PDPA Compliance Statement
Thailand Personal Data Protection Act B.E. 2562 (2019)
SpaManager is fully committed to complying with the Personal Data Protection Act B.E. 2562 (2019) ("PDPA") of the Kingdom of Thailand. This compliance statement describes how we fulfill our obligations under the PDPA as both a Data Controller and Data Processor.
Table of Contents
- PDPA Overview
- Our Role: Data Controller & Data Processor
- Legal Bases for Processing
- Consent Management
- Data Subject Rights Under PDPA
- Data We Collect
- Purpose of Data Processing
- Data Retention
- Cross-Border Data Transfers
- Data Security Measures
- Data Breach Notification
- Data Protection Officer
- Processor Obligations
- Children's Data
- Sensitive Data
- Filing Complaints
- Updates to This Statement
1. PDPA Overview
The Personal Data Protection Act B.E. 2562 (2019), commonly known as the PDPA, is Thailand's comprehensive data protection law. It came into full effect on June 1, 2022. The PDPA:
- Applies to any organization that collects, uses, or discloses the personal data of individuals in Thailand, regardless of where the organization is located
- Grants data subjects specific rights regarding their personal data
- Requires organizations to have a lawful basis for processing personal data
- Imposes obligations for data security, breach notification, and cross-border transfers
- Establishes the Personal Data Protection Committee (PDPC) as the regulatory authority
- Provides civil, criminal, and administrative penalties for non-compliance
The PDPA is enforced by the Office of the Personal Data Protection Committee (OPDPC) under the Ministry of Digital Economy and Society.
2. Our Role: Data Controller & Data Processor
2.1 As Data Controller (PDPA §2)
SpaManager acts as a Data Controller when we collect and process personal data directly from you for our own purposes, including:
- Account registration data (name, email, phone number)
- Payment and billing information
- Website usage data and analytics
- Communication data (support inquiries, feedback)
- Marketing communications (with your consent)
As a Data Controller, we determine the purposes and means of processing your personal data and are responsible for ensuring PDPA compliance.
2.2 As Data Processor (PDPA §2)
SpaManager acts as a Data Processor when our customers (spa and wellness businesses) use our platform to manage their own customers' and employees' data. In this role:
- Our customers are the Data Controllers for their clients' and staff data
- We process data only on their instructions and for the purposes of providing the SpaManager service
- We maintain technical and organizational security measures to protect the data
- We do not use customer data for our own purposes beyond service delivery
3. Legal Bases for Processing
Under the PDPA, we process personal data based on the following lawful grounds:
| Legal Basis | PDPA Section | When We Use It |
|---|---|---|
| Consent | §19 | Marketing emails, analytics cookies, non-essential data collection |
| Contractual Necessity | §24(3) | Account creation, service delivery, payment processing, subscription management |
| Legal Obligation | §24(4) | Tax records (Thai Revenue Code), financial reporting, court orders, regulatory compliance |
| Legitimate Interest | §24(5) | Security monitoring, fraud prevention, service improvement, essential cookies |
| Vital Interest | §24(1) | Emergency situations threatening life or health (rare) |
| Public Task | §24(2) | Compliance with government directives or public interest requirements |
4. Consent Management
When we rely on consent as the legal basis for processing, we ensure that consent is:
- Freely given: You are not coerced or pressured into consenting (PDPA §19 paragraph 2)
- Specific: Consent is requested for each distinct purpose of processing
- Informed: You are clearly told what data is collected, why, and how it will be used before consenting
- Unambiguous: Consent is provided through a clear affirmative action (opt-in), not pre-ticked boxes or inaction
- Withdrawable: You can withdraw consent at any time as easily as you gave it (PDPA §19 paragraph 5)
- Documented: We maintain records of when and how consent was obtained
How to Withdraw Consent
You may withdraw your consent at any time by:
- Contacting us at privacy@spamanager.io
- Using the unsubscribe link in marketing emails
- Adjusting cookie preferences via the cookie consent banner
- Submitting a request through the platform settings (for logged-in users)
Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal (PDPA §19 paragraph 5).
5. Data Subject Rights Under PDPA
The PDPA grants you the following rights regarding your personal data. You may exercise any of these rights by contacting us at dpo@spamanager.io.
| Right | PDPA Section | Description | Response Time |
|---|---|---|---|
| Right of Access | §30 | Request access to and a copy of your personal data that we hold | 30 days |
| Right to Rectification | §36 | Request correction of inaccurate, incomplete, or misleading personal data | 30 days |
| Right to Erasure | §33(5) | Request deletion of your personal data when no longer necessary or after consent withdrawal | 30 days |
| Right to Restrict Processing | §34 | Request that we temporarily stop processing your data in certain situations | 30 days |
| Right to Data Portability | §31 | Receive your data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) | 30 days |
| Right to Object | §32 | Object to processing based on legitimate interest or for direct marketing purposes | 30 days |
| Right to Withdraw Consent | §19(5) | Withdraw previously given consent at any time | Immediately |
| Right to Complain | §73 | Lodge a complaint with the PDPC if you believe your rights have been violated | N/A |
How to Exercise Your Rights:
Send a written request to dpo@spamanager.io with the subject line "PDPA Rights Request." Include your full name, email address associated with your account, and a description of the right you wish to exercise. We may need to verify your identity before processing your request.
We will acknowledge your request within 7 days and provide a substantive response within 30 days. If we need more time due to the complexity or volume of requests, we will notify you within the initial 30-day period with an explanation.
Refusal of Requests: We may refuse a request if it is manifestly unfounded, excessive, or if we have a legal obligation to continue processing the data. We will inform you of the reason for refusal and your right to complain to the PDPC (PDPA §33).
6. Data We Collect
For a comprehensive list of all personal data we collect, please refer to our Privacy Policy, Section 3: Personal Data We Collect.
In summary, the categories of personal data include:
- Identity Data: Name, business name, job title
- Contact Data: Email address, phone number, business address
- Account Data: Login credentials, preferences, subscription details
- Technical Data: IP address, browser type, device information, cookies
- Usage Data: Pages visited, features used, session duration
- Financial Data: Payment information, billing details, transaction history
- Communication Data: Support tickets, emails, feedback
7. Purpose of Data Processing
We process personal data strictly for the purposes disclosed at the time of collection. Our primary purposes include:
- Providing and maintaining the SpaManager platform
- Processing subscriptions and payments
- Customer support and communication
- Improving our services through analytics
- Ensuring platform security and preventing fraud
- Complying with legal and regulatory obligations
- Marketing communications (only with consent)
We do not use personal data for automated decision-making or profiling that produces legal effects (PDPA §21).
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Active account data | Duration of subscription + 30 days | Contractual necessity (PDPA §24(3)) |
| Financial/tax records | 5 years after transaction | Thai Revenue Code §87/3 |
| Communication records | 2 years after last communication | Legitimate interest (PDPA §24(5)) |
| Consent records | 10 years or as required by statute of limitations | Legal obligation / evidence (PDPA §19) |
| Server logs | 90 days (rolling) | Security / Computer Crime Act B.E. 2550 §26 |
| Free trial data (not converted) | 90 days after trial expiration | Legitimate interest (PDPA §24(5)) |
| Data after contract termination | 30 days (user access) + secure deletion | Contractual obligation |
After the retention period expires, personal data is securely deleted or anonymized so that it can no longer be associated with any individual.
9. Cross-Border Data Transfers
The PDPA (§28–§29) imposes restrictions on transferring personal data outside of Thailand. When we transfer personal data internationally, we ensure:
- Adequate Protection: The receiving country has adequate data protection standards as determined by the PDPC, or
- Appropriate Safeguards: We implement appropriate safeguards such as contractual clauses, binding corporate rules, or data processing agreements, or
- Explicit Consent: We obtain your explicit consent after informing you of the inadequate standards of the receiving country, or
- Contractual Necessity: The transfer is necessary for the performance of a contract to which you are party
Our primary data infrastructure is cloud-hosted with servers in Southeast Asia. Some third-party services (e.g., email delivery, analytics) may process data in other jurisdictions including the United States and the European Union. In all cases, we ensure compliance with PDPA §28 transfer requirements.
10. Data Security Measures
In accordance with PDPA §37(1), we implement appropriate technical and organizational security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. These include:
Technical Measures
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Regular security assessments and vulnerability scanning
- Web application firewall (WAF) protection
- Multi-factor authentication for administrative access
- Intrusion detection and prevention systems
- Automated security monitoring and alerting
- Regular data backups with encryption
Organizational Measures
- Access control policies (principle of least privilege)
- Employee data protection training
- Data processing agreements with all third-party processors
- Regular review of access permissions
- Incident response plan and procedures
- Data protection impact assessments for high-risk processing
11. Data Breach Notification
In the event of a personal data breach, we follow the notification procedures mandated by the PDPA:
11.1 Notification to the PDPC (PDPA §37(4))
If a personal data breach occurs that is likely to present a risk to the rights and freedoms of individuals, we will notify the Personal Data Protection Committee (PDPC) within 72 hours of becoming aware of the breach. The notification will include:
- Nature of the breach and categories of data affected
- Approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact details of our Data Protection Officer
11.2 Notification to Data Subjects (PDPA §37(4))
If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify the affected data subjects without undue delay, informing them of:
- The nature of the breach in clear, plain language
- What personal data was involved
- Steps we are taking to address the breach
- Recommended steps they should take to protect themselves
- How to contact us for further information
11.3 Breach Records
We maintain a breach register documenting all personal data breaches, regardless of whether they require notification, including the facts, effects, and remedial actions taken (PDPA §39).
11.4 Liability Limitations for Data Breaches
In the event of a data breach, you acknowledge and agree that:
- Our liability for any breach is subject to the limitations set forth in our Terms of Service, Section 15 (Limitation of Liability)
- We are not liable for breaches caused by your failure to maintain your own security obligations, including credential management, access control, and device security (see Terms, Section 12)
- We are not liable for regulatory fines, penalties, or sanctions imposed on you (as Data Controller) by the PDPC or any other authority as a result of a breach, except to the extent such breach was caused solely by our gross negligence or willful misconduct
- We are not liable for claims brought against you by your data subjects (your spa's customers or employees) under PDPA §77–§78, except to the extent such claims arise solely from our failure to fulfill our obligations as Data Processor under PDPA §40
- Under PDPA §79, the Data Processor (SpaManager) is liable only for acts outside the scope of the Data Controller's instructions or contrary to the PDPA. If we process data strictly within your instructions and in compliance with the PDPA, liability rests with the Data Controller (you)
11.5 Shared Responsibility & Customer Obligations After a Breach
Security is a shared responsibility. In the event of a breach affecting your organization's data:
- As Data Controller, you are responsible for notifying your own data subjects (your spa's customers and employees) as required by PDPA §37(4) — we will provide you with the information needed to fulfill this obligation
- You are responsible for complying with the PDPC's instructions or orders regarding your data subjects
- You are responsible for any claims, lawsuits, or regulatory actions brought by your data subjects in connection with your processing of their data through the platform
- You agree to indemnify SpaManager for any liability arising from your failure to fulfill your obligations as Data Controller (see Terms, Section 16)
11.6 PDPA Penalties Awareness
Important: Under the PDPA, penalties for non-compliance include:
- Administrative fines: Up to 5 million THB (PDPA §90)
- Criminal penalties: Up to 1 year imprisonment and/or up to 1 million THB fine for unauthorized disclosure of personal data (PDPA §79)
- Civil liability: Actual damages plus punitive damages up to twice the actual damages (PDPA §77–§78)
Both Data Controllers and Data Processors may be held liable. SpaManager's liability as a Data Processor is limited to breaches of our Processor obligations under PDPA §40 and the caps in our Terms of Service. You, as Data Controller, bear primary responsibility for your own compliance.
12. Data Protection Officer
SpaManager has appointed a Data Protection Officer (DPO) in accordance with PDPA §41–§42. The DPO is responsible for:
- Advising the organization on PDPA compliance obligations
- Monitoring compliance with the PDPA and internal policies
- Acting as the contact point for data subjects and the PDPC
- Cooperating with the PDPC on data protection matters
- Maintaining confidentiality in performing their duties
Data Protection Officer Contact:
Email: dpo@spamanager.io
All inquiries related to your personal data rights under the PDPA should be directed to our DPO. We are committed to responding to all legitimate requests within the timeframes specified by law.
13. Processor Obligations
When SpaManager acts as a Data Processor on behalf of our customers, we comply with PDPA §40, which requires us to:
- Process personal data only on the documented instructions of the Data Controller (our customer)
- Ensure that persons authorized to process the data have committed to confidentiality
- Implement appropriate technical and organizational security measures
- Not engage another processor without prior authorization from the Data Controller
- Assist the Data Controller in fulfilling data subject rights requests
- Delete or return all personal data upon termination of the processing agreement
- Make available to the Data Controller all information necessary to demonstrate compliance
- Notify the Data Controller without undue delay after becoming aware of a data breach
We offer a Data Processing Agreement (DPA) to all customers who require one. Please contact legal@spamanager.io to request a copy.
14. Children's Data
Under PDPA §20 paragraph 3, special protections apply to the personal data of minors (persons under 20 years of age in Thailand, per the Civil and Commercial Code §19).
- SpaManager is a business management tool designed for adults operating spa and wellness businesses
- We do not knowingly collect personal data from individuals under 20 years of age
- If a spa processes data of minor clients (e.g., teenage spa visitors), the spa as Data Controller must obtain consent from the minor's parent or legal guardian before entering such data into the platform
- If we discover that we have collected data from a minor without proper consent, we will promptly delete such data
15. Sensitive Data
PDPA §26 provides heightened protections for "sensitive personal data," which includes:
- Race, ethnicity, or national origin
- Political opinions
- Religious or philosophical beliefs
- Criminal records
- Trade union membership
- Genetic data and biometric data
- Health data
- Sexual orientation or behavior
- Disability status
Our Approach to Sensitive Data:
SpaManager does not require or collect sensitive personal data as defined by PDPA §26. However, if spa operators choose to store health-related information about their clients (e.g., allergies, medical conditions, or treatment notes), that data is considered sensitive under the PDPA.
Spa operators who store such data are responsible for: (1) obtaining explicit consent from their clients, (2) ensuring appropriate security measures, and (3) limiting access to authorized personnel only.
16. Filing Complaints
If you believe your personal data rights under the PDPA have been violated, you have multiple avenues for recourse:
Step 1: Contact Us Directly
We encourage you to contact us first so we can resolve the issue promptly:
- Email: dpo@spamanager.io
- Subject line: "PDPA Complaint"
We will acknowledge receipt within 7 days and aim to resolve complaints within 30 days.
Step 2: File a Complaint with the PDPC
If you are unsatisfied with our response, or if you prefer to complain directly, you may lodge a complaint with the Personal Data Protection Committee (PDPC):
Office of the Personal Data Protection Committee (OPDPC)
Ministry of Digital Economy and Society
The Government Complex, Commemorating His Majesty The King's 80th Birthday Anniversary, 5th December, B.E. 2550 (2007)
Chaeng Watthana Road, Thung Song Hong, Laksi, Bangkok 10210
Website: www.pdpc.or.th
Under PDPA §73, you have the right to lodge a complaint with the Expert Committee within the statutory limitation period. The Expert Committee will examine your complaint and may order the Data Controller to take corrective action.
Step 3: Civil Remedies
Under PDPA §77–§78, data subjects may seek civil remedies from the Thai courts, including compensation for actual damages and punitive damages up to twice the actual damages awarded by the court.
17. Updates to This Statement
We may update this PDPA Compliance Statement from time to time to reflect changes in our data processing activities, Thai law and regulations, or guidance from the PDPC. Material changes will be communicated via email and/or in-platform notifications. The "Last Updated" date at the top of this page indicates the most recent revision.
We also monitor regulatory developments from the PDPC and will adjust our practices accordingly as new subordinate regulations, notifications, or guidelines are issued.