secure access controls, and proper consent management systems, property managers can ensure compliance while maintaining efficient operations.
Acknowledgement:
"This article was generated with the assistance of ChatGPT, an AI tool, and subsequently reviewed and edited by the author."