Knowledge Base

PDPA Compliance for Freight Operations

Understanding Thailand's Personal Data Protection Act and its implications for freight forwarders handling shipper, consignee, and cargo data.

CustomsPDPA for Freight

Overview

The Personal Data Protection Act B.E. 2562 (2019), commonly known as the PDPA, is Thailand's comprehensive data privacy law. Fully effective since June 1, 2022, it regulates the collection, use, disclosure, and transfer of personal data by organizations operating in Thailand or processing the personal data of individuals in Thailand.

For the freight forwarding industry, the PDPA has significant implications. Every shipment involves the processing of personal data — shipper names, consignee addresses, phone numbers, email addresses, national ID or passport numbers, and tax identification numbers. This data flows through multiple parties in the supply chain: the shipper, the forwarder, customs brokers, carriers, warehouse operators, and government agencies.

The PDPA applies to freight forwarders in two capacities:

  • Data Controller — when the forwarder determines the purposes and means of processing (e.g., collecting client contact details for its own booking system).
  • Data Processor — when the forwarder processes data on behalf of another party (e.g., submitting a declaration to Customs using data provided by the shipper).

Non-compliance with the PDPA can result in administrative fines of up to 5 million THB, criminal penalties including imprisonment of up to one year, and civil liability for actual damages with potential punitive damages of up to twice the actual amount. Beyond legal penalties, data breaches erode client trust and can result in loss of business.

Personal Data in Freight Operations

Freight forwarders routinely handle several categories of personal data protected under the PDPA:

Data TypeExamplesWhere It Appears
Identity dataFull name, national ID, passport numberAWB, B/L, customs declaration, certificates of origin
Contact dataAddress, phone number, email, LINE IDBooking records, delivery instructions, AWB notify party
Financial dataTax ID, bank account (for duty refunds), credit termsCustoms declaration, invoice, payment records
Shipment dataGoods description, value, origin/destinationAWB, commercial invoice, packing list

While shipment data (goods description, HS codes, weights) is generally not personal data on its own, it becomes personal data when it is linked to an identifiable individual — for example, a consignee who is a natural person rather than a corporation.

The PDPA defines personal data broadly as any information relating to an individual that can directly or indirectly identify that person. A Thai 13-digit tax ID assigned to a sole proprietor, for example, is personal data even though it is also a business identifier.

Freight forwarders should maintain a data inventory — a comprehensive record of what personal data they collect, why they collect it, where it is stored, who has access, and how long it is retained. KabyTech provides a built-in data mapping tool that auto-identifies personal data fields across all shipment records.

Data Processing and Consent Requirements

Under the PDPA, personal data may only be processed with a valid legal basis. The most relevant bases for freight operations are:

  • Contractual necessity — processing is necessary to perform a contract with the data subject (e.g., using a consignee's address to deliver their shipment). This is the most commonly relied-upon basis in freight.
  • Legal obligation — processing is required by law (e.g., submitting shipper/consignee data to Thai Customs as required by the Customs Act).
  • Legitimate interest — processing is necessary for a legitimate interest of the controller, provided it does not override the data subject's rights (e.g., fraud prevention, internal audit).
  • Consent — the data subject has given explicit, informed, and freely given consent. This is required when none of the other bases apply.

In most freight forwarding scenarios, contractual necessity and legal obligation cover the majority of data processing activities. Explicit consent is typically needed only for marketing communications, sharing data with third parties for non-operational purposes, or processing sensitive data (e.g., health data for dangerous goods declarations involving biological samples).

Regardless of the legal basis, forwarders must provide a privacy notice to data subjects at or before the time of collection. The notice must state what data is collected, why, who it may be shared with, how long it will be retained, and how the data subject can exercise their rights (access, correction, deletion, portability).

KabyTech generates privacy notice templates customized for freight forwarding operations, covering all standard data collection points — booking forms, AWB capture, customs filing, and delivery confirmation.

Cross-Border Data Transfers

International freight forwarding inherently involves cross-border data flows. Shipper data from a Thai exporter may be transmitted to a consignee's agent in China, a carrier's system in Japan, or a customs authority in the EU. The PDPA imposes restrictions on transferring personal data outside Thailand.

The PDPA permits cross-border transfer when:

  • The destination country has adequate data protection standards as determined by the Personal Data Protection Committee (PDPC). As of the latest guidance, the PDPC has not yet published a formal adequacy list, so forwarders must rely on other mechanisms.
  • The transfer is necessary for the performance of a contract between the data subject and the controller (e.g., delivering an international shipment).
  • The transfer is necessary for compliance with a legal obligation (e.g., submitting data to a foreign customs authority as required by international trade law).
  • The data subject has given explicit consent after being informed of the inadequate protection standards in the destination country.
  • Appropriate safeguards — are in place — such as binding corporate rules, standard contractual clauses, or a group enterprise data protection policy.

For freight forwarders shipping to the EU, additional compliance with the GDPR may be required if the EU-based consignee is a natural person. For shipments to China, the PIPL (Personal Information Protection Law) imposes its own cross-border transfer requirements. KabyTech supports configurable data handling rules per destination country, ensuring that the appropriate safeguards are applied automatically.

KabyTech encrypts all personal data in transit (TLS 1.3) and at rest (AES-256). Data residency options allow customers to choose whether their data is stored in Thailand-based servers only, or replicated to regional nodes for performance. Audit logs track every cross-border data transfer for compliance reporting.

Summary

Thailand's PDPA is a comprehensive data privacy law that applies directly to freight forwarding operations. Every shipment involves personal data — names, addresses, tax IDs, contact details — and forwarders must process this data in compliance with the Act.

Key compliance points for freight forwarders:

  • Identify your role (controller vs. processor) for each data processing activity.
  • Rely on contractual necessity and legal obligation as the primary legal bases; obtain consent when required.
  • Provide a clear privacy notice at the point of data collection.
  • Implement appropriate safeguards for cross-border data transfers.
  • Maintain a data inventory and retention policy; honor data subject rights (access, correction, deletion).

KabyTech is designed with PDPA compliance built in — from field-level encryption and configurable retention policies to automated privacy notices and cross-border transfer controls. This allows freight forwarders to focus on moving cargo while KabyTech handles the data protection requirements behind the scenes.

Ready to automate customs filing?

Start your free 30-day trial. Integrate with Thai e-Customs EDI directly.

Start Free TrialView e-Customs Product