
Global data privacy has taken centre stage today. While the discussions mostly centre around how companies and governments can adhere to data protection & privacy regulations, this is also an essential consideration for academic institutions.

Asian international schools must be careful when handling their students’ data, specifically alumni data. Many students from Asian international schools study in prestigious universities and then work at global organizations, where they are entrusted with key tasks or company data. This data is often shared when former students register for the school’s alumni program.

While alumni data is typically used to send school newsletters, major announcements, and fundraising requests, there is always a risk that alumni’s information may be misused if proper safeguards aren’t in place. Compromising alumni information can jeopardize former students’ jobs and also affect the goodwill built by the school.

Here, we discuss how Asian international schools – particularly those located in Thailand – can adhere to the Thailand PDPA and EU GDPR global data privacy laws.


The General Data Protection Regulation (GDPR) is a regulation passed by the European Union (EU) to protect the data privacy of EU residents. According to the GDPR, any organization or academic institution offering services to any person who is a registered resident/citizen of an EU nation must comply with the GDPR requirements when handling their personal data.


The Personal Data Protection Act B.E.2652 (Thailand PDPA) is a rigorous data privacy & protection regulation implemented by the Kingdom of Thailand to safeguard its citizens’ data privacy. The PDPA offers guidelines that companies and academic institutions serving Thailand citizens must follow when seeking to collect and process their data.


  • Definition of personal data

Both regulations consider any information – whether individual or combined with other data types – that identifies a person to be personal data. This includes text, audio, video & photos for both, with social media posts and email IDs additionally covered under GDPR.

  • Geographical coverage

Both the PDPA and GDPR have global coverage. It doesn’t matter where your school is located in Asia. If you have/had Thailand or EU students, whether enrolled in the current academic year or as former students in your alumni program, then you will need to adhere to these regulations when processing their data.

  • Appointment of Data Protection Officer

All Asian international schools must hire a DPO, who will be in charge of ensuring that your school meets all the data protection regulations’ requirements. The DPO will also have to submit reports to the regulatory body (when asked) showing the framework they followed to adhere to the GDPR or PDPA.

  • Customer rights & consent

Under both regulations, EU nationals and Thailand citizens have the right to decide whether they want their personal data to be accessed and processed by the school/university. You must seek consent before using your alumni data for school marketing & operations.

If there has been a misuse of the data (i.e., you’ve used their data for something they have not expressly consented to), you must inform them of the issue within three days of the breach. Additionally, your alumni must have a seamless way to request the deletion of their personal data from your records, which you must comply with.

Key differences between EU GDPR and Thailand PDPA

| Criteria | Thailand PDPA | GDPR |
| --- | --- | --- |
| Regulatory coverage of deceased individual | PDPA does not cover a person who passed away 10+ years ago but covers the individual until the 10th death anniversary. | GDPR applies only to identifiable, living people and stops applying to an individual at the moment of their death. |
| Method of data processing | Does not identify the difference between automated and non-automated data processing. | Has stringent rules regarding the type of data processing used (and devices used in certain circumstances). |
| Data anonymity | It covers data that has been anonymized. | It does not include data anonymization, and anonymous alumni data does not fall under GDPR. |
| Bodies exempted from the regulation | Any law-making body, Governmental establishment and committees or credit bureaus hired by law-making bodies. Additionally, according to the PDPA, Data Controllers from certain businesses – including education institutions – are exempted from PDPA Chapters 2, 3, 5, 6 & 7 and Section 95 until 31 May 2021 to prepare for the regulation. | GDPR does not specifically state any exclusions from the regulations. |
| Nature of consent | Consent can be obtained either expressly in writing or be deemed consent, and it covers all data about the individual. | Consent for one activity will not cover others. Schools must seek consent for each data processing activity individually. |
| What data cannot be collected, used or disclosed? | There is no explicit mention of what sensitive data international schools and companies cannot collect/use/disclose. | Schools cannot collect/use/disclose data regarding alumni’s religious & ethical leanings, political ideology, biometric data, medical information & union membership. |
| At what age should students’ consent be received? | Parental consent is necessary for students under 10 years. For 10+ to 20 years, if data processing falls outside of the contract with the parent-student, both parental and student consent should be gained unless the student can comprehend the consent being sought and can make a balanced decision. | 13 or 16 years (depending on certain legal conditions). Parental consent is mandatory. |
| Penalties for non-compliance | Up to 5m THB for administrative fines. Criminal penalties of up to 1m THB, up to one year in jail or both. Punitive damages awarded to data subjects where the controller has caused harm up to 2 x the harm suffered. | €10 million to €20 million or 2%-4% of overall school’s annual revenue, whichever is greater. |

Tips for collecting GDPR- and PDPA-compliant alumni data

Now that we know how the EU GDPR and Thailand PDPA apply to international schools in Asia (and particularly Thailand), let’s understand how your school can remain compliant with both:

  • Create an inventory of all the alumni data you have

Identify what sources you use to collect alumni data, such as email, social media, telephone, school portal, etc. and collate the data you have. You should know where your data comes from and how much of it you have.

  • Hire a Data Protection Officer to vet this data for regulatory compliance

A DPO well versed in both the Thailand PDPA and EU GDPR can help your international school remain compliant with these regulations. If you don’t have a DPO, hire one today.

  • Seek express consent from alumni before you use their data for any alumni events

If you plan to collect, use, or dispose of alumni information, be sure to send a detailed email about it. Explain in simple and non-deceptive terms what data you’re referring to, how it will be collected, used and disposed of and when you will be doing this. Explain the role of any third parties you will be working with for this. Then implement ways to gain express consent from your alumni. This is achieved within your published privacy policy.

Any data collected from your alumni before 1st June 2021 can still be processed as long as it is for the same purpose originally consented to. Always provide a clear unsubscribe provision and include a section in your privacy policy explaining the continued collection.

  • Share GDPR and PDPA privacy rules with all departments of the school.

This is really important to ensure that every branch of your international school is adhering to the same set of data privacy regulations.

  • Implement data privacy techniques to correct any potential non-compliance

If you find that you haven’t put adequate GDPR and PDPA compliant measures in place, do so immediately. Past breaches can also make your school vulnerable to penalties.

  • Audit each step for potential regulatory checks

Although you may not be asked to submit any report to the authorities to prove your compliance, it’s best to be ready. So, audit your compliance regularly and create detailed reports. This can help you show your adherence to regulators.

  • Keep track of updates in the regulations.

Read up on any amendments or updates in the EU GDPR and Thailand PDPA to ensure you always remain compliant. Cross-check between both regulations to see if you have implemented what is needed in one but are missing what is needed in the other.
