THIM logo
Thai Immigration Application
Privacy Notice
PRIVACY NOTICE

THAI IMMIGRATION APPLICATION (THIM)

This page presents the Privacy Notice for the Thai Immigration mobile application operated by the Immigration Bureau of Thailand.

Immigration Bureau emblem

PRIVACY NOTICE
THAI IMMIGRATION APPLICATION

WHEREAS, the Immigration Bureau of Thailand, Ministry of Interior, Kingdom of Thailand ("Bureau", "we", "us", or "our") operates the Thai Immigration mobile application ("Application" or "THIM");

WHEREAS, the Bureau is vested with authority under the Immigration Act B.E. 2522 (1979) and Personal Data Protection Act B.E. 2562 ("PDPA") to collect, process, and maintain personal data for immigration control purposes;

NOW THEREFORE, this Privacy Policy ("Policy") sets forth the terms and conditions governing the collection, use, processing, storage, disclosure, and protection of personal data obtained through the Application.

I - DEFINITIONS AND INTERPRETATION

1.1 Definitions.

For purposes of this Policy, the following terms shall have the meanings set forth below:

  1. "Data Controller" means the Immigration Bureau of Thailand, Ministry of Interior, Kingdom of Thailand;
  2. “Data Processor” means any person or entity appointed by the data controller to handle personal data on their behalf, without authority to determine the purposes or means of processing.
  3. "Data Subject" means any natural person who is the subject of Personal Data;
  4. "Personal Data" means any information relating to an identified or identifiable natural person;
  5. "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, or destruction;
  6. "Third Party" means any natural or legal person other than the Data Subject, Data Controller, or persons authorized by the Data Controller to process Personal Data.

1.2 Statutory Authority.

This Policy is promulgated pursuant to:

  • Immigration Act B.E. 2522 (1979), as amended;
  • Personal Data Protection Act B.E. 2562;
  • Computer Crime Act B.E. 2550 (2007);
  • Royal Decree on Personal Data Protection B.E. 2564.

II - DATA CONTROLLER INFORMATION

2.1 Identity of Data Controller:

  • Legal Entity: Immigration Bureau of Thailand
  • Ministry: Ministry of Interior, Kingdom of Thailand
  • Registered Address: Chalermprakiat Building, His Royal Highness Crown Prince Maha Vajiralongkorn, 60th Birthday Anniversary, No. 904, Village No. 6, Ban Mai Subdistrict, Pak Kret District, Nonthaburi Province 11120, Kingdom of Thailand
  • Contact: saraban_imm@police.go.th | Tel: +66-2-141-9889

2.2 Data Protection Officer:

  • Designated Officer: Data Protection Officer, Immigration Bureau
  • Contact: dpo.tdac@immigration.go.th
  • Jurisdiction: Personal Data Protection Committee of Thailand

III - CATEGORIES OF PERSONAL DATA COLLECTED

3.1 Personal Data.

The following categories of Personal Data are collected as mandatory requirements for immigration processing:

  1. Identification Data: Legal first name, legal surname, passport number, nationality, gender, date of birth;
  2. Contact Data: Electronic mail address, mobile telephone number;

3.2 Location Data.

Location-related data, including real-time or periodic location information, collected through the Application or User device permissions, where required for the provision of specific Services.

IV - CATEGORIES OF SENSITIVE DATA COLLECTED

4.1 Sensitive Data.

The following categories of sensitive data are collected strictly where necessary and legally permitted under the Personal Data Protection Act B.E. 2562 (PDPA):

  1. Biometric Data: Facial biometric template derived from liveness detection photograph;
  2. Document Data: Machine-readable zone data extracted via optical character recognition from passport;
  3. Electronic Data: Near Field Communication chip data embedded in passport;

V – RIGHTS IN PERSONAL DATA

  1. 5.1 Right to Withdraw Consent: The right to withdraw consent to the collection, use, or disclosure of personal data at any time, without affecting prior lawful processing.
  2. 5.2 Right of Access: The right to access and obtain a copy of personal data held by the Company, and to request information on how such data was obtained.
  3. 5.3 Right to Rectification: The right to request correction of inaccurate or incomplete personal data.
  4. 5.4 Right to Erasure: The right to request deletion or anonymization of personal data under specific legal grounds.
  5. 5.5 Right to Restrict Processing: The right to request suspension of personal data processing under certain conditions.
  6. 5.6 Right to Data Portability: The right to obtain and transmit personal data to another data controller where technically feasible.
  7. 5.7 Right to Object: The right to object to the processing of personal data for certain purposes, such as direct marketing or legitimate interest processing.

VI – COLLECTION, USE, AND DISCLOSURE OF PERSONAL DATA WITHOUT CONSENT

6.1 Personal data may be collected, used, or disclosed without prior consent only when permitted by law, including:

  1. For research, statistical, or archival purposes with appropriate safeguards;
  2. To protect life, health, or safety in emergencies;
  3. As necessary to perform a contract or fulfill pre-contractual requests;
  4. To carry out duties in the public interest or under official authority;
  5. For legitimate interests, unless overridden by the data subject’s fundamental rights;
  6. To comply with legal obligations.

VII – COLLECTION, USE, AND DISCLOSURE OF SENSITIVE DATA

7.1 Sensitive data may be collected, used, or disclosed without prior consent only when legally permitted and strictly necessary, including:

  1. To prevent or mitigate danger to the life, body, or health of individuals unable to give consent.
  2. For lawful activities by foundations, associations, or non-profit organizations related to political, religious, philosophical, or trade union purposes—limited to internal use with safeguards.
  3. Where data has been made public with the data subject’s explicit consent.
  4. For the establishment, exercise, or defense of legal claims.
  5. As required by law to achieve specific purposes, including:
    • Preventive or Occupational Medicine: Health assessments, medical diagnosis, or social/medical service provision, especially under confidentiality obligations.
    • Public Health: Protection from communicable diseases, regulation of drugs or medical devices, with appropriate confidentiality safeguards.
    • Labor Protection & Social Security: For healthcare, accident compensation, and other social welfare under applicable laws.
    • Research or Public Interest: For scientific, historical, or statistical research, with safeguards aligned with PDPA requirements.
    • Significant Public Interest: With protective measures for individual rights and freedoms.

VIII - LEGAL BASIS FOR PROCESSING

  1. 8.1 Primary Legal Basis. Processing of Personal Data is undertaken pursuant to Section 24(1) of the PDPA, being the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
  2. 8.2 Statutory Authority. Such processing is specifically authorized under:
    • Immigration Act B.E. 2522 (1979), Sections 12, 34, and 35;
    • Ministerial Regulation on Immigration Procedures;
    • Cabinet Resolution on Digital Government Transformation.
  3. 8.3 Legitimate Interests. Where applicable, processing may also be based on legitimate interests including:
    • National security and border control;
    • Prevention of immigration fraud;
    • Facilitation of lawful travel and commerce.

IX - PURPOSES OF PROCESSING

9.1 Primary Purposes.

Personal Data is processed for the following purposes:

  1. Identity Verification: Authentication of Data Subject's identity through biometric and documentary evidence;
  2. Immigration Control: Facilitation of border control procedures and entry authorization;
  3. Security Screening: Assessment of security risks and prevention of unlawful entry;
  4. Service Delivery: Generation of digital credentials and provision of expedited immigration services;
  5. Record Keeping: Maintenance of immigration records as required by law;
  6. Communication: Delivery of service-related notifications and updates.
  7. Location Verification: Verification of the Data Subject’s physical presence within the Kingdom of Thailand for the purpose of providing certain immigration or administrative Services.

9.2 Secondary Purposes.

  • Statistical analysis and policy development;
  • System security and fraud prevention;
  • Quality assurance and service improvement.

X - DISCLOSURE AND SHARING

10.1 Authorized Recipients.

Personal Data may be disclosed to:

  1. Government Agencies: Royal Thai Government agencies including but not limited to Tourist Police Bureau, Ministry of Foreign Affairs, Royal Thai Armed Forces, National Intelligence Agency;
  2. Immigration Officers: Authorized immigration officers at ports of entry throughout the Kingdom of Thailand;
  3. Law Enforcement: Thai law enforcement agencies pursuant to lawful requests or court orders;
  4. Service Providers: Third-party processors operating under written data processing agreements, specifically KYCNow Company Limited for biometric and document verification services.

10.2 International Transfers.

Personal Data may be transferred internationally when:

  • Required by international treaty or agreement;
  • Necessary for diplomatic or consular purposes;
  • Requested by foreign law enforcement through mutual legal assistance;
  • Authorized by Data Subject's explicit consent.

10.3 Legal Safeguards.

All disclosures are governed by:

  • Written data sharing agreements;
  • Adequate security measures;
  • Purpose limitation principles;
  • Data minimization requirements.

XI - DATA SECURITY AND PROTECTION

Technical Safeguards. The following technical measures are implemented:

  • End-to-end encryption for data in transit;
  • Advanced encryption standard (AES-256) for data at rest;

XII - DATA RETENTION

  1. 12.1 Retention Period. Personal Data shall be retained for a period of three (3) years from the date of collection or last processing activity, whichever is later.
  2. 12.2 Extended Retention. Retention may be extended beyond the standard period when:
    • Required by ongoing legal proceedings;
    • Necessary for national security purposes;
    • Mandated by court order or legal obligation;
    • Needed for legitimate government purposes.
  3. 12.3 Secure Disposal. Upon expiration of retention periods, Personal Data shall be anonymized beyond reasonable possibility of re-identification.

XIII - INTERNATIONAL DATA SUBJECTS

  1. 13.1 Jurisdictional Application. This Policy applies to processing of Personal Data of Data Subjects regardless of nationality or location when using the Application.
  2. 13.2 Cross-Border Processing. International Data Subjects acknowledge that:
    • Thai law governs data processing activities;
    • Data will be processed within Thailand for immigration purposes;
    • Local privacy laws may provide additional protections;
    • Diplomatic recourse may be available through respective embassies.

XIV - AUTOMATED DECISION-MAKING

  1. 14.1 Automated Processing. The Application employs automated systems for:
    • Identity verification through biometric matching;
    • Document authenticity assessment;
    • Risk scoring for security purposes;
    • QR code generation for service delivery.
  2. 14.2 Human Oversight. All automated decisions are subject to:
    • Human review and intervention capabilities;
    • Appeal processes through immigration officers;
    • Manual override procedures;
    • Regular algorithm auditing.

XV - POLICY AMENDMENTS

  1. 15.1 Amendment Authority. This Policy may be amended by the Immigration Bureau to reflect:
    • Changes in applicable law or regulation;
    • Updates to Application functionality;
    • Enhanced security measures;
    • International best practices.
  2. 15.2 Notice of Changes. Material amendments shall be communicated through:
    • Updated Policy posted in Application;
    • Email notification to registered users;
    • Publication on official government websites;
    • In-application notifications upon next use.

XVI - GOVERNING LAW AND JURISDICTION

  1. 16.1 Applicable Law. This Policy and all data processing activities are governed by the laws of the Kingdom of Thailand.
  2. 16.2 Jurisdiction. Thai courts possess exclusive jurisdiction over disputes arising from this Policy, subject to applicable diplomatic immunities.

IN WITNESS WHEREOF

This Privacy Notice has been duly adopted by the Immigration Bureau of Thailand.

IMMIGRATION BUREAU OF THAILAND
MINISTRY OF INTERIOR
KINGDOM OF THAILAND

Date: 1 March 2026