Telemedicine Practices and Data Protection Compliance in Thailand - Global Law Experts | GLE News


Telemedicine Practices and Data Protection Compliance in Thailand

posted 1 week ago

I. Introduction to Telemedicine in Thailand

Telemedicine has emerged as one of the most transformative innovations in healthcare. By leveraging modern communication technologies, telemedicine enables the delivery of medical services regardless of geographic barriers. As the global demand for accessible, efficient, and cost-effective healthcare increases, many countries have embraced telemedicine to overcome traditional challenges such as distance, cost, and limited access to medical expertise.

Thailand, with its rapidly developing digital infrastructure and progressive approach to healthcare, is becoming a prominent destination for telemedicine providers. However, alongside its tremendous growth potential, Thailand presents unique challenges, particularly in the realm of data protection and privacy. For both local and international telemedicine platforms, understanding and complying with the local legal environment is critical. The country’s evolving legal landscape, especially concerning data protection, patient privacy, and healthcare standards, requires providers to implement robust compliance measures. Doing so not only safeguards sensitive patient information but also builds trust with users, ensuring sustainable business growth in a competitive market.

In this guide, we delve into the key considerations for data compliance, discuss the relevant regulatory frameworks under Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), and outline practical steps for telemedicine platforms to navigate these regulations. By doing so, telemedicine providers can effectively mitigate risks, secure patient data, and maintain a competitive edge in the Thai market.

II. Health Information Protection Before the Enforcement of the Personal Data Protection Law

  1. The National Health Act and Ministerial Regulation

Thailand’s regulatory framework for data protection has undergone significant evolution over recent years. Prior to the enactment of the PDPA in 2019, a combination of the Thai Constitution, the Thai Civil and Commercial Code, and sector-specific regulations such as the National Health Act B.E. 2550 (2007) (“National Health Act”) played pivotal roles. The National Health Act mandated that personal health information be kept confidential. Specifically, Section 7 of the National Health Act required that such information not be disclosed in a manner that could harm the data subject, except when authorized by the individual or required by law.

The Ministerial Regulation on the Protection and Management of Personal Health Information B.E. 2561 (2018) (“MR”) provided further details on the scope and nature of personal health information. Clause 4 of the MR defined personal health information as encompassing a variety of documents, case files, reports, and other materials capable of identifying an individual’s health status. Clause 11 offered an exhaustive list of items considered personal health information, such as:

  • Health History: Such as height, weight, blood type, and body shape.
  • Medical Records: Such as nursing records, laboratory examinations, and x-ray films.
  • Related Documents: Any documents or objects that relate to the above data.
  • Photographic Evidence: Images of medical personnel or actions during treatment.
  • Additional Information: Any further information as specified by the Personal Health Data Protection and Management Committee.

  2. Penalties for Non-Compliance

Before the PDPA’s enactment, violations regarding the unlawful or unauthorized disclosure of personal health information were met with the penalties prescribed under the National Health Act. Under Section 49 of the National Health Act, such violations could result in imprisonment of up to six months, a fine of up to 10,000 THB, or both. Moreover, wrongful use of personal data was addressed under Section 420 of the Civil and Commercial Code, which provided for civil liability in cases where data misuse resulted in harm to the data subject.

  3. Transition to the PDPA

In 2019, the PDPA was published in the Royal Gazette, marking a significant shift in Thailand’s data protection landscape. With its comprehensive framework, the PDPA rendered the earlier MR obsolete. The Medical Council of Thailand subsequently issued a new Ministerial Regulation on the Revocation of the MR B.E. 2565 (2022). This evolution represents Thailand’s commitment to aligning its data protection standards with international best practices.

III. What Is Health Information?

As a result of the MR’s revocation, Thailand no longer has a statutory definition of health information, a definition that is crucial for personal data protection and for compliance with obligations under the PDPA. Telemedicine platforms therefore need to understand the personal data in their possession and handle such data according to the PDPA.

In the absence of subordinate regulations, directives, or guidelines clarifying the extent and scope of health information under the PDPA, it is worth exploring the definition given under the European Union General Data Protection Regulation (2016/679) (“EU GDPR”), which was a core foundation of the Thai PDPA and contains many similar provisions, with differences tailored to Thailand’s context.

Article 4 (15) of the EU GDPR defines ‘data concerning health’ as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. This broad definition is intended to encompass a wide range of data points that can directly or indirectly indicate a person’s health condition.

Additionally, the European Parliament and the Council of the European Union opined that ‘personal data concerning health’ should include all data pertaining to the health status of a data subject which reveals information relating to the past, current, or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services; a number or symbol assigned to a natural person to uniquely identify that person for health purposes; information derived from the testing or examination of a body part or bodily substance; and any information on a disease, disability, disease risk, medical history, clinical treatment, or the physiological or biomedical state of the data subject, independent of its source, such as a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.

Recital 51 of the EU GDPR further specifies that the processing of certain types of personal data should not systematically be considered processing of a special category of personal data; however, given specific technical means and a specific processing context, it may be. The example given is the processing of photographs, which should not systematically be considered to be the processing of special categories of personal data, as photographs are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.

By this principle, personal data that is not obviously and clearly health information could nevertheless be considered health information depending on the context of the personal data processing activities.

IV. Overview of PDPA Compliance for Telemedicine Platforms

The PDPA extends its reach not only to local businesses but also to international data controllers who process the personal data of Thai residents. This extraterritorial effect means that even telemedicine platforms headquartered outside Thailand must comply with the PDPA if they process personal data of individuals located in the country.

  1. Extraterritorial Applicability

According to Section 5, Paragraph 2 of the PDPA, foreign data controllers are subject to the PDPA if any of the following criteria are met:

  1. Processing Data of Thai Residents: If the platform processes personal data of data subjects located in Thailand.
  2. Offering Goods or Services: If the platform offers goods or services to data subjects in Thailand, irrespective of whether payment is received.
  3. Monitoring Behavior: If the platform monitors the behavior of data subjects while they are in Thailand.

  2. Obligations for Telemedicine Providers

Once the PDPA applies, telemedicine providers (whether local or international) must adhere to various obligations under the PDPA, some of which include:

  • Data Collection and Processing: Ensure that personal data is collected, used, and disclosed with a legal basis supporting each processing activity.
  • Privacy Notices: Clearly communicate to data subjects how their personal data will be used.
  • Security Measures: Implement appropriate technical and organizational measures to safeguard personal data.
  • Data Subject Rights: Provide mechanisms for data subjects to exercise their rights (e.g., access, correction, deletion).
  • Breach Notification: Establish procedures to notify both the regulatory authority and affected data subjects in the event of a data breach.
  • Record-Keeping: Maintain a Record of Processing Activities (ROPA) to document data processing practices.

These obligations are critical for maintaining compliance, preventing legal liability, and preserving the trust of patients who rely on telemedicine services.

V. Privacy Notice / Privacy Policy Under the PDPA

One of the foundational requirements under the PDPA is the preparation and dissemination of a comprehensive privacy notice or privacy policy (hereinafter referred to as “privacy policy”). This document serves to inform data subjects about how their personal data is collected, processed, stored, and shared.

  1. Content of the Privacy Policy

Under Section 23 of the PDPA, data controllers must notify data subjects of the purposes of data collection prior to or at the time of collection. Although the PDPA does not mandate a specific method of communication, common practices include written notices, electronic pop-ups on websites or applications, or verbal communications as applicable.

  2. Best Practices for Drafting a Privacy Policy

For telemedicine platforms, drafting a privacy policy involves a deep understanding of the personal data flows within the organization. Therefore, understanding the customer journey is vital for telemedicine platforms in the preparation of the privacy policy, as each touchpoint involves the collection and processing of personal data. Let’s explore this journey in detail:

  (a) Sign-Up / Registration

During the initial sign-up process, users are generally required to provide basic personal data such as their name, age, contact details, and passport or national identification card details, and in some cases initial health information such as their height, weight, medical history, and personal allergies. This stage sets the foundation for subsequent interactions and must be handled with the highest level of security and clarity regarding data usage. During this phase, explicit consent is often required, particularly if sensitive personal data is being collected.

  (b) Booking / Appointment Scheduling

Once registered, users schedule appointments with healthcare providers. The booking process may involve selecting a healthcare professional based on specialty, availability, or patient reviews. Additional forms might be used to capture medical history or current health conditions.

  (c) Consultation

Consultations are the core of telemedicine services. Whether conducted via video calls, chat sessions, or telephone, these interactions involve real-time exchange of sensitive health information. Data from these sessions may include verbal communications, visual data, and records of diagnosis and treatment.

  (d) Post-Consultation Services

After the consultation, several processes may occur:

  • Payments: Patients make payments through integrated or third-party payment gateways. This process generally involves third-party service providers.
  • Insurance Claims: In some cases, patients may file insurance claims. Telemedicine platforms might assist in this process by forwarding relevant health information to insurers.
  • Medicine Delivery: If medication is prescribed, delivery logistics come into play. This may involve sharing personal data (such as address and contact information) with third-party courier services.
  • Follow-up Appointments: Follow-up consultations or treatment plans may be scheduled, requiring further data collection.
  • Feedback and Reviews: Post-consultation feedback is often solicited to improve service quality. While this may involve general data, any health-related feedback is treated with heightened sensitivity.

VI. Legal Bases for Each Activity

Different stages of the customer journey require distinct legal bases under the PDPA. For example:

| Activity | General Personal Data | Sensitive Personal Data |
| --- | --- | --- |
| Sign-up / Registration | Necessary to enter into / performance of a contract (Section 24 (3)) | Explicit consent (Section 26) |
| Booking / Appointment | Necessary to enter into / performance of a contract (Section 24 (3)) | Explicit consent (Section 26) |
| Consultation | Necessary to enter into / performance of a contract (Section 24 (3)) | Necessary for compliance with a law in respect of the provision of health or social care / Explicit consent (Section 26 (5)(a) / Section 26) |
| Payment and Billing | Necessary to enter into / performance of a contract (Section 24 (3)) | Explicit consent (Section 26) |
| Insurance Claims | Legitimate interest (Section 24 (5)) | Explicit consent (Section 26) |
| Medicine Delivery | Necessary to enter into / performance of a contract (Section 24 (3)) | Explicit consent (Section 26) |
| Feedback / Reviews | Legitimate interest (Section 24 (5)) | Explicit consent (Section 26) |

Important Remark: The table above is intended for reference only. The legal basis for each activity may differ depending on the actual data processing activities, the personal data involved, and the facts and circumstances.

Notably, Section 26 (5)(a) of the PDPA allows the data controller to process sensitive personal data without obtaining the data subject’s consent where this is necessary for compliance with a law in respect of preventive medicine or occupational medicine, medical diagnosis, the provision of health or social care, or medical treatment, or, where it is not for compliance with a law, for the performance of a contract between the data subject and the medical practitioner. Although the provision of medical services itself may rely on this consent exemption, the other processes in the patient’s customer journey do not qualify for it (e.g., where sensitive personal data is used in the sign-up/registration process or the booking/appointment process). The exemption under Section 26 (5)(a) also does not extend to the use of sensitive data for processes necessary to enter into a contract in the sense of Section 24 (3); consent is therefore still required for the data subject’s use of the telemedicine platform.

VII. Processing Personal Data of Minors, Quasi-Incompetent Persons, or Incompetent Persons

Where a patient is under 20 years of age, or is a quasi-incompetent person, or is an incompetent person (collectively referred to as a “sensitive data subject”), Section 20 of the PDPA requires their consent to be accompanied by the consent of their respective legal representative, guardian, or curator. However, if the patient is under 10 years of age, the sole consent of the minor’s legal representative is sufficient.

It must also be noted that Section 24 of the Thai Civil and Commercial Code provides an exemption to this consent scheme: acts that are suitable to the minor’s condition in life and actually required for their reasonable needs may be done without obtaining the consent of the legal representative.

In this regard, it may be considered that a minor between 10 and 20 years of age may give sole consent for the collection, use, and disclosure of personal data and sensitive personal data for telemedicine consultation purposes, where this is deemed suitable to their condition in life and actually required for their reasonable needs.

VIII. Data Subject Rights and Request Compliance Under the PDPA

The PDPA enshrines several rights for data subjects. Telemedicine platforms must have robust processes to facilitate these rights and ensure that data subjects can exercise them without undue barriers.

  1. Overview of Data Subject Rights

The PDPA grants data subjects the following rights:

  1. Right to Access: Data subjects may request copies of their personal data.
  2. Right to Data Portability: Individuals can obtain their personal data in a structured, commonly used format.
  3. Right to Object: Data subjects may object to certain personal data processing activities.
  4. Right to Delete: Also known as the “right to be forgotten,” this allows data subjects to request deletion or anonymization of their personal data.
  5. Right to Restrict Processing: In certain circumstances, processing may be limited or suspended.
  6. Right to Rectification: Data subjects can have inaccurate or incomplete personal data corrected.
  7. Right to Lodge a Complaint: Data subjects can lodge complaints with regulatory authorities.
  8. Right to Withdraw Consent: Where processing is based on consent, data subjects may withdraw that consent at any time.

  2. Procedures for Data Subject Rights Requests (DSRR)

Upon receiving a data subject request, telemedicine platforms should follow a set of protocols for handling the DSRR, to ensure that the request is processed in a timely and effective manner and logged in accordance with the law. We summarize a sample DSRR process as follows:

  1. Verification: Confirm the identity of the data subject or their representative, including the representative’s authority to act on behalf of the data subject (e.g., the power of attorney).
  2. Clarification: Request additional information if the request is ambiguous.
  3. Documentation: Record all details of the request, including the data subject’s identity, nature of the request, and any provided details.
  4. Data Retrieval: Locate and compile the relevant data per the DSRR.
  5. Review for Exemptions: Determine if any exemptions apply (e.g., legal obligations to retain data for medical records).
  6. Response: Communicate a clear response—either fulfilling the request, rejecting it, or outlining why an exception applies.
  7. Record-Keeping: Maintain records of the request and response for regulatory audits.
  3. Challenges and Best Practices

Timely and effective handling of DSRRs is critical to maintaining trust and regulatory compliance. Organizations are encouraged to establish internal guidelines, provide staff training, and consider automating parts of the DSRR process where feasible.

IX. Record of Processing Activities (ROPA)

Maintaining a detailed Record of Processing Activities (ROPA) is not only a regulatory requirement under Section 39 of the PDPA, but also a best practice that facilitates accountability and transparency.

  1. What Must Be Recorded

A comprehensive ROPA should include, (1) the collected personal data; (2) the purpose of the collection of personal data in each category; (3) details of the data controller; (4) the retention period of personal data; (5) rights and methods for accessing personal data, including conditions for exercising these rights; (6) the use or disclosure of personal data; (7) rejection or objection to the data subject’s rights request; and (8) explanation of the appropriate security measures.

  2. Exemptions for SMEs

However, certain data controllers may be exempt from recording items (1) through (6) and (8), provided they qualify as a small organization. The PDPC defines a “small organization” in its Announcement on Exemptions for Small and Medium Enterprises (SMEs). An SME may be exempt from maintaining a full ROPA if it employs fewer than 100 people and has annual revenue of no more than 300,000,000 THB. Nevertheless, an SME data controller may still be required to maintain a full ROPA where its personal data processing activities (1) pose risks to the rights and freedoms of data subjects; (2) are not occasional (i.e., processing occurs periodically); or (3) involve sensitive personal data.

Therefore, for telemedicine platforms, where sensitive personal data such as health information is integral to the customer journey, maintaining a full ROPA becomes unavoidable.

X. Appropriate Security Measures for Telemedicine Platforms

Section 37 (1) of the PDPA requires a data controller to provide appropriate security measures to prevent the unauthorized or unlawful loss of, access to, use, alteration, correction, or disclosure of personal data. In this regard, the appropriate security measures for telemedicine platforms should focus on maintaining the confidentiality, integrity, and availability of personal data.

According to the PDPC’s Announcement on Security Measures for Personal Data, the security measures should contain at least the following mechanisms: (1) access controls that allow access to personal data only on a need-to-know basis, supported by identity proofing, authentication, and authorization procedures; (2) user access management, including registration and de-registration of access rights; (3) prescribed user responsibilities; and (4) audit trails that enable the review of access to, and changes, alterations, or deletions of, personal data.

The duty to implement appropriate security measures also extends to the obligations imposed on the telemedicine platform’s data processors (such as medicine delivery service providers), which must likewise prevent the unauthorized or unlawful loss of, access to, use, alteration, correction, or disclosure of personal data.
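As an added example (not code from the article or from the PDPC announcement), the following Python sketch models the four mechanisms listed above over a constructed patient-record store: need-to-know role permissions, user registration and de-registration, password-based authentication, and an append-only audit trail that records denied attempts as well as allowed access. All user names, roles, patients and field names are constructed sample data.

```python
"""Added example (not from the article or the PDPC): need-to-know access control,
user registration/de-registration, role responsibilities and an audit trail over
patient records. All users, roles, patients and field names are constructed."""
from collections import namedtuple
from datetime import datetime, timezone
import hashlib, hmac, secrets

# Prescribed user responsibilities as a need-to-know matrix: which role may take
# which action on which category of data ("general" = identity and contact
# details, "health" = sensitive health information).
PERMISSIONS = {
    "physician": {("general", "read"), ("health", "read")},
    "courier": {("general", "read")},  # delivery needs name/address only
    "dpo": {("general", "read"), ("health", "read"),
            ("general", "delete"), ("health", "delete")},
}
FIELD_CATEGORY = {"name": "general", "address": "general",
                  "diagnosis": "health", "prescription": "health"}

class AccessDenied(Exception):
    pass

Session = namedtuple("Session", "user role")
AuditEvent = namedtuple("AuditEvent", "ts user action patient_id fields outcome")

class PatientStore:
    def __init__(self):
        self._users = {}   # username -> (salt, password_hash, role)
        self.records = {}  # patient_id -> {field: value}
        self.audit = []    # append-only trail of every access decision

    # --- user access management: registration and de-registration ---
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, username, password, role):
        if role not in PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt), role)

    def deregister_user(self, username):
        # Removing the account also invalidates any session the user still holds.
        self._users.pop(username, None)

    def authenticate(self, username, password):
        entry = self._users.get(username)
        if entry is None:
            return None
        salt, stored, role = entry
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        return Session(username, role)

    # --- authorization, with every decision written to the audit trail ---
    def _authorize(self, session, action, patient_id, fields):
        entry = self._users.get(session.user)
        allowed = entry is not None and entry[2] == session.role and all(
            (FIELD_CATEGORY[f], action) in PERMISSIONS[session.role] for f in fields)
        self.audit.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), session.user, action,
            patient_id, tuple(fields), "allowed" if allowed else "denied"))
        if not allowed:
            raise AccessDenied(f"{session.user} may not {action} {fields}")

    def read(self, session, patient_id, fields):
        self._authorize(session, "read", patient_id, fields)
        return {f: self.records[patient_id][f] for f in fields}

    def delete(self, session, patient_id):
        self._authorize(session, "delete", patient_id,
                        list(self.records[patient_id]))
        del self.records[patient_id]

def demo():
    """Constructed scenario; returns the audit trail for inspection."""
    store = PatientStore()
    store.register_user("dr_a", "correct horse", "physician")
    store.register_user("rider_b", "battery staple", "courier")
    store.records["P-001"] = {"name": "Sample Patient", "address": "1 Example Rd",
                              "diagnosis": "sample", "prescription": "sample"}
    doc = store.authenticate("dr_a", "correct horse")
    courier = store.authenticate("rider_b", "battery staple")

    def attempt(fn):  # run an operation, keeping going when it is refused
        try:
            fn()
        except AccessDenied:
            pass
    attempt(lambda: store.read(doc, "P-001", ["diagnosis"]))            # allowed
    attempt(lambda: store.read(courier, "P-001", ["name", "address"]))  # allowed
    attempt(lambda: store.read(courier, "P-001", ["diagnosis"]))        # beyond need-to-know
    attempt(lambda: store.delete(doc, "P-001"))                         # physician cannot delete
    store.deregister_user("rider_b")
    attempt(lambda: store.read(courier, "P-001", ["address"]))          # stale session
    return store.audit
```

Denied attempts appear in the trail alongside allowed ones, which is what makes the audit trail usable for reviewing access under mechanism (4) rather than only reconstructing successful changes.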

XI. Personal Data Breach and Breach Notification Procedures

Despite the best security measures, data breaches can still occur. The PDPA and related guidelines require prompt and transparent actions in response to any breach of personal data.

  1. Definition

Under the PDPC’s Announcement on the Criteria and Methods for Reporting Personal Data Breach Incidents[1], a personal data breach is defined as a breach of security measures that results in the unauthorized or unlawful loss, access, use, alteration, modification, or disclosure of personal data, whether caused by intent, willfulness, negligence, unauthorized or unlawful acts, computer-related crimes, cyber threats, errors, malfunctions, accidents, or any other cause. This definition covers a wide range of events, from an employee losing a computer containing a patient’s personal data to a breach of the telemedicine platform’s implemented security measures.

  2. Procedures

In the event of a personal data breach, the telemedicine platform may consider the following protocols:

  1. When a personal data breach is reported by any source: (1) assess the reliability of the information and investigate the facts regarding the breach as soon as possible; and (2) assess whether the breach is likely to affect the rights and freedoms of the data subjects.
  2. Once the information has been assessed as reliable, i.e., a personal data breach has actually occurred and may affect the rights and freedoms of the data subjects, the data controller must notify the PDPC of the breach as soon as possible and in any case within 72 hours of becoming aware of the incident. The breach notification shall include: (1) brief information on the breach, including its nature (e.g., whether it is a confidentiality, integrity, or availability breach) and the number of affected data subjects; (2) the name, location, and contact method of the data controller and its data protection officer; (3) information on the potential effects that may arise from the incident; and (4) the measures the data controller has taken or will take to prevent or remedy the breach or to remedy the damage.
  3. If the breach is likely to result in a high risk to the rights and freedoms of the data subjects, the data controller must also notify the affected data subjects of the incident without delay.
  4. Proceed to mitigate, respond to, rectify, and/or restore the situation resulting from the breach, and take the necessary measures to ensure that a breach of the same nature does not recur, by reviewing the security measures for efficiency and effectiveness.

It is recommended that telemedicine platform service providers exercise careful consideration when assessing the level of risk associated with a personal data breach incident. Because telemedicine platforms process health information, a breach will likely be regarded as posing a high risk to the rights and freedoms of the data subjects; hence, the telemedicine platform service provider may be required to notify the affected data subjects as well.

XII. Processing of Sensitive Personal Data by Data Processors

Based on the basic customer journey of telemedicine platform users set out above, a data processor may be involved in one or more processes (e.g., an outsourced registration provider or a courier service for medicine delivery), depending on the actual business conducted by each telemedicine platform provider. Regardless of the number of data processors involved, Section 37 (2) of the PDPA requires a data controller to take action to prevent the recipient of personal data (who is not a data controller) from using or disclosing such personal data unlawfully or without authorization. Although the statutory text does not give clear direction on how the data controller should prevent the recipient from using or disclosing the personal data received, Section 40 Paragraph 3 reaffirms that the data controller is required to prepare an agreement controlling the activities carried out by its data processor so that they comply with the data processor’s obligations under the PDPA. Such an agreement is commonly known as a data processing agreement or “DPA”.

  1. Data Processing Agreements (DPAs)

A general DPA shall contain at least the following provisions: (1) a restriction on the right to use or disclose the personal data received, such that the data processor may carry out personal data processing activities only in accordance with the instructions given by the data controller or within the scope of authority granted by the data controller; (2) a requirement that the data processor put in place appropriate security measures to prevent unauthorized or unlawful access to, use, alteration, correction, or disclosure of personal data; (3) a requirement that the data processor record its personal data processing activities (the details of which differ from those the data controller is required to prepare and maintain, as prescribed under the PDPC’s Announcement on Criteria and Methods for Preparing and Maintaining a Record of Personal Data Processing Activities for a Data Processor B.E. 2565), provided that such record must be accessible to the PDPC or the data controller upon request; and (4) a requirement that the data processor notify the data controller of any personal data breach incident (as soon as possible or within a reasonable timeframe, bearing in mind that the data controller remains obligated to notify the breach within 72 hours of becoming aware of it).

In addition to the above, the telemedicine platform provider may also consider incorporating additional obligations to enhance the protection of patients’ personal data, such as confidentiality clauses, a duty to cooperate with the data controller in complying with DSRRs, a duty to delete, destroy, or return personal data provided by the data controller, and restrictions on engaging sub-processors.

  2. Practical Example

On a practical level, take the example of a telemedicine platform using a courier service provider to deliver medicine to patients after consultation. The DPA must be signed between the telemedicine platform provider and the courier company; the messenger delivering the medicine is merely an employee of the courier company and is not required to sign the DPA. The DPA should contain confidentiality clauses ensuring that the courier company’s employees are bound by confidentiality even though they did not sign the DPA themselves, as well as restricting their use of the personal data provided by the telemedicine platform. Generally, the personal data disclosed to the courier company may include only general personal data of the patients (such as name, home address, and telephone number); however, the telemedicine platform provider may enhance the protection of patients’ personal data by incorporating a clause prohibiting the courier company’s employees from opening envelopes (such as envelopes containing bills and medical certificates) that may contain sensitive personal data. Thus, the DPA must be tailored for each telemedicine platform depending on the type of service used, the personal data disclosed, and other factors.

Consider a telemedicine platform that partners with a courier service for medicine delivery. The DPA with the courier service must ensure that the employees handling the delivery are aware of confidentiality requirements and that personal data is not misused or disclosed beyond the necessary scope.

XIII. Designating a Representative and a Data Protection Officer (DPO) in Thailand

  1. Designating a Representative for Foreign Providers

Foreign telemedicine providers offering services to Thai residents must designate a representative in Thailand under Section 5, Paragraph 2 of the PDPA. This representative acts on behalf of the provider for all data protection matters and ensures accountability. The representative must be located in Thailand and is subject to potential fines if the provider fails to meet PDPA obligations.

Although an exemption from the obligation to designate a representative is prescribed under Section 38 of the PDPA, considering the nature of telemedicine platforms, how they generally process personal data, and the personal data and sensitive personal data involved in the customer journey, a telemedicine platform is highly unlikely to be exempted from this obligation.

  2. Appointment of a Data Protection Officer (DPO)

A general obligation under Section 41 of the PDPA requires the data controller to designate a data protection officer if the data controller (1) is a public authority; (2) regularly monitors the collection, use, and disclosure of personal data or processes a large volume of personal data; or (3) has core personal data processing activities that involve sensitive personal data.

Again, considering the nature of telemedicine platforms and how they generally process personal data, it is undeniable that the core business of telemedicine platforms involves the processing of sensitive personal data (i.e., health information). Therefore, telemedicine platform providers are obligated to designate a DPO. However, SME telemedicine platform providers often do not have their own legal team, in which case an external or outsourced DPO may be designated for the same purpose.

XIV. Use of Sensitive Personal Data (Health Information) for Telemarketing Purposes

  1. Restriction on the Use of Sensitive Personal Data for Marketing Purposes

The simple answer is no: sensitive personal data, whether health information or any other type, cannot and must not be used for telemarketing, direct marketing, account-based marketing, or any other kind of marketing purpose without the explicit consent of the data subject. That is, direct marketing that uses a patient’s health information to tailor or customize the marketing communications is strictly prohibited unless the patient’s consent has been given.

Instead, telemedicine platforms may send marketing advertisements to patients relying on a legal basis other than consent (e.g., legitimate interest), provided that the personal data used in the telemarketing process is limited to general personal data (e.g., email addresses). For example, sending communications about applicable discounts to all patients’ email addresses, without tailoring or customizing the content of the marketing materials sent to each patient, may rely on a legitimate interest basis, provided that patients are given an opt-out from marketing communications.

  2. Best Practices for Marketing Communications

Instead of direct marketing using sensitive data, telemedicine platforms may:

  • Use general personal data (e.g., email addresses) for mass communications whose content is not tailored or customized to individual patients; such communications may rely on a legitimate interest basis, provided that patients are given an opt-out from marketing communications.
  • Rely on non-personalized advertising through website or application pop-ups or social media channels.

XV. Frequently Asked Questions (FAQs)

Q1: Does Weight and Height Qualify as Health Information?

As mentioned above, under the current regime the PDPA neither provides a clear definition of health information nor any subordinate regulations, directives, or guidelines on the extent of its meaning. Thus, depending on the context in which the weight and height information appears, what it indicates, and the purpose for which the personal data is collected, weight and height information could be either general personal data or sensitive personal data.

Take, for example, a Thai national identification card, which bears a picture of the data subject standing in front of a background with a height scale. From that alone, a person’s height can be read. However, in the usual context in which a national identification card is collected and used (e.g., identity verification and authentication), the person’s height plays no role in the personal data processing activities. Hence, it should be treated as general personal data.

However, when a person uses telemedicine services, the patient is required to input their weight and height during the personal health background check and confirmation. This data is then recorded and used to support the doctor in providing medical advice. For example, if a person weighs over a hundred kilograms and is one hundred and fifty centimetres tall, that combination points to certain diseases with which the person may be diagnosed. Although weight and height alone are not sufficient for doctors or medical practitioners to pinpoint the exact disease affecting such a person, together with additional information they play a vital role in the doctor’s or medical practitioner’s analysis.

Although a definite answer as to whether weight and height are general personal data or sensitive personal data cannot be given, owing to the lack of a clear definition under the law, the other factors surrounding the collection, use, or disclosure of such data must be taken into account.

Q2: Can a Patient Request Deletion of Their Health Information?

Under Section 33 (1) and (2) of the PDPA, data subjects have the right to request deletion (or anonymization) of their personal data if:

  • The data is no longer necessary for the purpose for which it was collected.
  • The data subject withdraws their consent, and no other legal basis for processing exists.

However, telemedicine platforms are required to retain the patient’s medical record for at least 5 years in accordance with the NHA. Therefore, unless the patient has ceased to use the telemedicine platform’s service for 5 consecutive years, the telemedicine platform is exempted from complying with this DSRR.

XVI. Conclusion

As telemedicine continues to revolutionize the healthcare industry, ensuring robust compliance with data protection laws such as the GDPR and Thailand’s PDPA is critical. Health information, being sensitive personal data, demands the highest level of security and compliance to protect patient privacy and maintain trust in digital healthcare services.

For telemedicine platforms operating in Thailand, the interplay between local regulations and international data protection frameworks necessitates a meticulous approach to data processing. Businesses must navigate various legal challenges, including obtaining valid consent, implementing strong security measures, and complying with data subject rights.

Failure to comply with data protection laws can lead to reputational damage, regulatory penalties, and potential legal liabilities. However, by adopting best practices such as maintaining transparent privacy policies, reviewing personal data processing activities and ensuring that there are appropriate legal bases in place, and employing strict security measures, telemedicine platform providers can create a safe and legally compliant environment for handling health information.

In conclusion, the landscape of health information regulation is complex and continuously evolving. Telemedicine platform providers must proactively update their policies and compliance strategies to align with changing regulations, ensuring that patient rights remain protected while fostering innovation in digital healthcare solutions. By doing so, they can contribute to a more secure, efficient, and globally compliant telemedicine ecosystem.
