Privacy & Security

PDPA: What is It? And What to Prepare Before Hosting an Event in Thailand?

Written on JUN 17, 2022

Whether you’re running a business or just living everyday life in Thailand, you might need to know that from June 1st, 2022, to government has already enforced the Personal Data Protection Act (PDPA) to protect the “personal information” of every netizen in Thailand.

Of course, there’s nothing much to talk about if your business already complies with the EU’s GDPR (in other words, you can skip this blog). But if you’re running a business only and locally in Thailand. This blog is for you, especially if you’re in the event industry.

Various blogs and news websites already talk about the PDPA in detail. But to sum it up in a sentence or two: You can’t process any information of anybody without their permission. And this “consent” can come in various forms, based on what kind of event you’re hosting—mainly in-person (on-site) or virtual (online).

You must add some things to your event to comply with the newly-enforced law. We’ve listed it already, just a scroll away.


PDPA on Virtual Events

In this part, we’ll list what your web-based virtual platform needs to comply with Thailand’s PDPA to prevent you from getting into trouble. And to ensure that all your attendees’ personal information will be safe and sound under your control during the event period.


Cookie Consent Popup

You might have seen the “cookie consent” popup from various websites. This is because the EU GDPR law forced businesses to ask permission to collect and process users for whatever reason, from analyzing to marketing. PDPA requires websites to state and ask for permission from their readers.

There are countless tools to create your website’s PDPA (or even GDPR) popup. For example, EasyPDPA and PDPA.Pro. It’s easy and fast for those who don’t care about the design.

Tips: Don’t forget to put the Privacy Policy link on the cookie consent popup. Most people might skip reading it, but there will be someone. And when that “someone” has questions, you can’t answer them. GAME. OVER.


Privacy Policy Page

And to declare how your event platform system collects and processes the attendees’ personal information. You need to write a very long list of the Privacy Policy. This is not just to explain how you process the data but to tell your audiences that they always have the right to withdraw/delete (and also inform them “how” to do it).

Some websites provide you with this policy, but we suggest you learn how your platform works and write the Privacy Policy internally because every product has its selling points—it works differently. There’s no way one template policy can fit everywhere. There’s no ONE SIZE FITS ALL solution when it comes to privacy and security things.

It might be more confusing if the host is not the one who built the event platform—for example, Happenn’s client. In a case like this, you need to be sure that the system can support both the request from the attendees to the host and from the host to the platform provider. So, write it carefully.

Tips: Write it clear, concise, readable, and straightforwardly—no need for any styling. You’re not writing the ad copywriting right now.


Withdrawal/Deletion Request Form

This one isn’t quite mandatory. But it’s more convenient. You can just inform the attendees to submit their requests by email. But when you’re working with hundreds or thousands of people. Imagine how bulky your mailbox will be.

With a proper request form, you can organize the way you want to see these requests. Sometimes you want to make it quick, so you just put the checkbox with submit button and a short description of what we’ll be deleting. Sometimes, for further improvement, you may need to create a text box for them to write their feedback on why they wanted to delete their information from our system. Everything depends on your objective.


PDPA on In-person Events

You might confuse what offline matters like the in-person event have anything to do with the online law like PDPA? Well, the answer is simple. Because our event photos and videos are going to be uploaded anyway, that’s when our offline event meets the online world.

There are a lot of things to discuss. But we’ll focus on the photography things. According to Thitirat Thipsamritkul, one of the people in charge of writing this law[1]. Shooting photos in the event fit under the Legitimate Interest category of the PDPA law. And there are three things to be concerned about when it comes to event photography.

  1. Expectation: Does the person who appears in the photo “aware” that the event host has hired a photographer to walk around and shoot them. Some might say we can see their consent through the body language in the photo. But there are many ways to ensure this won’t cause any trouble in the future. First, let them know in the first place, for example, by verbal (asking) or signing a document at the front gate of your event.
  2. Risk: Does the photo put the people on it at any risk? It might be hard to find an example case. Let’s say you’re a teenage high school student with a full name and student ID on the shirt (that’s what happens in Thailand). People might see all this information and try to do something with it online. I don’t want to imagine how difficult a case like this can be.
  3. Safeguard: Do we have any action to reduce the risk above? Blurring everyone’s faces might not be our best solution if your event has 100-1,000+ attendees. But not publishing the photos with personal information or blurring underage people might help people know that your event has set a standard for privacy.

And most of all, the photographer of your event must be able to “explain the perks of the photo he/she took.” This is debatable. But at least we know why that moment needs to be captured regarding deletion requests or any legal issue.

Then what can you do to prevent the privacy trouble at your on-site events? We can share some ideas.

  1. Sign a consent document at the registration booth; if not, take the audience to watch the event in the private room instead.
  2. Enjoin all of your event photographers to verbally ask the person or a group of people before taking any photos (unnecessary for some cases like shooting a crowd of people in a concert, how can you ask them one by one? And yes, they’re all happy to be on your camera)
  3. Put your privacy policy on both the event website and the event site. Keep reminding your attendees that your skilled photographer will take their privacy for which purpose. And you don’t sell their pics on the photo stock website or use them as advertising.

As we said before, somewhere on this blog. There’s no ONE SIZE FITS ALL solution. And this is just the beginning of the PDPA law. So we might have to wait and see how thing goes with the event organizers/hosts around us.



Anyway, don’t be scared of the PDPA law. It was written to protect everyone. Not just to your attendees but all of us as well. The more you understand about it, the more you can see the bigger picture, and you may find some new creative solutions to apply to your upcoming event on this issue.

And what about Happenn and the PDPA law? We would say we are always concerned about the privacy of our clients and have complied with the EU’s GDPR law since the beginning of its enforcement. So, for our customers who run the business in the axe-shaped country. We can ensure that every piece of data you have submitted to us, whether the name, phone number, cookies, or any photo, will be under our protection 24/7 and 365.

You can request our free demo software to see how we can engage your event with features like Live Streaming, Poll, Q&A, or Online Survey by filling out this form (don’t worry, it’s safe and complies with the PDPA!)