Thailand’s Personal Data Protection Act (PDPA) applies to anyone who collects and uses personal data — and pharmacies are squarely in scope. Every time you record a customer’s name, phone, purchase history or details from a prescription, you are collecting and processing personal data as the law defines it.
Many shops assume PDPA is only for large organisations, but small pharmacies have duties too. This article explains how PDPA relates to a pharmacy, which data needs extra care, how consent and customer rights work, and how to choose a POS and loyalty system designed to be PDPA-aligned.
What PDPA is and how it relates to a pharmacy
PDPA (Personal Data Protection Act) requires anyone who collects, uses or discloses personal data to do so on a lawful basis, transparently and securely. A pharmacy is a "data controller" because it decides what customer data to collect and what to use it for.
As a controller, your core duties are to collect only what you need, tell people what you will use it for, keep it secure, and respect customer rights when they ask. A system that stores data tidily and restricts access is a key foundation for PDPA compliance.
What counts as personal data in a pharmacy
Personal data is information that can identify a person. In a pharmacy this is collected almost every day, and some of it is data the law protects especially strictly:
- Identifiers such as name, phone number and email
- Purchase history and items tied to each customer
- Prescription details such as patient name, prescriber and the medicines
- Health data, which is "sensitive data" requiring stricter care than ordinary data
- Membership and loyalty points tied to a customer
Consent and stating your purpose
A central PDPA principle is having a "lawful basis" to collect data. For some purposes, consent is the common basis — for example signing up for a loyalty programme or sending promotional messages. You should explain to customers what you collect and why before asking for consent.
But not everything requires consent. In some cases you rely on other bases, such as legal obligation (keeping the drug registers the law requires) or contract performance (issuing receipts and providing the service the customer asked for). Knowing which basis applies to which data helps you collect correctly and avoid over-collecting.
Data-subject rights your shop must support
PDPA grants customers several rights, which the shop must act on when it receives a lawful request. A system that can find and manage customer data per individual lets you actually honour these rights:
- The right to access and obtain a copy of their data
- The right to have data corrected and kept up to date
- The right to erase or restrict use where the law allows
- The right to withdraw consent previously given
Choose a PDPA-aligned POS and loyalty system
Complying with PDPA does not mean you stop collecting data — it means collecting it in an orderly, secure and access-controlled way. A well-designed system reduces this burden, because customer data lives in one place, is searchable per person, can be edited or managed, and is reachable only by authorised staff.
CuraLink designs data handling to be PDPA-aligned: customer data and purchase history are stored in a central, searchable, editable database, with role-based access control (RBAC) for admin, manager, pharmacist, cashier and assistant, and financial data hidden from roles that do not need it. Sensitive prescription data is handled through the pharmacist-side prescriptions feature with restricted access.
- Customer data and purchase history in one system, searchable per person
- Role-based access (admin/manager/pharmacist/cashier/assistant)
- Financial data hidden from unauthorised roles
- Sensitive prescription data handled via the pharmacist-side feature
- Loyalty and points tied to clearly identified customers
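As an added example, not CuraLink's code or anything from the article, the role-based access and per-person rights handling described above, sketched in Python. The role-to-category matrix and the `legally_retained` set are assumptions for illustration; a real shop would set both from its own policy.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Data categories named in the article. The role-to-category matrix is an
# illustrative policy assumed for this example, not CuraLink's real configuration.
CUSTOMER_FIELDS = ("identifiers", "purchase_history", "loyalty", "prescriptions")
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin":      {"identifiers", "purchase_history", "loyalty", "prescriptions", "financial"},
    "manager":    {"identifiers", "purchase_history", "loyalty", "financial"},
    "pharmacist": {"identifiers", "purchase_history", "loyalty", "prescriptions"},
    "cashier":    {"identifiers", "purchase_history", "loyalty"},
    "assistant":  {"identifiers", "loyalty"},
}

@dataclass
class CustomerRecord:
    identifiers: Dict[str, str]                               # name, phone, email
    purchase_history: List[str] = field(default_factory=list)
    loyalty: Dict[str, int] = field(default_factory=dict)
    prescriptions: List[str] = field(default_factory=list)    # health data: sensitive
    consent: Dict[str, bool] = field(default_factory=dict)    # purpose -> consent given

def sample_record() -> CustomerRecord:
    """Constructed, fictional sample customer used to exercise the functions."""
    return CustomerRecord(identifiers={"name": "Somchai T.", "phone": "08x-xxx-xxxx"},
                          purchase_history=["paracetamol 500mg"], loyalty={"points": 120},
                          prescriptions=["Rx-0001: amoxicillin"], consent={"promotions": True})

def can_access(role: str, category: str) -> bool:
    """Deny by default: an unknown role or category gets no access."""
    return category in ROLE_PERMISSIONS.get(role, set())

def view_customer(role: str, rec: CustomerRecord) -> Dict[str, object]:
    """Staff view filtered by role, so e.g. a cashier never sees prescriptions."""
    return {f: getattr(rec, f) for f in CUSTOMER_FIELDS if can_access(role, f)}

def withdraw_consent(rec: CustomerRecord, purpose: str) -> None:
    """Right to withdraw consent: stop the consent-based use (e.g. promotions)."""
    rec.consent[purpose] = False

def correct_identifier(rec: CustomerRecord, key: str, value: str) -> None:
    """Right to rectification, applied to the single per-person record."""
    rec.identifiers[key] = value

def erase_customer(rec: CustomerRecord, legally_retained: Set[str]) -> Set[str]:
    """Right to erasure where the law allows: categories the shop must keep under a
    legal obligation (assumed to be configured by the shop) are left untouched,
    everything else is cleared. Returns the categories actually erased."""
    erased: Set[str] = set()
    for f in CUSTOMER_FIELDS:
        if f in legally_retained:
            continue
        setattr(rec, f, type(getattr(rec, f))())   # empty dict or list of the same type
        erased.add(f)
    rec.consent = {}
    return erased
```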
PDPA checklist for pharmacies
Before you start or review your data handling, check whether your shop can do the following:
- Know what personal data you hold and where it is kept
- State your purpose and obtain consent where needed (e.g. loyalty sign-up)
- Restrict data access to relevant staff by role
- Find, correct or manage an individual customer’s data
- Keep data in a secure system rather than scattered books or files
Frequently asked questions
Do small pharmacies have to comply with PDPA?
Yes. PDPA applies to anyone who collects and uses personal data, not only large organisations. A pharmacy that records customer names, phones, purchase history or prescription details is collecting personal data and has duties under the law.
Is keeping customer purchase history against PDPA?
Not if done correctly: with a lawful basis, collecting only what is needed, stating your purpose, keeping it secure and respecting customer rights. Using a system that centralises data and restricts access makes meeting these requirements easier.
How does a POS help with PDPA?
A good system keeps customer data in one place, searchable and manageable per person, with role-based access and financial data hidden from those who do not need it — a key foundation for PDPA. The shop still has to set its own policies and obtain consent.
How is health data different from ordinary data?
Health data is sensitive data the law protects more strictly than ordinary data. Collect only what you need, restrict access to relevant staff, and manage it through access-controlled features such as pharmacist-side prescriptions.
Run your pharmacy smarter
POS, inventory and compliance in one platform. Free until your first 50 sales.