Personal Data Protection Act

The Personal Data Protection Act B.E. 2562 (2019), commonly known as the Thailand PDPA, is Thailand’s first comprehensive data protection law. Modeled in part on international standards such as the EU’s GDPR, the PDPA establishes rules on how personal data must be collected, used, disclosed, stored, and protected. Since it came into full force on 1 June 2022, the PDPA has significantly reshaped how businesses, employers, service providers, and organizations operate in Thailand.

This article provides an in-depth analysis of the Thailand PDPA, covering its legal scope, key definitions, rights of data subjects, obligations of data controllers and processors, cross-border data transfers, penalties, and compliance strategies.

1. Purpose and scope of the PDPA

The PDPA was enacted to:

  • Protect individuals’ personal data

  • Prevent misuse or unauthorized disclosure

  • Establish accountability for data handlers

  • Align Thailand with international data protection standards

The law applies to any person or entity that collects, uses, or discloses personal data in Thailand. It also applies extraterritorially to controllers and processors located outside Thailand whose activities involve offering goods or services to data subjects in Thailand (whether or not payment is required) or monitoring the behaviour of data subjects in Thailand.

2. Key definitions under the PDPA

Understanding the PDPA begins with its core terminology.

2.1 Personal data

Personal data refers to any information that can identify a person directly or indirectly, such as:

  • Name, address, phone number

  • Identification numbers

  • Online identifiers

  • Location data

2.2 Sensitive personal data

Sensitive personal data is subject to stricter controls. The categories named in the Act include:

  • Racial or ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade union membership

  • Health data and disability

  • Genetic and biometric data

  • Criminal records

  • Sexual behavior or orientation

Processing sensitive personal data generally requires the data subject’s explicit consent, unless a specific statutory exemption applies.

2.3 Data controller and data processor

  • A data controller determines the purpose and means of processing personal data.

  • A data processor processes data on behalf of the controller.

Both have legal responsibilities, but the controller bears primary accountability.

3. Lawful bases for data processing

Under the PDPA, personal data may only be processed when a lawful basis exists. These include:

  • Consent from the data subject

  • Contractual necessity

  • Legal obligation

  • Legitimate interest

  • Vital interest of the data subject

  • Public interest or official authority

Consent must be freely given, specific, informed, and unambiguous, and a request for consent must be presented separately from other terms, in plain language, and without misleading the data subject. Pre-ticked boxes, bundled consent, or consent implied from silence are generally insufficient.

4. Rights of data subjects

One of the most significant aspects of the PDPA is the recognition of individual rights over personal data. Data subjects have the right to:

  • Be informed about data collection and usage

  • Access their personal data

  • Request correction of inaccurate data

  • Request deletion or anonymization

  • Withdraw consent at any time

  • Object to data processing

  • Request data portability

  • Lodge complaints with the regulator

Organizations must have procedures in place to respond to such requests within the statutory timeframes (for example, an access request must be acted on without undue delay and within 30 days of receipt).

5. Obligations of data controllers

Data controllers are subject to strict duties, including:

5.1 Transparency and privacy notices

Controllers must inform data subjects of:

  • Purpose of data collection

  • Types of data collected

  • Retention period

  • Rights of the data subject

  • Contact details of the controller or Data Protection Officer (DPO)

Privacy notices must be clear, accessible, and lawful.

5.2 Data minimization and purpose limitation

Personal data must be:

  • Collected only for specific purposes

  • Limited to what is necessary

  • Not retained longer than required

5.3 Security measures

Appropriate technical and organizational safeguards must be implemented to protect data from:

  • Loss

  • Unauthorized access

  • Alteration

  • Disclosure

6. Data processors’ responsibilities

Data processors must:

  • Process data only according to controller instructions

  • Implement adequate security measures

  • Maintain confidentiality

  • Notify the controller of data breaches

Contracts between controllers and processors are mandatory and must specify compliance obligations.

7. Data breach notification requirements

A personal data breach is any accidental or unlawful destruction, loss, alteration, or unauthorized access to or disclosure of personal data. Under the PDPA:

  • Controllers must notify the regulator without delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects

  • Data subjects must also be notified, together with remedial measures, if the breach is likely to result in a high risk to their rights and freedoms

  • Failure to report breaches can lead to penalties

Incident response planning is therefore critical: the 72-hour clock starts when the organization becomes aware of the breach, so detection, escalation, and risk assessment must already be in place before an incident occurs.

8. Cross-border data transfers

Personal data may be transferred outside Thailand only if:

  • The destination country has adequate data protection standards, or

  • Appropriate safeguards (such as binding corporate rules or contractual clauses) are in place, or

  • An exemption applies (e.g., consent or legal necessity)

This provision affects multinational companies, cloud service providers, and outsourcing arrangements.

9. Data Protection Officer (DPO)

Certain organizations must appoint a Data Protection Officer, including those that:

  • Are public authorities

  • Have core activities involving the regular and systematic monitoring of personal data or systems on a large scale

  • Have core activities involving the processing of sensitive personal data

The DPO advises on compliance, monitors internal practices, and acts as a contact point with regulators.

10. Enforcement authority and penalties

The PDPA is enforced by the Personal Data Protection Committee (PDPC). Violations may result in:

  • Civil liability: compensation for damages, and the court may award punitive damages of up to twice the actual compensation

  • Administrative fines: up to THB 5 million

  • Criminal penalties: imprisonment of up to one year and/or a fine of up to THB 1 million for the most serious offences, such as unlawful disclosure of sensitive personal data

Where an offence is committed by a juristic person, directors, managers, or other responsible persons may be personally liable if the offence resulted from their instructions or actions, or from their failure to give instructions or act to prevent it.

11. Exemptions and special cases

The PDPA provides limited exemptions, including:

  • Personal or household activities

  • Media activities for public interest

  • Government functions related to national security or criminal justice

However, exemptions are narrowly interpreted and should not be assumed without legal review.

12. Practical compliance challenges

Common challenges include:

  • Inadequate consent mechanisms

  • Poor data mapping and inventory

  • Lack of internal policies

  • Insufficient employee training

  • Overreliance on foreign compliance models without localization

PDPA compliance requires Thailand-specific adaptation.

13. Best practices for PDPA compliance

Effective compliance strategies include:

  • Conducting data audits and risk assessments

  • Updating privacy policies and contracts

  • Implementing internal data governance frameworks

  • Training staff regularly

  • Appointing a qualified DPO where required

  • Establishing breach response protocols

Compliance should be viewed as an ongoing process, not a one-time exercise.

Conclusion

The Thailand Personal Data Protection Act represents a fundamental shift in how personal data is regulated and protected. It places individuals at the center of data governance while imposing substantial obligations on organizations. Non-compliance carries serious legal, financial, and reputational risks.

Businesses operating in Thailand—or handling the data of individuals in Thailand—must understand the PDPA’s requirements, implement effective compliance frameworks, and remain vigilant as regulatory interpretations continue to evolve. Proper compliance not only mitigates risk but also builds trust and credibility in an increasingly data-driven economy.