The Impact of Thailand’s PDPA on Clinical Research

Thailand has quickly become a hot spot for clinical research. With its diverse population, advanced hospitals, and strong regulatory environment, the country offers everything sponsors need to run impactful clinical trials. But along with these opportunities comes a new challenge: Thailand’s Personal Data Protection Act (PDPA).

 

The PDPA is reshaping how clinical data is collected, used, and shared. For sponsors, CROs, and researchers, understanding these rules isn’t just a box-ticking exercise—it’s essential for protecting participants, staying compliant, and ensuring trials can move forward smoothly.

What the PDPA Means for Researchers

Clinical trials generate huge amounts of data—much of it sensitive. Under the PDPA, mishandling this information can lead to civil, criminal, and financial penalties.

A few key points:

  • The PDPA has extraterritorial reach. Even organizations outside Thailand must comply if they collect data from Thai residents.
  • Research exemptions exist, but they require safeguards such as technical controls and approval from an Ethics Committee.
  • Transparency is mandatory — the PDPA specifies that certain information (e.g., purpose of processing, data retention period, rights of the data subject) must always be provided to individuals when their data is collected.

 

Cross-Border Transfers: Not Always Simple

Sharing trial data internationally is common—but under the PDPA, it’s tightly controlled. Transfers are only allowed if:

  • The destination country is deemed to have adequate protections, or
  • Certain exemptions apply (e.g., explicit consent, contractual necessity, or public interest).

If an adequacy decision is not in place, sponsors must rely on appropriate safeguards—such as Binding Corporate Rules (BCRs), the EU Standard Contractual Clauses (SCCs), or the ASEAN Model Contractual Clauses (MCCs)—to ensure compliance. These safeguards must also meet specific requirements set out by the Personal Data Protection Committee (PDPC).

Practical Challenges Sponsors Face

For life sciences companies, the PDPA introduces additional responsibilities, including:

  • Implementing robust security measures to protect against unauthorized access, loss, destruction, alteration, or unavailability of personal data.
  • Breach notification obligations: data breaches that pose a risk to individuals must be reported to the PDPC within 72 hours, and in some cases affected individuals must also be informed.
  • Establishing clear data governance policies and regular staff training to ensure ongoing compliance and awareness.
  • Maintaining proper records of processing activities (RoPA) and ensuring data retention/destruction policies are followed.
  • Appointing a Data Protection Officer (DPO) when processing involves large-scale sensitive health data, which is typical in clinical research.
  • Appointing a Data Protection Representative (DPR) if the organization is established outside of Thailand.
  • Ensuring cross-border data transfers are lawful, taking place only under adequacy, safeguards, or PDPC-recognized exemptions.
  • Accountability for violations: companies face administrative fines, civil liability (including punitive damages), and in some cases, criminal penalties for responsible individuals.

Final Thoughts

Thailand is a fantastic location for clinical research, but the PDPA means sponsors can’t take shortcuts with data privacy. By aligning early with compliance requirements and building strong governance structures, sponsors can unlock the country’s research potential while respecting the rights of participants.

Data Excellium can help you ensure your clinical trials run smoothly, remain fully compliant, and avoid costly regulatory setbacks.
