How Long Should You Keep User Data Under PDPA?

In the digital age, storing user data has become second nature for businesses—from names and emails to purchase history and preferences. But with greater power comes greater responsibility. Under Thailand’s Personal Data Protection Act (PDPA), businesses can no longer keep personal data indefinitely “just in case.” Instead, the law requires companies to retain personal data only as long as necessary for the specific purpose for which it was collected.

So, how long is “necessary”? And how should businesses determine and manage their data retention practices?

In this article, we’ll unpack what the PDPA says about data retention, offer guidance on how to set compliant policies, and share a real-world example of how one booking platform streamlined its data lifecycle to reduce risk and improve efficiency.

What Does the PDPA Say About Data Retention?

One of the PDPA’s core principles is data minimization—only collect and keep data that you need, for as long as you need it. Section 37 of the law states that data controllers must “not keep personal data longer than necessary to fulfill the purpose of collection.”

Once the data is no longer required, it must be:

• Deleted
  
  

• Anonymized, or
  
  

• Archived securely (only in certain justified scenarios)
  
  

There’s no single number of days or months prescribed. Instead, businesses must define their own retention periods, justify them, and document them clearly.

Why Data Retention Policies Matter

1. Legal Compliance

Failure to delete outdated personal data could lead to penalties under the PDPA, especially in the event of a breach.

2. Reduced Risk

The less personal data you store, the less you risk in case of hacking, leaks, or internal misuse.

3. Cost Efficiency

Deleting old data helps reduce storage costs and database load, especially for businesses dealing with large volumes of customer information.

4. Trust and Transparency

Users feel more confident when they know their data won’t be stored forever. It shows that your business respects their privacy.

How to Set a Data Retention Policy

Here’s a step-by-step process for defining a compliant data retention framework:

Step 1: Identify What Data You Collect

Break down all the personal data points your business collects—names, emails, contact numbers, browsing history, location, etc.

Step 2: Map Each Data Point to Its Purpose

Why do you collect each type of data? Is it for account creation, marketing, analytics, or legal obligations?

Step 3: Define How Long You Need It

Base this on:

• Legal requirements (e.g., tax or accounting regulations)
  
  

• Business needs (e.g., customer support, repeat purchases)
  
  

• Reasonable expectations (what a customer would consider fair)
  
  

Examples:

• Contact form submissions: 6–12 months
  
  

• E-commerce order records: 3–5 years (for warranty or returns)
  
  

• Abandoned carts: 30 days
  
  

• Marketing analytics: 90–180 days
  
  

Step 4: Automate Deletion or Anonymization

Set up systems to:

• Flag data approaching the retention deadline
  
  

• Delete or anonymize it automatically
  
  

• Notify users if appropriate (especially for sensitive data)
  
  

Step 5: Document and Communicate

Your Privacy Policy should state:

• What data is collected
  
  

• How long it’s stored
  
  

• What happens when it’s no longer needed
  
  

• How users can request early deletion
  
  

Real Case: Hotel Booking Site Implements 180-Day Data Cap

A travel website that handled thousands of hotel reservations per month had been storing customer data—names, emails, booking dates, passport numbers—for years, without any expiration timeline.

When reviewing its PDPA compliance, the team realized this was a liability. Much of the data was no longer useful but remained accessible to staff and potentially vulnerable to breaches.

What They Did:

• Reviewed data types and mapped them to purpose
  
  

• Determined that booking-related data (excluding financial records) could be deleted after 180 days
  
  

• Automated data deletion for inactive accounts and old bookings
  
  

• Updated their Privacy Policy to reflect this lifecycle
  
  

• Trained internal teams on why and how data would be removed
  
  

The Results:

• Reduced stored user records by 38%
  
  

• Lowered cloud storage and backup costs
  
  

• Improved site performance by trimming databases
  
  

• Demonstrated transparency to customers and regulators
  
  

This move not only reduced legal risk but also improved internal processes and customer trust.

Best Practices for PDPA-Compliant Retention

• Avoid “keep forever” defaults—set a clear timeline for every data type
  
  

• Use different timelines for different purposes (e.g., marketing vs. billing)
  
  

• Build retention logic into your CMS, CRM, and data warehouse
  
  

• Have a retention and deletion log for audit purposes
  
  

• Review and update your policy annually—or whenever your operations change
  
  

What Happens If You Don’t Comply?

Under the PDPA, failing to manage data retention properly can lead to:

• Fines of up to 5 million baht per violation
  
  

• Loss of customer trust and brand damage
  
  

• Regulatory audits or enforcement actions
  
  

• Increased exposure in case of cyberattacks
  
  

Conclusion: 

Data is an asset—but only when handled responsibly. Keeping personal data longer than necessary not only exposes your business to legal and operational risks, but also undermines the customer trust that fuels loyalty.

A well-defined, PDPA-compliant retention policy helps you clean up your digital environment, reduce risk, and demonstrate your commitment to user rights. With the help of automation tools and clear internal guidelines, managing data lifecycle becomes a strategic advantage—not a legal burden.