PDPA and Employee Data — What HR Needs to Know from Recruitment to Resignation
A practical guide for HR on managing employees’ personal data in compliance with the PDPA, covering every stage from recruitment and employment to resignation and post-termination data retention.
HR Is the Department That Holds the Most Personal Data in the Organization
Consider the types of information HR handles every day: resumes, copies of national ID cards, medical certificates, payslips, leave records, and performance evaluations. All of these are personal data under the Personal Data Protection Act B.E. 2562 (2019) (PDPA).
Although the PDPA has been fully in force since 1 June 2022, surveys show that many organizations still do not manage employee data in a legally compliant way. Common issues include retaining copies of ID cards without a defined retention period, sending salary information by unencrypted email, or allowing external vendors to access employee data without a data processing agreement.
This article is a practical guide for HR teams to manage employee data in full compliance with the PDPA.
PDPA Legal Bases HR Must Understand
Many people mistakenly believe that the PDPA requires organizations to obtain consent every time they collect employee data. In reality, the PDPA provides several legal bases, and HR can choose the basis that is appropriate for each situation.
1. Employment Contract — Section 24(3)
Data collected as necessary to perform an employment contract, such as full name, address, and bank account number, may rely on the contractual basis without separate consent, because the data is needed to pay salary and administer the employment relationship.
2. Legal Obligation — Section 24(6)
Certain data must be collected by HR because the law requires it, such as withholding tax, social security contributions, and labor law reporting. In these cases, HR may rely on the legal obligation basis.
3. Legitimate Interests — Section 24(5)
Where the organization needs to process data for its legitimate interests, and such processing does not override employees’ rights, HR may rely on this basis. Examples include CCTV recordings in the workplace for security and monitoring the use of the organization’s IT systems.
4. Consent — Section 19
Consent should be used only when no other legal basis applies, such as collecting employee photos for a company profile or taking photos at internal events for publication on social media. Importantly, consent must be freely given, and employees must be able to refuse without any impact on their employment.
Legal Basis | HR Use Case Example | Key Caution
Contract (Sec. 24(3)) | Collecting data for salary payment, benefits | Collect only what is necessary for the contract
Legal Obligation (Sec. 24(6)) | Tax withholding, social security submission | Must reference the specific law requiring collection
Legitimate Interests (Sec. 24(5)) | CCTV, IT system monitoring | Must conduct a balancing test against employee rights
Consent (Sec. 19) | Posting photos on social media | Must be freely given and withdrawable at any time
Employee Data Lifecycle: 5 Stages HR Must Manage
Managing employee data under the PDPA does not begin when an employee starts work; it begins on the day recruitment opens. Nor does it end when an employee leaves, because certain data must still be retained for as long as the law requires.
Stage 1: Recruitment
Collect only data that is necessary for candidate evaluation. Do not ask for information unrelated to the role, such as marital status, religion, or family planning.
Provide a Privacy Notice for job applicants before collecting data, clearly stating the purposes, retention period, and data subject rights.
Delete unsuccessful candidate data within 6 months. If you want to retain it in a candidate database or talent pool, obtain additional consent and specify a clear retention period.
Do not forward resumes to other departments or entities without informing the applicant. If you want to share them with affiliated companies for consideration, this should be stated in the Privacy Notice or covered by separate consent.
Stage 2: Onboarding
Prepare a Privacy Notice for employees separate from the applicant Privacy Notice, specifying the data collected, purposes, legal bases, recipients, retention period, and employee rights.
State purposes clearly and specifically. Avoid broad wording such as “for the company’s general purposes.”
Use a separate Consent Form for data processing that requires consent. Do not combine it with the employment contract.
Collect copies of ID cards only where necessary and mark the copy with the purpose of use.
Stage 3: During Employment
Health data, religion, and biometric data are considered Sensitive Data under Section 26 and require separate explicit consent, distinct from general consent.
Restrict access based on the Need-to-Know principle. Not everyone in HR needs access to salary data or medical examination results.
Maintain records of processing activities (ROPA) under Section 39 to demonstrate that the organization complies with the PDPA.
Review data periodically and delete information that is no longer necessary, such as old medical certificates for sick leave from many years ago.
Stage 4: Offboarding
Delete or destroy data that no longer needs to be retained within the defined period.
Revoke all system access rights of departing employees.
Retain only data that must be kept by law, with clear documentation of the reason and retention period.
Inform departing employees which data will continue to be retained, why it is being kept, and for how long.
Stage 5: Post-Employment Retention
Different laws impose different retention periods. HR should establish a Retention Schedule aligned with all relevant legal requirements.
Data Type | Relevant Law | Retention Period
Employee register | Labour Protection Act | 2 years after employment ends
Wage-related documents | Labour Protection Act | 2 years after employment ends
Withholding tax documents | Revenue Code | 5 years from the filing date
Social security documents | Social Security Act | 5 years
Civil claims under general law | Civil and Commercial Code | 10 years (general prescription period)
Work-related accident documents | Workmen’s Compensation Act | 10 years
Once the retention period expires, data must be securely destroyed, whether in paper form (shredding) or digital form (secure deletion).
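As an added illustration (not part of the original article and not any product's code), the following Python script encodes the retention periods from the table above, together with the six-month rule for unsuccessful applicants from Stage 1, computes the expiry date for each record from the event the period counts from, and lists the records that are due for secure destruction as of a given date. The data-type keys, the trigger events assumed for the Social Security Act, Civil and Commercial Code and Workmen’s Compensation Act rows (the article states only the period for those), and the sample records are assumptions made for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Retention schedule encoded from the article's table (periods in months) plus
# the six-month rule for unsuccessful applicants. The second element names the
# event the period counts from. Trigger events marked "assumed" are not stated
# in the article and must be confirmed against the underlying law.
RETENTION_SCHEDULE = {
    "employee_register":      (24,  "employment_end"),   # Labour Protection Act
    "wage_documents":         (24,  "employment_end"),   # Labour Protection Act
    "withholding_tax":        (60,  "filing_date"),      # Revenue Code
    "social_security":        (60,  "filing_date"),      # Social Security Act (trigger assumed)
    "civil_claim_evidence":   (120, "employment_end"),   # Civil and Commercial Code (trigger assumed)
    "work_accident":          (120, "accident_date"),    # Workmen's Compensation Act (trigger assumed)
    "unsuccessful_applicant": (6,   "decision_date"),    # Stage 1: delete within 6 months
}


def add_months(start: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length
    (e.g. 31 Aug + 6 months -> 28 Feb), so month-end dates never overflow."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Record:
    record_id: str
    data_type: str
    trigger_dates: dict  # event name -> date; only the scheduled event is used


def record(record_id: str, data_type: str, **triggers: str) -> Record:
    """Build a Record from ISO-8601 date strings (helper for inventories/tests)."""
    return Record(record_id, data_type,
                  {event: date.fromisoformat(value) for event, value in triggers.items()})


def retention_expiry(rec: Record) -> date:
    """Date on which the statutory retention period for this record ends.
    Raises ValueError when the record lacks the date the period counts from,
    so an incomplete inventory entry is surfaced rather than silently kept."""
    if rec.data_type not in RETENTION_SCHEDULE:
        raise ValueError(f"{rec.record_id}: no retention rule for '{rec.data_type}'")
    months, trigger = RETENTION_SCHEDULE[rec.data_type]
    if trigger not in rec.trigger_dates:
        raise ValueError(f"{rec.record_id}: missing trigger date '{trigger}'")
    return add_months(rec.trigger_dates[trigger], months)


def destruction_due(records, as_of: date) -> list:
    """IDs of records whose retention period has expired on or before `as_of`."""
    return [rec.record_id for rec in records if retention_expiry(rec) <= as_of]


# Constructed sample inventory (not real employee data).
SAMPLE_RECORDS = [
    record("REG-001", "employee_register",      employment_end="2023-03-31"),
    record("TAX-002", "withholding_tax",        filing_date="2021-03-31"),
    record("APP-003", "unsuccessful_applicant", decision_date="2025-08-31"),
    record("ACC-004", "work_accident",          accident_date="2017-06-15"),
]

if __name__ == "__main__":
    today = date(2026, 3, 1)  # constructed review date
    for rec in SAMPLE_RECORDS:
        print(f"{rec.record_id}: expires {retention_expiry(rec).isoformat()}")
    print("due for secure destruction:", destruction_due(SAMPLE_RECORDS, today))
```

The schedule is deliberately a single table that HR and legal can review together; adding a data type without a trigger date fails loudly instead of producing a record that is never deleted, which is the "copies of ID cards kept indefinitely" mistake discussed later in the article.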
Sensitive Data HR Often Overlooks
Under Section 26 of the PDPA, Sensitive Data must be protected at a higher level than general personal data. Below are types of Sensitive Data that HR often collects without realizing that special conditions apply.
Criminal records — Pre-employment background checks must have a valid legal basis. Not every role requires such checks. They should be limited to positions where they are genuinely necessary, such as roles involving finance or security.
Medical examination results — Medical certificates containing detailed examination results are Sensitive Data. HR should retain only the summary result, such as fit or unfit for work, rather than all medical details.
Religion — Many organizations collect religious information on job application forms without necessity. If it is not being used for religious leave arrangements or specific benefits, it should not be collected.
Biometric Data — Fingerprints or facial scans used for attendance tracking are Sensitive Data under Section 26. Explicit consent is required, and an alternative option, such as an employee card, should be provided for those who do not consent.
Trade union information — Trade union membership is Sensitive Data and must not be used in decisions relating to hiring, promotion, or termination.
Drug test results — Some positions may require testing, but the results are health data and must be handled with particular care, with access restricted only to authorized decision-makers.
For all types of Sensitive Data, HR should obtain separate explicit consent for each item, clearly state the purpose, and provide an alternative for employees who do not consent.
10 Common Mistakes in Managing Employee Data
1. Keeping copies of ID cards indefinitely — No retention period is defined, and the data is not destroyed when it is no longer necessary.
2. Sending salary information by unencrypted email — Payslips sent as standard attachments may be intercepted. Use encrypted systems or allow employees to access them through an HR platform with authentication.
3. Allowing vendors to access employee data without a DPA — Payroll providers, HR system vendors, and health screening companies are all Data Processors and require a Data Processing Agreement (DPA) under Section 40.
4. Using consent as the legal basis for every case — Requiring employees to sign consent for everything means consent is not freely given and may be legally invalid.
5. Not having a Privacy Notice for employees — Many organizations have a Privacy Policy for customers but forget to prepare a Privacy Notice for employees, even though this is required under Section 23.
6. Collecting excessive data — Asking for irrelevant information on application forms, such as parents’ names and occupations, for positions where such checks are unnecessary.
7. Failing to restrict access rights — All HR staff can access all data, including salary and medical examination results. A Role-Based Access Control system should be implemented.
8. Having no process for handling data subject rights requests — When employees request access, correction, or deletion, HR has no clear procedure and cannot respond within the 30-day timeframe required by law.
9. Transferring data overseas without safeguards — Using a cloud-based HR system with servers located abroad constitutes a cross-border transfer. The organization must ensure that the destination country has adequate data protection standards or implement appropriate safeguards under Section 28.
10. Not training HR personnel — An HR team handling data without understanding the PDPA poses one of the highest risks to the organization. Training should be conducted at least once a year.
HR Checklist: 8 Actions You Must Take
To ensure your organization manages employee data in compliance with the PDPA, review the following checklist:
Prepare a Privacy Notice for employees that fully specifies the data collected, purposes, legal bases, retention periods, and employee rights.
Create a Data Inventory and ROPA to identify all employee data being processed, along with the legal basis, purpose, and recipients for each item.
Use separate Consent Forms for data processing that requires consent, especially Sensitive Data such as biometric data, medical examination results, and criminal records.
Define a Retention Schedule stating how long each type of data must be retained under relevant laws, together with a process for destruction once the period expires.
Put a DPA in place with every vendor that accesses employee data, including payroll providers, cloud HR systems, tax advisors, and health screening companies.
Implement Access Control based on job roles and responsibilities, restricting access to Sensitive Data to only those with a legitimate need.
Establish a process for handling data subject rights requests with defined steps, responsible personnel, and SLAs so requests can be fulfilled within 30 days.
Provide PDPA training to the HR team at least once a year, covering legal bases, data subject rights, data breach handling, and best practices in employee data management.
How to Handle Data Breaches Involving Employee Data
Data breaches involving employee data can occur in many forms, such as an email containing salary information being sent to the wrong recipient, an HR system being hacked, or paper documents containing employee data being lost. HR should be prepared to respond as follows:
Notify the Personal Data Protection Committee Office within 72 hours of becoming aware of the incident, in accordance with Section 37(4).
Inform affected employees without delay if the breach is likely to result in a high risk to their rights and freedoms.
Document the incident, including details of the breach, remediation measures, and steps taken to prevent recurrence.
Review security measures after every incident to close any identified gaps.
Having a clear Data Breach response plan (Incident Response Plan) enables the organization to respond quickly and reduce potential damage.
Summary
HR is the function with the most critical role in an organization’s PDPA compliance because it collects and processes the personal data of every employee throughout the employment lifecycle. Proper handling not only helps the organization avoid PDPA penalties, which may include fines of up to THB 5 million, but also builds employee trust that their data is being handled responsibly.
If you would like to assess your organization’s readiness for PDPA compliance, you can start with our PDPA Compliance Assessment or explore PrivacyHub, a platform that helps organizations manage consent, ROPA, data breaches, and data subject rights requests in one place.
For organizations that need specialized advice, you can contact Enersys to speak directly with our PDPA experts.