What can we do as a data subject under PDPA?

PDPA or Personal Data Protection Act 2019, which was completely official on 27 May 2020, is closer to us than we think. It does not matter if we are customers, employees, or juristic person, we are all bound to involve with personal data under this Act.

The importance of PDPA is to protect the information about an individual that allows others to directly or indirectly detect that individual such as name-surname, address, identification number, mobile number, email, educational background, job experience, financial information, medical record, the criminal record including biometric, etc. All these are protected in order to prevent the violation of data subject’s privacy that could lead to troubles and losses.


Data subject rights according to the Personal Data Protection Act 2019 are as followed:

Right to be informed

In the collection of personal information, the data controller will have to report the details of data collection all the way to the usage or disclosure to the data subject before any action or during the data collection process (except data subject is well aware of the details, for example, information for opening a bank account or registration for product trial and services). The data subject has all rights to know the objective of the collection, usage, and disclosure of their information, details of the information that will be collected, duration of the collection as well as information of the data controller such as location and contact as well as consequences of not revealing the information.

Right of access

The data subject has the right to access and ask for a copy of their personal data from a data controller. They can also ask for the revelation of how their personal data is obtained in the case that they are in doubt if consent has been given. Nevertheless, the right to access will be granted as long as it is not going against the law or court decree and the exercise of the right does not violate the right and freedom of others.

Right to data portability

In the case that data subject would like to use their personal information that was given to one data controller to another data controller, for example, the first data controller has stored the personal information into different forms that can be automatically accessed, the data subject can request for those data from the data controller or request for the information to be directly sent to other data controller if the method and technique permit. Nevertheless, the exercise of the right must not go against the law, contract, or violate the right and freedom of others.

Right to object

The data subjects can oppose the collection, usage, or disclosure of personal data whenever they desire as well as make their personal data becomes anonymous, except if there is a legal need for the information only.


Right to erasure / Right to be forgotten

If the data controller reveals the personal information to the public or makes it easily accessible, the data subject has the right to request for their information to be erased or destroyed the information or rendered it anonymous. In which, the data controller will have to be responsible for both technology and expenses to fulfill the request.

Right to withdraw consent

In the case that the data subject gave consent for the usage of their information and later changed their mind, they can withdraw the consent at any time. Nevertheless, the withdrawal of consent must not go against the legal consent or contract that is beneficial to the data subject.


Right to restrict processing

Data subject has the right to request data controller to halt the usage of personal information. It does not matter if data subject changed their mind and withdraw consent or changed their mind about erasure of information when reaches its due date because they need to use the information in legal matters or claim rights, the right to restrict the usage of personal information can be done.

Right of rectification

The data subject has the right to amend their personal information to make the information accurate, up-to-date, and does not cause misunderstanding. In which, the amendment must be done with integrity and does not go against the law.


according to the stated laws and do not violate the right or freedom of others. Also, we should always bear in mind that our personal information, if it is being used in the right way, it will be beneficial to the data subject. However, if it falls into the hand of ill-intent people, it could cause problems and losses to the data subject as well.