PDPA is a new law enacted to protect personal data, including the collection, use, processing, and disclosure of this data. This can directly affect every organization, especially within the Personnel Department and/or Human Resources Department, which tend to be departments that have the most access to personal information within an organization. Both of these kinds of departments collect information about employees and job applicants. In addition, they tend to use or forward personal data to other departments and/or other companies. It is necessary to have appropriate protection of personal data within these departments to prevent the infringement of personal data.


  • Name, surname, address, and contact details of employees, from the operational level to the management level.
  • Resume or CV of job applicants submitted to the organization.
  • Records of the work history of those who have left the organization (relocated, resigned, or fired) are kept as a database in case of inquiries from the new organization of employees.
  • Contact information for coordinating external speakers for training events.

All of this collected data is information that can identify the owner of the information. It is information that is protected by the PDPA. Therefore, every HR department should be aware of the collection, use, processing, and disclosure policies of this kind of personal data. This is to prevent data leakage or data theft, including protecting the rights of data owners and reducing the damage that will occur to the organization in the event of a breach.

Headway 5qgiuubxkwm Unsplash 845x321 1

  • HR should inform the data subject about the source of personal data collection, such as a resume or CV if it was not sent directly from the data subject. HR should also determine how long the data is kept, including the use and disclosure of personal information. The consent of the data subject must be obtained clearly at every step.
  • The HR department should also not ask for ID card information from job applicants. whether the original or a copy, until the process of considering and obtaining a position is official within the company
  • HR should state in job postings that the company will forward information to other companies for consideration for other relevant positions, if applicable. If the applicant does not meet the selection criteria for the position specified by the applicant, they must write a written statement per PDPA principles for applicants to sign consent before the information can be forwarded.
  • Resumes/CVs of unsuccessful applicants should be kept for a short period. Afterward, there should be a procedure for safely destroying that information.
  • Make a checklist of personal data types. Where is the data stored, what is it, and is there permission to store it or not? If it is unnecessary personal information, it must be destroyed properly
  • Personal Data Subject Consent can be withdrawn at a later time. The data subject also has the right to request deletion or destruction when the unlawful collection, use, or disclosure is occurring when withdrawing consent. (Read more about data destruction according to international standards here.)
  • If your company or organization needs to monitor the work of personnel via email records, web search history, and/or telephone logs, the personnel who own the data must be informed along with specifying the reason for doing so.
  • Organize training on Data Protection for personnel, staff, and officers.

This is a basic set of guidelines for HR to follow to prepare and deal with The Personal Data Protection Act (PDPA), which is in effect as of June 1st, 2022.  We created this guide for companies involved to prepare, plan and implement changes to the organization’s policies under the enforcement Personal Data Protection Act 2021

Ref: PDPA.Online , ICDL