Personal Data Protection Act

Thailand’s Personal Data Protection Act (PDPA) represents the country’s first comprehensive legislation governing the collection, use, disclosure, and protection of personal data. Fully enforced since June 2022, the PDPA establishes legal standards for how organizations, businesses, government entities, and individuals handle personal information within Thailand.

Modeled partly on international privacy regimes such as the European Union’s GDPR, the PDPA aims to strengthen individual privacy rights while imposing significant compliance responsibilities on organizations that process personal data. The law applies broadly to both Thai and foreign entities handling personal data connected to individuals located in Thailand.

This article provides an in-depth examination of the PDPA’s legal structure, scope of application, compliance requirements, enforcement mechanisms, and practical implications for businesses operating in Thailand.

Legal Foundation of the Personal Data Protection Act

The Personal Data Protection Act B.E. 2562 (2019) establishes Thailand’s national framework for personal data governance. Regulatory oversight is administered by the Personal Data Protection Committee (PDPC), which functions as the primary supervisory authority responsible for enforcement, rulemaking, and investigation.

The PDPA governs all activities involving personal data processing, including:

  • collection,

  • recording,

  • storage,

  • analysis,

  • modification,

  • disclosure,

  • transfer, and

  • deletion of personal data.

The law applies regardless of whether processing occurs through digital systems or physical documentation.

Scope of Application and Extraterritorial Reach

The PDPA applies to:

  • organizations established in Thailand, and

  • foreign entities offering goods or services to individuals located in Thailand or monitoring their behavior.

This extraterritorial application means overseas companies operating online platforms, e-commerce services, or digital marketing activities targeting Thai residents may fall within PDPA jurisdiction even without physical presence in Thailand.

Definition of Personal Data

Under the PDPA, personal data refers to any information capable of identifying an individual directly or indirectly.

Examples include:

  • names,

  • identification numbers,

  • contact details,

  • financial information,

  • location data,

  • online identifiers,

  • employment information.

The Act also recognizes Sensitive Personal Data, which receives heightened protection.

Sensitive data includes:

  • biometric data,

  • health records,

  • religious beliefs,

  • political opinions,

  • criminal history,

  • genetic information,

  • sexual behavior or orientation.

Processing sensitive personal data generally requires explicit consent or specific legal justification.

Key Roles Under the PDPA

The law establishes distinct responsibilities depending on an organization’s role in handling personal data.

Data Controller

A Data Controller determines the purposes and means of processing personal data. Controllers bear primary legal responsibility for compliance obligations.

Typical controllers include employers, financial institutions, service providers, and online platforms.

Data Processor

A Data Processor handles personal data on behalf of a Data Controller, such as cloud service providers or outsourced IT vendors.

Processors must follow contractual instructions and implement adequate security safeguards.

Lawful Bases for Processing Personal Data

Organizations may process personal data only when supported by a lawful basis.

Recognized legal bases include:

  • consent from the data subject,

  • contractual necessity,

  • legal obligation,

  • legitimate interests,

  • prevention of danger to life or health,

  • public interest performance,

  • compliance with governmental authority.

Consent must be freely given, informed, and revocable.

Pre-ticked consent boxes or unclear consent mechanisms may violate PDPA requirements.

Rights of Data Subjects

The PDPA significantly expands individual privacy rights.

Data subjects are entitled to:

  • access personal data held about them,

  • request correction of inaccurate information,

  • withdraw consent,

  • request deletion or anonymization,

  • restrict data processing,

  • object to certain uses,

  • request data portability.

Organizations must respond to such requests within legally prescribed timeframes.

Failure to facilitate these rights may result in regulatory penalties.

Data Collection and Transparency Requirements

Data Controllers must provide privacy notices at or before data collection explaining:

  • purpose of data use,

  • legal basis for processing,

  • retention period,

  • disclosure recipients,

  • contact information for inquiries,

  • data subject rights.

Transparency forms a core principle of PDPA compliance, ensuring individuals understand how their information is handled.

Data Security Obligations

Organizations must implement appropriate technical and organizational safeguards to prevent:

  • unauthorized access,

  • accidental disclosure,

  • data loss,

  • alteration or destruction of personal data.

Security measures may include:

  • encryption systems,

  • access controls,

  • employee confidentiality policies,

  • cybersecurity monitoring,

  • internal compliance procedures.

The level of protection required depends on data sensitivity and processing risks.

Appointment of a Data Protection Officer (DPO)

Certain organizations must appoint a Data Protection Officer, particularly when:

  • processing involves large-scale personal data,

  • sensitive data is handled extensively,

  • activities require systematic monitoring of individuals.

The DPO oversees compliance, advises management, and serves as a contact point with regulatory authorities.

The officer must operate independently and possess sufficient expertise in data protection law.

Cross-Border Data Transfers

The PDPA regulates international transfers of personal data outside Thailand.

Transfers are permitted only when:

  • the destination country maintains adequate data protection standards, or

  • contractual safeguards or consent mechanisms are implemented.

Businesses relying on global data systems must ensure transfer mechanisms meet PDPA requirements to avoid violations.

Data Breach Notification Requirements

Organizations must report personal data breaches that may pose risks to individuals.

Notification obligations include:

  • informing the PDPC without undue delay, typically within 72 hours, and

  • notifying affected individuals when significant risk exists.

Failure to disclose breaches promptly can increase regulatory exposure.

Enforcement and Penalties

The PDPA introduces substantial penalties for non-compliance.

Violations may result in:

Administrative Penalties

Administrative fines may reach several million Thai Baht, depending on the severity of the violation.

Civil Liability

Affected individuals may claim compensation for damages caused by unlawful data processing.

Criminal Penalties

Serious violations involving unlawful disclosure or misuse may lead to imprisonment and criminal fines.

Executives and responsible officers may be personally liable in certain circumstances.

Corporate Compliance Challenges

Businesses frequently encounter compliance risks arising from:

  • unclear consent procedures,

  • excessive data collection,

  • inadequate employee training,

  • unsecured databases,

  • improper vendor management,

  • absence of internal privacy policies.

PDPA compliance requires organizational governance rather than isolated technical solutions.

Practical Compliance Measures for Businesses

Effective compliance programs commonly involve:

  • data mapping and classification,

  • privacy policy development,

  • employee awareness training,

  • vendor data processing agreements,

  • breach response planning,

  • internal auditing systems.

Compliance must be ongoing rather than treated as a one-time implementation exercise.

Relationship Between PDPA and Other Thai Laws

The PDPA operates alongside sector-specific regulations affecting:

  • banking,

  • telecommunications,

  • healthcare,

  • employment relationships.

Organizations must harmonize PDPA compliance with existing legal obligations governing confidentiality and recordkeeping.

Conclusion

Thailand’s Personal Data Protection Act fundamentally reshapes how personal information is managed across both public and private sectors. By establishing enforceable privacy rights and imposing structured compliance duties, the PDPA aligns Thailand with global data protection standards while strengthening consumer trust in digital and commercial environments.

Organizations operating in Thailand or handling data relating to Thai residents must understand that PDPA compliance extends beyond privacy policies. It requires institutional accountability, risk management systems, and continuous oversight of data processing activities.

Proper implementation not only reduces legal exposure but also enhances operational credibility in an increasingly data-driven economy.