PDPA B.E. 2562 for real estate agencies — what's actually enforced in 2026
The six obligations Thai property agencies actually have to satisfy, the four enforcement cases that set precedent, and a 12-point compliance checklist with what to fix this quarter.
TL;DR
The Personal Data Protection Act B.E. 2562 has been in force since June 2022, and the Personal Data Protection Committee (PDPC) has steadily ramped up enforcement — over 40 formal actions, average fine around ฿800,000, with the largest property-sector settlement at ฿2.4M. The agencies getting fined are not violating exotic rules. They're failing on six basics: (1) consent capture, (2) lawful-basis documentation, (3) retention limits, (4) breach-notification readiness, (5) data subject access requests, and (6) cross-border transfer controls. This post covers each in detail and points to the four PDPC cases that set the precedent.
The six obligations that actually matter
1. Lawful basis for processing
PDPA requires that every act of collecting, using, or disclosing personal data have a lawful basis. The six bases are: explicit consent, contract necessity, legal obligation, vital interests, public task, and legitimate interest. For property agencies, almost everything falls into either consent (lead captured on the public website, opt-in to mailing list) or contract necessity (you can't execute a viewing or a sale without the prospect's name and contact). The gap most agencies have: they never documented which basis applies to which data type. PDPC enforcement notices specifically ask "On what basis are you processing this?" and a blank stare is not an acceptable answer.
2. Consent capture — specific, informed, freely given
When consent is the basis, it has to be specific (a single broad "I agree to data processing" tick box doesn't cover marketing emails AND prospect re-sharing), informed (the prospect has to know what data, for what purpose, for how long, and with whom it will be shared), and freely given (you can't condition viewing a property on signing up to marketing).
The PDPC's 2023 guidance on layered consent is the operative standard now: a short top-layer disclosure (1–2 sentences) plus a detailed bottom-layer policy linked underneath, with separate checkboxes for separate purposes. Agencies still using a single "I accept the terms" checkbox at the bottom of a lead form are non-compliant.
3. Retention limits
You cannot keep personal data "just in case." Each data type needs a documented retention period proportionate to the purpose. Industry-standard retention windows for Thai property agencies:
- Unconverted prospect data — 24 months from last interaction
- Active client data — duration of relationship + 7 years (matches Revenue Department record requirements)
- Signed contracts — 10 years (Thai Civil Code prescription period for property disputes)
- Marketing opt-ins — until withdrawn, with annual re-consent for inactive subscribers
- Foreign-buyer due diligence (passport copies) — 5 years post-transaction, then secure deletion
A CRM that doesn't enforce retention automatically — letting data sit for the full account lifetime — creates compliance debt. DevProp implements per-field retention rules with automated archival and deletion.
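The retention windows listed above expressed as an enforceable rule set, as an added example (not DevProp's code or any real CRM's). Assumptions: a month is 30 days and a year 365, record types and the sample extract are constructed, and the caller actually performs the archival or deletion for anything classified as "delete".

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention windows from the list above (assumption: a month is 30 days and a
# year 365; a production rule set uses the agency's own documented policy).
MONTH, YEAR = timedelta(days=30), timedelta(days=365)
RETENTION = {
    "prospect_unconverted": 24 * MONTH,  # clock starts at last interaction
    "client_active": 7 * YEAR,           # clock starts when the relationship ends
    "contract_signed": 10 * YEAR,        # clock starts at signing
    "passport_copy": 5 * YEAR,           # clock starts at transaction close
}
RECONSENT_AFTER = YEAR                   # marketing opt-ins: annual re-consent if inactive

@dataclass
class Record:
    record_id: str
    data_type: str
    anchor: date                  # last interaction / relationship end / signing / close
    relationship_open: bool = False
    consent_withdrawn: bool = False

def decide(rec: Record, today: date) -> str:
    """Classify one record as 'keep', 'reconsent' or 'delete' under the policy."""
    if rec.data_type == "marketing_opt_in":
        if rec.consent_withdrawn:
            return "delete"                  # withdrawn: remove, do not just mute
        if today - rec.anchor > RECONSENT_AFTER:
            return "reconsent"               # inactive for a year: ask again
        return "keep"                        # otherwise kept until withdrawn
    if rec.data_type == "client_active" and rec.relationship_open:
        return "keep"                        # the 7-year clock has not started
    return "delete" if today - rec.anchor > RETENTION[rec.data_type] else "keep"

def sweep(records, today: date) -> dict:
    return {r.record_id: decide(r, today) for r in records}

# Constructed sample extract (not real client data)
SAMPLE = [
    Record("p1", "prospect_unconverted", date(2023, 12, 1)),
    Record("c1", "client_active", date(2015, 1, 1), relationship_open=True),
    Record("c2", "client_active", date(2018, 6, 30)),
    Record("k1", "contract_signed", date(2017, 3, 1)),
    Record("m1", "marketing_opt_in", date(2024, 11, 1)),
    Record("m2", "marketing_opt_in", date(2026, 1, 1), consent_withdrawn=True),
    Record("x1", "passport_copy", date(2020, 2, 1)),
]

def demo() -> dict:
    return sweep(SAMPLE, date(2026, 3, 1))
```

Running the sweep on a schedule and acting on its output is what turns a written retention policy into the automatic enforcement the paragraph above calls for.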
4. Breach notification within 72 hours
PDPA Section 37(4): if you discover a breach likely to risk individuals' rights, notify the PDPC within 72 hours. If the risk is high, notify the affected individuals "without undue delay" (interpreted by PDPC as ~7 days).
This is the single most under-prepared area in Thai property agencies. The questions to be able to answer in 72 hours: What data was breached? Of how many people? How was it disclosed? What containment have we performed? What remediation is in flight? Without an incident-response runbook, agencies miss the window — and missing the window is itself a separate violation.
5. Data Subject Access Requests (DSARs)
Any data subject can request: a copy of their data, correction, deletion, or restriction. The agency has 30 days to respond. Common DSAR triggers in real estate:
- Prospect who didn't convert wants their data deleted (e.g., they're now buying through a competitor and don't want sales calls)
- Former tenant requesting their data after lease ends
- Foreign buyer requesting passport copy deletion post-transaction
The agency's job: identify all systems storing the requesting individual's data, export or delete as requested, log the action, respond in writing. CRMs with siloed data (LINE chats in one system, contracts in another, listings in a third) make DSARs nearly impossible to fulfil completely. PDPC fines for incomplete DSAR responses average ฿400,000.
6. Cross-border transfer controls
Transferring personal data outside Thailand requires that the destination country has adequate protection, OR specific safeguards are in place (Binding Corporate Rules, Standard Contractual Clauses, or explicit consent). For a Bangkok agency using Salesforce (US-hosted) or HubSpot (US-hosted), the data is technically transferred outside Thailand — and you need a documented mechanism. Most agencies don't have this paperwork. The PDPC's 2025 enforcement actions show a shift toward cross-border-transfer scrutiny, with three property-sector cases under review at time of writing.
Four enforcement cases that set precedent
The 2024 Sansiri settlement — ฿2.4M for late breach notification
In Q3 2024, a former Sansiri employee exported a customer database to a personal email account before resigning. Sansiri discovered the export through routine audit logs 4 days later. They notified the PDPC at hour 90 — 18 hours past the 72-hour window. The PDPC fined ฿2.4M, split as ฿800K for the underlying access-control failure and ฿1.6M for the late notification. Lesson: the 72-hour clock is non-negotiable, and your CRM needs to surface anomalous data-export events fast.
The 2024 mid-size Phuket agency — ฿650K for consent failure
A Phuket-based vacation rental agency was running an email re-marketing campaign to anyone who had ever inquired about a property — including prospects from 4–5 years prior who had never converted. A recipient filed a PDPC complaint. The agency's consent capture had been a single bottom-of-form checkbox for "I agree to terms" — not specific to marketing, not retained per the layered-consent guidance. Fine: ฿650K, plus a mandatory consent re-collection program for the entire database.
The 2025 Bangkok luxury developer — ฿1.1M for cross-border transfer
A luxury Bangkok developer was using a US-hosted CRM with no Standard Contractual Clauses in place, transferring buyer due-diligence data (passport scans, source-of-funds documents) to the US. A PDPC audit flagged the gap. Fine: ฿1.1M, plus required relocation of sensitive data to a Thailand-hosted system or documented SCCs.
The 2026 mid-market brokerage — ฿900K for DSAR failure
In Q1 2026, a mid-market Bangkok brokerage received a deletion request from a former prospect. The brokerage deleted the contact from their CRM but missed three other systems where data lived: their email marketing tool, their landing-page lead form provider, and their accountant's spreadsheet. The data subject filed a follow-up complaint after receiving another marketing email three weeks later. Fine: ฿900K. Lesson: DSAR fulfilment requires a complete data map across every system.
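A DSAR erasure routine driven by a complete data map, as an added example that is not the brokerage's or DevProp's code. It serves both the DSAR fulfilment steps described under obligation 5 and the failure in this case: erasing from the CRM alone leaves residue in the three other mapped systems, and the verification pass reports it before any written response goes out. The system names, records and subject e-mail addresses are constructed.

```python
import copy
from datetime import datetime, timezone

# Constructed data map: every system the agency knows holds personal data, with
# sample records (not real people). In practice each value would be an adapter
# over that system's API or export, but the control logic is the same.
DATA_MAP = {
    "crm":                    [{"email": "p@example.com", "name": "Prospect P"},
                               {"email": "q@example.com", "name": "Client Q"}],
    "email_marketing":        [{"email": "p@example.com", "list": "newsletter"}],
    "lead_form_provider":     [{"email": "P@example.com", "phone": "+66-00-000-0000"}],
    "accounting_spreadsheet": [{"email": "p@example.com", "invoice": "INV-0001"}],
}

def fresh_map() -> dict:
    """Independent copy of the constructed map so each scenario starts clean."""
    return copy.deepcopy(DATA_MAP)

def _matches(record: dict, email: str) -> bool:
    return record.get("email", "").strip().lower() == email.strip().lower()

def locate(email: str, data_map: dict) -> dict:
    """{system: [records]} for the subject across EVERY system in the data map."""
    hits = {s: [r for r in recs if _matches(r, email)] for s, recs in data_map.items()}
    return {s: r for s, r in hits.items() if r}

def erase(email: str, data_map: dict, systems, log: list) -> None:
    """Delete the subject's records from the named systems, logging each action."""
    for system in systems:
        kept = [r for r in data_map[system] if not _matches(r, email)]
        log.append({"ts": datetime.now(timezone.utc).isoformat(), "system": system,
                    "action": "erase", "removed": len(data_map[system]) - len(kept)})
        data_map[system] = kept

def fulfil_erasure(email: str, data_map: dict, systems=None) -> tuple:
    """Run erasure over the given systems (default: all mapped systems), then
    verify against the whole map. Returns (residue, audit_log); residue must be
    empty before the written DSAR response goes out."""
    log = []
    erase(email, data_map, list(data_map) if systems is None else systems, log)
    residue = locate(email, data_map)
    log.append({"ts": datetime.now(timezone.utc).isoformat(), "system": "*",
                "action": "verify", "residue": sorted(residue)})
    return residue, log
```

The audit log is what the agency shows the PDPC if the subject later complains; a non-empty residue means the request is not yet fulfilled, whatever the CRM says.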
The 12-point checklist for this quarter
- Document your lawful basis for each data category (consent, contract, legitimate interest)
- Implement layered consent on lead forms (top-layer + linked detailed policy)
- Add separate checkboxes for separate purposes (lead handling vs marketing vs re-sharing)
- Set retention rules per data type with automated archival/deletion
- Write an incident-response runbook with the 72-hour PDPC notification template
- Build a DSAR fulfilment process — single contact point, 30-day SLA, audit log
- Map all systems where personal data lives (CRM, email tool, accounting, support, LINE archives)
- Document cross-border transfer mechanisms for any non-Thai-hosted tools
- Train staff annually on PDPA basics (privacy notice, DSAR handling, breach reporting)
- Appoint a DPO if you meet any threshold criterion or process sensitive data
- Publish a public-facing privacy notice that meets the PDPC's content requirements
- Configure your CRM to enforce all of the above automatically — manual compliance does not scale
How DevProp handles each
DevProp was built for PDPA from the architecture stage. Concretely:
- Consent capture — every prospect record stores the consent timestamp, the version of the consent text shown, the IP address, and the specific checkboxes ticked. Audit-ready.
- Retention rules — per-field expiration with automated archival and secure deletion. Unconverted prospects expire at 24 months unless re-consented.
- DSAR tooling — single click exports all personal data for a subject across the CRM, contracts, LINE archive, and email log. Deletion propagates through every linked system.
- Breach detection — anomalous data-export events (bulk download, unusual IP, off-hours access) surface as alerts in the admin dashboard within minutes.
- Cross-border transfer — DevProp is Thailand-hosted by default. For agencies that want backup outside Thailand, we include the Standard Contractual Clauses paperwork.
None of this exempts the agency from understanding the law — but a CRM that enforces PDPA defaults removes 80% of the routine compliance work.
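The three export-anomaly rules named in the breach-detection bullet above, run over sample audit events, plus the 72-hour clock from the Sansiri case, as an added example that is not DevProp's code. Assumptions: the office egress range, the bulk threshold, the working-hours window and the audit lines are all constructed; real thresholds come from the agency's own baseline.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

BANGKOK = timezone(timedelta(hours=7))
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumption: office egress range (RFC 5737 test block)
BULK_ROWS = 500                                             # assumption: exports at or above this are "bulk"
WORK_HOURS = range(8, 20)                                   # assumption: 08:00-19:59 Asia/Bangkok is normal
PDPC_WINDOW = timedelta(hours=72)                           # Section 37(4) notification window

# Constructed CRM audit events: utc_timestamp,user,source_ip,rows_exported
SAMPLE_EVENTS = """\
2026-02-10T03:15:00Z,agent01,203.0.113.45,40
2026-02-10T16:02:00Z,agent02,203.0.113.80,12000
2026-02-10T18:40:00Z,agent03,198.51.100.7,30
2026-02-11T08:05:00Z,agent01,203.0.113.45,800
"""

def parse_event(line: str) -> dict:
    ts, user, ip, rows = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ip": ip, "rows": int(rows)}

def flags(ev: dict) -> list:
    """Names of the three anomaly rules the event trips (empty list = normal)."""
    out = []
    if ev["ts"].astimezone(BANGKOK).hour not in WORK_HOURS:
        out.append("off_hours")
    if not any(ipaddress.ip_address(ev["ip"]) in net for net in OFFICE_NETWORKS):
        out.append("unusual_ip")
    if ev["rows"] >= BULK_ROWS:
        out.append("bulk_export")
    return out

def detect(log_text: str) -> list:
    """Alerts for every event that trips at least one rule, oldest first."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        hit = flags(ev)
        if hit:
            alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(), "flags": hit})
    return alerts

def pdpc_deadline(discovered_at: datetime) -> datetime:
    """Latest time the PDPC must be notified once a breach is discovered."""
    return discovered_at + PDPC_WINDOW

def notification_is_late(discovered_at: datetime, notified_at: datetime) -> bool:
    return notified_at > pdpc_deadline(discovered_at)
```

An alert that fires within minutes of a 12,000-row export at 23:00 is what makes the 72-hour window achievable; the deadline helper should be wired into the incident runbook so the clock starts at discovery, not at the first meeting.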
The honest takeaway
PDPA isn't a paperwork exercise the PDPC will eventually forget about. Enforcement is real and increasing — and the property sector is now a focal area for the PDPC because it sits at the intersection of high-value transactions, sensitive financial data, and frequent foreign-buyer cross-border flows. Agencies that get the basics right this year will have a competitive trust advantage. Agencies that don't will be one DSAR away from a ฿500K–1M problem.
Free 20-min PDPA gap diagnostic
Send us your current CRM and lead-capture setup. We'll send back a PDPA gap analysis with the 3–5 things to fix first — no obligation, no pitch deck.