
PDPA setup — consent, retention, export, delete

Compliance 15 min read Updated 2026-05-29

Thai PDPA B.E. 2562 has been actively enforced since 2024. This guide shows how to configure DevProp so your agency is compliant by default, with one-click data subject responses.

What PDPA actually requires of you

Thailand's Personal Data Protection Act B.E. 2562 (PDPA) came into force in mid-2022 and has been actively enforced since 2024. The PDPC (Personal Data Protection Committee) imposed a ฿2.4M settlement on Sansiri in 2024, the largest property-sector PDPA fine to date.

Your agency's six core obligations:

  1. Lawful basis — for every piece of personal data you hold, you must be able to point to a lawful basis (consent, contract, legal obligation, vital interest, public interest, or legitimate interest).
  2. Consent capture — when consent is the basis, you must have evidence the data subject consented to a specific purpose with retention period and withdrawal mechanism explained.
  3. Purpose limitation — you cannot use the data for purposes beyond what the data subject consented to.
  4. Retention limit — you must delete personal data when the retention period ends or the purpose is fulfilled.
  5. Data subject rights — you must respond to access, correction, deletion, and portability requests within 30 days.
  6. Security — appropriate technical and organizational measures to prevent unauthorized access or loss.

How DevProp handles each obligation by default

  1. Lawful basis — every personal data field is tagged with its basis at the schema level. Customer email = legitimate interest (contact). LINE display name = consent. Thai national ID = contract performance (required for ETA contracts).
  2. Consent capture — when a lead enters via LINE/web form, the consent string is captured with timestamp, IP, purpose, and version of your privacy policy at that moment. Stored in the lead's audit log.
  3. Purpose limitation — exports and reports respect the purpose tag. You cannot export a list of leads who only consented to "contact about Sukhumvit listings" for a "Phuket marketing campaign".
  4. Retention limit — Settings → PDPA → Retention rules. Default: 3 years from last contact for active leads, 1 year for cold leads, 7 years for closed deals (required by Thai accounting law). After retention, records are auto-anonymized or deleted.
  5. Data subject rights — one-click access/export/delete from the lead record (see Step 3 below).
  6. Security — AES-256-GCM encryption at rest, TLS 1.3 in transit, mandatory 2FA for admin users, audit log of every access.

Step 1 — Configure your privacy policy

Settings → PDPA → Privacy policy. Upload your privacy policy in EN + TH. We provide a Thai-market template (specific to property agencies) that you can edit. The policy version is timestamped — every consent capture references the version active at that moment, so even years later you can prove what the data subject agreed to.

Step 2 — Configure consent capture

Settings → PDPA → Consent capture. The four default capture points:

  1. Website contact form — checkbox "I agree to be contacted by [agency] about property opportunities matching my criteria." Logs IP + form data + policy version.
  2. LINE OA first message — Nisa auto-sends "Welcome! Before we continue, please confirm you agree to our privacy policy: [link]. Reply YES to continue." Logs LINE user ID + timestamp + reply text.
  3. Phone enquiry — agent reads scripted disclosure ("This call may be recorded. Do you consent to me storing your contact details to follow up on your enquiry?") and clicks Confirm. Logs agent name + timestamp + lead name.
  4. Walk-in visit — tablet or paper form. Agent ticks the box on the lead's behalf. Logs agent name + timestamp + lead signature (if paper, scanned).
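Added example (not DevProp's code) of the consent ledger described in the obligations list and in Steps 1 and 2: each capture freezes the policy version in force at that instant, and an export for a given purpose only includes leads whose recorded consent covers it. The record layout, the purpose-string hierarchy and the policy history are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data; class and field names are assumptions, not DevProp's schema.
@dataclass(frozen=True)
class ConsentRecord:
    lead_id: str
    channel: str         # web_form | line_oa | phone | walk_in
    purpose: str         # e.g. "contact:sukhumvit_listings"; bare "contact" is broader
    captured_at: str     # ISO-8601 with UTC offset, exactly as captured
    policy_version: str  # resolved at capture time and never rewritten
    evidence: dict       # IP, LINE user ID, agent name: whatever the channel yields

# Privacy-policy versions and the instant each took effect (constructed history).
POLICY_HISTORY = {"2023-01": "2023-01-01T00:00:00+07:00",
                  "2025-03": "2025-03-01T00:00:00+07:00"}

def policy_active_at(when_iso: str) -> str:
    """Version in force at `when_iso`: the latest one effective on or before that instant."""
    when = datetime.fromisoformat(when_iso)
    in_force = {v: datetime.fromisoformat(t) for v, t in POLICY_HISTORY.items()
                if datetime.fromisoformat(t) <= when}
    if not in_force:
        raise ValueError(f"no privacy policy was in force at {when_iso}")
    return max(in_force, key=in_force.get)

def capture_consent(lead_id, channel, purpose, captured_at_iso, evidence) -> ConsentRecord:
    # Freeze the version at capture time so a later policy update cannot change
    # what the data subject is recorded as having agreed to.
    return ConsentRecord(lead_id, channel, purpose, captured_at_iso,
                         policy_active_at(captured_at_iso), dict(evidence))

def covers(consented: str, requested: str) -> bool:
    """A consent purpose covers a request if equal, or if the request is a sub-purpose of it."""
    return requested == consented or requested.startswith(consented + ":")

def export_for_purpose(ledger, requested_purpose):
    """Purpose limitation: only leads holding a consent that covers the requested purpose."""
    return sorted({r.lead_id for r in ledger if covers(r.purpose, requested_purpose)})

def sample_ledger():
    return [
        capture_consent("lead-001", "web_form", "contact:sukhumvit_listings",
                        "2024-06-01T09:30:00+07:00", {"ip": "203.0.113.7"}),
        capture_consent("lead-002", "line_oa", "contact",
                        "2025-04-02T18:05:00+07:00", {"line_user_id": "U-constructed", "reply": "YES"}),
    ]
```

`export_for_purpose(sample_ledger(), "marketing:phuket")` returns an empty list: neither lead consented to marketing, so the Phuket campaign export contains nobody.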

Step 3 — Respond to a data subject request

When someone messages you "What data do you have on me, and please delete it," go to the lead record → Actions → PDPA request. Three options:

  1. Access — generates a PDF containing every field, every log entry, every message, every contract. Send to the data subject.
  2. Correction — they tell you what's wrong; you correct the field and the audit log captures who, when, and what changed.
  3. Deletion — confirms whether deletion is legally possible (you can't delete records related to active contracts or ongoing legal obligations). If allowed, deletes immediately + logs the deletion + sends a confirmation email to the data subject.

All actions are logged. If a regulator asks "prove you responded to this data subject's request within 30 days," the log shows the request received timestamp, the action taken timestamp, the response sent timestamp, and the staff member who processed it.
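Added example (not DevProp's code) of the deletion branch of Step 3 and the 30-day evidence trail: deletion is refused while a contract or legal obligation still binds the record, every decision is appended to the case with date and staff member, and the SLA status is derived from that trail. Obligation kinds, case fields and the two sample requests are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = 30  # the 30-day response deadline cited above; shapes below are constructed

@dataclass
class Obligation:
    kind: str                     # "contract" | "legal_hold" | "accounting"
    active_until: Optional[date]  # None = open-ended

@dataclass
class DsrCase:
    lead_id: str
    received: date
    events: list = field(default_factory=list)  # (date, staff, event): the evidence trail

def deletion_blockers(obligations, today):
    """Obligations still binding the record on `today` make deletion legally impossible."""
    return [o for o in obligations if o.active_until is None or o.active_until >= today]

def process_deletion(case, obligations, staff, today):
    """Refuse (and log why) or delete, log, and log the confirmation email."""
    blockers = deletion_blockers(obligations, today)
    if blockers:
        case.events.append((today, staff, "deletion refused: " + ", ".join(o.kind for o in blockers)))
        return "refused"
    case.events.append((today, staff, "record deleted"))
    case.events.append((today, staff, "confirmation email sent"))
    return "deleted"

def sla_status(case, today):
    """met / late once a decision is on the trail; open / overdue while it is not."""
    deadline = case.received + timedelta(days=SLA_DAYS)
    responded = [d for d, _, e in case.events if e.startswith(("record deleted", "deletion refused"))]
    if responded:
        return "met" if min(responded) <= deadline else "late"
    return "open" if today <= deadline else "overdue"

def run_sample():
    """Two constructed deletion requests: one blocked by an active contract, one clear but answered late."""
    today = date(2026, 5, 29)
    blocked = DsrCase("lead-001", date(2026, 5, 10))
    clear = DsrCase("lead-002", date(2026, 4, 1))
    r1 = process_deletion(blocked, [Obligation("contract", date(2026, 12, 31))], "staff-nok", today)
    r2 = process_deletion(clear, [Obligation("contract", date(2025, 1, 31))], "staff-nok", today)
    return {"lead-001": (r1, sla_status(blocked, today)), "lead-002": (r2, sla_status(clear, today)),
            "trail": [(d.isoformat(), s, e) for d, s, e in blocked.events]}
```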

Step 4 — Retention auto-purge

Once a day at 3am Bangkok time, DevProp runs the retention purge:

  1. Leads with no contact in 3 years → anonymized (name/phone/email replaced with a hash; message content kept for aggregate statistics only).
  2. Leads with no contact in 5 years → fully deleted.
  3. Contracts older than 7 years → archived to PDF/A, raw data deleted.
  4. Closed deals older than 10 years → fully deleted.

You can override these defaults per record (e.g. flag a high-value contact as "do not auto-purge" until manual review). Overrides are logged.
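Added example (not DevProp's code) of the two lead tiers of the nightly purge plus the per-record override: three years since last contact pseudonymizes name, phone and email with a keyed hash while keeping message content, five years deletes, and a flagged record is skipped with the skip logged. The contract and closed-deal tiers are left out; the record shape, the salt and the four sample leads are constructed.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import date

# Constructed records; field names are assumptions, not DevProp's schema.
@dataclass
class Lead:
    lead_id: str
    name: str
    phone: str
    email: str
    last_contact: date
    messages: list                  # kept through anonymization for aggregate statistics
    do_not_auto_purge: bool = False
    anonymized: bool = False

def _pseudonym(value: str, salt: bytes) -> str:
    # Keyed hash: a known phone number or email cannot simply be re-hashed and matched.
    return hashlib.sha256(salt + value.encode()).hexdigest()[:16]

def run_lead_purge(leads, today: date, salt: bytes, log: list):
    """Lead tiers: >=3 years since last contact -> anonymize, >=5 years -> delete.
    A do_not_auto_purge flag skips both tiers, and the skip itself is logged."""
    kept = []
    for lead in leads:
        age = (today - lead.last_contact).days / 365.25
        if lead.do_not_auto_purge and age >= 3:
            log.append(f"{today} SKIP {lead.lead_id} override=do_not_auto_purge age={age:.1f}y")
            kept.append(lead)
        elif age >= 5:
            log.append(f"{today} DELETE {lead.lead_id} age={age:.1f}y")
        elif age >= 3 and not lead.anonymized:
            log.append(f"{today} ANONYMIZE {lead.lead_id} age={age:.1f}y")
            kept.append(replace(lead, anonymized=True, **{f: _pseudonym(getattr(lead, f), salt) for f in ("name", "phone", "email")}))
        else:
            kept.append(lead)
    return kept

def sample_leads():
    return [
        Lead("lead-A", "Somchai", "0812345678", "somchai@example.com", date(2025, 6, 1), ["hello"]),
        Lead("lead-B", "Nok", "0898765432", "nok@example.com", date(2022, 11, 1), ["viewing?"]),
        Lead("lead-C", "Lek", "0861112222", "lek@example.com", date(2020, 1, 15), ["price?"]),
        Lead("lead-D", "Pim", "0855556666", "pim@example.com", date(2020, 1, 15), ["vip"], do_not_auto_purge=True),
    ]

def purge_sample(today_iso: str):
    log = []
    kept = run_lead_purge(sample_leads(), date.fromisoformat(today_iso), b"constructed-salt", log)
    return kept, log
```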

Step 5 — Audit logs (where regulators look first)

Reports → PDPA → Audit log. Every access to personal data is logged: who, when, what record, what action. If a regulator audits you, this is the primary evidence.

For developer-direct agencies handling hundreds of leads per month, configure access alerts (Settings → Security → Alerts). If an agent accesses >50 leads in an hour, you get a notification. This is the audit pattern that caught the Sansiri agent leaking lead data in 2023.
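Added example (not DevProp's code) of the access-rate alert described above, run over constructed audit-log lines: for each user it keeps a one-hour sliding window of lead records touched and raises one alert the first time the count of distinct leads in that window exceeds 50. The line format, the threshold constant and the two sample agents are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log line format; DevProp's real export format is not shown on the page.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$")
THRESHOLD = 50                 # distinct leads per hour, as in the page's example alert
WINDOW = timedelta(hours=1)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                # malformed lines are skipped, not counted
    return (datetime.fromisoformat(m["ts"]), m["user"], m["action"], m["record"])

def detect_bulk_access(lines, threshold=THRESHOLD, window=WINDOW):
    """One alert per user, fired the first time they touch more than `threshold`
    distinct lead records inside any `window`; re-opening the same lead does not count."""
    recent = defaultdict(deque)    # user -> (timestamp, record) pairs still inside the window
    alerts, alerted = [], set()
    for ts, user, _action, record in sorted(filter(None, map(parse_line, lines))):
        if not record.startswith("lead-"):
            continue               # only lead records count toward the per-hour figure
        q = recent[user]
        q.append((ts, record))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) > threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts.isoformat(), len(distinct)))
    return alerts

def sample_log():
    """Constructed lines: agent-2 works normally, agent-7 opens 60 leads in 40 minutes."""
    base = datetime.fromisoformat("2026-05-28T14:00:00+07:00")
    lines = [f"{(base + timedelta(minutes=10 * i)).isoformat()} user=agent-2 action=view record=lead-{i:04d}"
             for i in range(5)]
    lines += [f"{(base + timedelta(seconds=40 * i)).isoformat()} user=agent-7 action=view record=lead-{1000 + i:04d}"
              for i in range(60)]
    lines.append("not an audit line at all")
    return lines
```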

Penalties at a glance

  1. Failing to obtain valid consent: up to ฿3,000,000 administrative fine per violation.
  2. Failing to respond to a data subject request within 30 days: up to ฿1,000,000.
  3. Failing to report a data breach within 72 hours: up to ฿5,000,000.
  4. Sensitive data violations (medical, religious, etc.): up to ฿5,000,000 each.

The PDPC has accelerated enforcement in 2024-25; expect more property-sector cases through 2026. DevProp's PDPA module is designed to keep your agency on the safe side of every one of these obligations by default.
