The definitive English-language guide to Thailand's Personal Data Protection Act B.E. 2562 (2019) — lawful bases, data subject rights, penalties, cross-border transfers, and a complete compliance checklist
Author: Thundthornthep Yamoutai, Ph.D. — Founder & Managing Director, Legal Advance Solution Co., Ltd. | Ph.D. (DPA) | 20+ years in Thai corporate and data protection law | Lecturer at Kasetsart University, Bangkokthonburi University & Suan Sunandha Rajabhat University | NIA-funded AI Legal Researcher | ACI-published Scholar | Parliamentary Committee Member
Published: April 2026 | Category: Data Protection & Privacy Law | Reading Time: ~18 minutes
The Personal Data Protection Act B.E. 2562 (2019), commonly known as PDPA, is Thailand's first comprehensive data protection legislation. Often compared to the European Union's General Data Protection Regulation (GDPR), the PDPA establishes a legal framework governing the collection, use, disclosure, and transfer of personal data by organizations operating in or targeting individuals within the Kingdom of Thailand.
The PDPA was enacted to address growing concerns about data privacy in Thailand's rapidly digitalizing economy. Before PDPA, data protection obligations were scattered across sector-specific regulations — including the Computer Crime Act B.E. 2550 (2007), the Credit Information Business Act, and various notifications from the National Broadcasting and Telecommunications Commission (NBTC). The PDPA consolidated and strengthened these protections into a single, unified law with extraterritorial reach.
Official Name: Personal Data Protection Act B.E. 2562 (2019)
Thai Name: พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562
Administered by: Personal Data Protection Committee (PDPC) and Office of the Personal Data Protection Committee (OPDPC)
Scope: Any organization collecting, using, or disclosing personal data of individuals in Thailand
The PDPA defines "personal data" broadly as any information relating to a person that enables the identification of that person, whether directly or indirectly — but not including information of a deceased person. This includes names, identification numbers, addresses, phone numbers, email addresses, photographs, biometric data, IP addresses, cookie identifiers, location data, and any other information that can identify a natural person.
The law further recognizes a special category of "sensitive personal data" (Section 26), which includes data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal records, trade union membership, genetic data, biometric data used for identification, health data, disability, sexual orientation, and any other data prescribed by the PDPC. Sensitive data is subject to heightened protection requirements and generally cannot be processed without explicit consent.
| Role | PDPA Definition | Examples |
|---|---|---|
| Data Subject | A natural person whose personal data is collected, used, or disclosed | Customers, employees, website visitors, patients |
| Data Controller | A person or entity that determines the purposes and means of personal data processing (Section 6) | Employers, hospitals, e-commerce platforms, banks |
| Data Processor | A person or entity that processes personal data on behalf of and under the instructions of the data controller (Section 6) | Cloud service providers, payroll vendors, marketing agencies |
| Data Protection Officer (DPO) | A designated officer responsible for monitoring and advising on PDPA compliance (Section 41-42) | Internal compliance officer, external DPO-as-a-service provider |
The PDPA's path to full enforcement was marked by several postponements, largely due to the COVID-19 pandemic. Understanding this timeline is important for organizations assessing their compliance obligations and potential liability exposure.
| Date | Event |
|---|---|
| May 27, 2019 | PDPA published in the Royal Gazette (enacted) |
| May 28, 2019 | Certain provisions take immediate effect (establishment of PDPC, appointment of Secretary-General) |
| May 27, 2020 | Original date for full enforcement of all provisions |
| May 2020 | First Royal Decree postpones full enforcement by 1 year due to COVID-19 |
| May 2021 | Second Royal Decree postpones full enforcement by another year |
| June 1, 2022 | Full enforcement begins — all provisions of PDPA are in effect |
| 2022-2023 | PDPC issues subordinate regulations, guidelines, and notifications clarifying compliance requirements |
| 2024-2026 | PDPC continues issuing sector-specific guidelines and increasing enforcement activity; first enforcement actions reported |
Important: Since June 1, 2022, all provisions of the PDPA are fully enforceable. Organizations that have not yet achieved compliance face potential administrative fines of up to 5 million THB per violation, criminal penalties, and civil liability for damages.
The PDPA has a broad scope of application. It applies to the collection, use, and disclosure of personal data by data controllers and data processors in the following circumstances:
| Entity Type | Example Obligations |
|---|---|
| Private companies (Thai and foreign) | Customer data privacy notices, employee data policies, vendor DPAs |
| SMEs and startups | Simplified but mandatory compliance — privacy notice, consent where required, data security |
| Multinational corporations | Full compliance plus cross-border data transfer mechanisms |
| E-commerce and digital platforms | Cookie consent, privacy policy, data subject rights portal |
| Healthcare providers | Heightened obligations for sensitive health data, explicit consent |
| Financial institutions | Additional sector-specific regulations alongside PDPA |
| Government agencies | Subject to PDPA with certain exemptions for national security and law enforcement |
| Non-profit organizations | Subject to PDPA when processing personal data of members, donors, or beneficiaries |
The PDPA provides limited exemptions (Section 4), including:
It is critical to note that these exemptions are narrowly construed. Most organizations — regardless of size, industry, or nationality — must comply with PDPA if they process personal data of individuals in Thailand.
Under PDPA Section 24, a data controller may not collect personal data without the consent of the data subject, unless one of the other lawful bases applies. This "consent by default" framework is one of the key features of the PDPA that organizations must understand.
| # | Lawful Basis | PDPA Section | Description | Examples |
|---|---|---|---|---|
| 1 | Consent | Section 19 | The data subject has given explicit consent to the processing. Consent must be freely given, specific, informed, and unambiguous. It must be clearly distinguishable from other matters and presented in an easily accessible and intelligible form using clear and plain language. | Marketing emails, cookie tracking, sharing data with third-party partners |
| 2 | Contract | Section 24(3) | Processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract. | Processing delivery address for an online purchase, salary payment for employees |
| 3 | Legal Obligation | Section 24(6) | Processing is necessary for compliance with a law to which the data controller is subject. | Tax reporting, anti-money laundering requirements, labor law compliance |
| 4 | Vital Interest | Section 24(2) | Processing is necessary to prevent or suppress a danger to the life, body, or health of a person. | Emergency medical treatment, disaster response |
| 5 | Public Interest / Official Authority | Section 24(4) | Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. | Public health surveillance, national statistics, census data |
| 6 | Legitimate Interest | Section 24(5) | Processing is necessary for the legitimate interests of the data controller or a third party, unless overridden by the fundamental rights of the data subject. Requires a balancing test. | Fraud prevention, network security, internal analytics, direct marketing to existing customers (with opt-out) |
Practical Tip from Thundthornthep Yamoutai, Ph.D.: Many Thai organizations over-rely on consent as their sole lawful basis. This creates operational risk because consent can be withdrawn at any time (Section 19, paragraph 5). Where possible, identify and document an alternative lawful basis — particularly contract performance and legitimate interest — to build a more resilient data processing framework. A qualified PDPA advisory lawyer can help you conduct this analysis.
For sensitive personal data (Section 26), the PDPA imposes stricter requirements. Processing of sensitive data is generally prohibited unless:
The PDPA grants data subjects eight fundamental rights regarding their personal data. Organizations must establish internal processes to handle these rights requests and respond within 30 days of receiving a valid request.
| # | Right | PDPA Section | Description |
|---|---|---|---|
| 1 | Right to Be Informed | Section 23 | Data subjects have the right to be informed about the collection and processing of their personal data before or at the time of collection. This is fulfilled through privacy notices. |
| 2 | Right of Access | Section 30 | Data subjects may request access to their personal data held by the data controller and obtain a copy of such data. The controller must respond within 30 days. |
| 3 | Right to Data Portability | Section 31 | Data subjects may request that the data controller transmit their personal data in a commonly used, machine-readable format to another data controller, where technically feasible. |
| 4 | Right to Object | Section 32 | Data subjects may object to the collection, use, or disclosure of their personal data, particularly when processing is based on legitimate interest or public interest. |
| 5 | Right to Erasure (Right to Be Forgotten) | Section 33(5) | Data subjects may request the deletion or destruction of their personal data when it is no longer necessary for the purpose for which it was collected, when consent is withdrawn, or when processing is unlawful. |
| 6 | Right to Restrict Processing | Section 34 | Data subjects may request that the data controller restrict the processing of their personal data in certain circumstances, such as when accuracy is contested or while an objection is being evaluated. |
| 7 | Right to Rectification | Section 36 | Data subjects may request that inaccurate or incomplete personal data be corrected, updated, or supplemented. |
| 8 | Right to Withdraw Consent | Section 19(5) | Where processing is based on consent, data subjects may withdraw their consent at any time. Withdrawal must be as easy as giving consent. Withdrawal does not affect the lawfulness of processing conducted prior to the withdrawal. |
Enforcement Note: Failure to respond to data subject rights requests within the statutory 30-day period, or refusing requests without legitimate grounds, may result in complaints to the PDPC and subsequent administrative sanctions. Organizations should establish a documented intake and response process, ideally with a dedicated email address or web form for rights requests.
Beyond understanding lawful bases and data subject rights, organizations must implement several operational compliance measures under the PDPA. This section covers the five most critical requirements that every data controller and data processor must address.
Data controllers must provide a privacy notice to data subjects before or at the time of data collection. The privacy notice must include:
Where consent is the lawful basis for processing, the PDPA imposes specific requirements:
When a data controller engages a data processor (e.g., a cloud service provider, payroll vendor, or marketing platform), the controller must enter into a written Data Processing Agreement (DPA) that specifies:
A Data Protection Officer (DPO) must be appointed in the following situations:
The DPO's responsibilities include:
The DPO can be an internal employee or an external service provider. The data controller must ensure the DPO has sufficient independence, resources, and access to carry out their functions without interference. The DPO's contact details must be published and communicated to the PDPC.
72-Hour Rule: In the event of a personal data breach, the data controller must notify the PDPC within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subject. If the breach is likely to result in high risk to the rights and freedoms of the data subject, the controller must also notify the affected data subjects without undue delay.
The breach notification to the PDPC must include:
Sections 28 and 29 of the PDPA regulate the transfer of personal data to foreign countries. This is particularly relevant for multinational companies, organizations using cloud services hosted abroad, and businesses that share data with overseas partners.
A data controller may transfer personal data to a foreign country only if the destination country has adequate data protection standards as prescribed by the PDPC. As of April 2026, the PDPC has not yet published a definitive list of countries deemed to have adequate standards, though guidance is evolving.
Even without an adequacy determination, cross-border transfers are permitted in the following circumstances:
| # | Exception | Description |
|---|---|---|
| 1 | Compliance with law | The transfer is necessary to comply with a legal obligation |
| 2 | Consent | The data subject has been informed of the inadequate standards and has given consent |
| 3 | Contract performance | The transfer is necessary for the performance of a contract between the data subject and the data controller |
| 4 | Pre-contractual measures | The transfer is necessary at the data subject's request prior to entering into a contract |
| 5 | Vital interests | The transfer is necessary to protect the vital interests of the data subject or another person |
| 6 | Important public interest | The transfer is necessary for an important reason of public interest |
| 7 | Legal claims | The transfer is necessary for the establishment, exercise, or defense of legal claims |
| 8 | Binding Corporate Rules (BCRs) | Intra-group transfers under BCRs that provide appropriate safeguards, as approved by the PDPC |
Practical Guidance: Organizations using major cloud platforms (AWS, Google Cloud, Microsoft Azure) with servers located outside Thailand should conduct a transfer impact assessment and, where appropriate, implement Standard Contractual Clauses or BCRs. A PDPA lawyer can help structure these mechanisms to comply with Thai law while maintaining operational flexibility. For expert assistance, see our PDPA advisory services.
The PDPA imposes three categories of penalties for non-compliance: administrative, criminal, and civil. These can be imposed concurrently, meaning an organization could face all three types of liability for a single violation.
| Violation | Maximum Penalty |
|---|---|
| Failure to comply with data controller/processor obligations | Up to 5,000,000 THB per violation |
| Failure to appoint a DPO when required | Up to 3,000,000 THB |
| Failure to comply with orders of the Expert Committee | Up to 5,000,000 THB |
| Failure to maintain records of data processing activities | Up to 1,000,000 THB |
| Non-compliance with cross-border transfer restrictions | Up to 5,000,000 THB |
| Offense | Imprisonment | Fine |
|---|---|---|
| Unauthorized use or disclosure of sensitive personal data | Up to 6 months | Up to 500,000 THB |
| Use or disclosure causing damage to another person, reputation, or to gain an unfair advantage | Up to 6 months | Up to 500,000 THB |
| Unauthorized disclosure of personal data obtained in the performance of duties under PDPA | Up to 6 months | Up to 500,000 THB |
| If committed by a data controller with intent to cause damage | Up to 1 year | Up to 1,000,000 THB |
Director and Officer Liability (Section 90): If a legal entity commits an offense under the PDPA, and the offense was committed by the order, by the action, or with the knowledge and consent of a director, manager, or person responsible for the operations of that legal entity, such person shall also be liable to the same penalty as the legal entity. This personal liability provision makes PDPA compliance a board-level concern.
Under Sections 77-78 of the PDPA:
The following checklist provides a structured, practical roadmap for organizations seeking to achieve and maintain PDPA compliance. This is the methodology used by Legal Advance Solution (LAS) in advising clients across industries.
| Step | Action | Key Deliverables | Priority |
|---|---|---|---|
| 1 | Appoint a PDPA Project Lead or DPO: Designate a responsible person or team. Appoint a DPO if legally required (public authority, large-scale monitoring, or large-scale sensitive data processing). | DPO appointment letter; PDPC notification; published contact details | Critical |
| 2 | Conduct Data Mapping & Inventory: Identify all personal data collected, used, stored, disclosed, and transferred. Document data flows, storage locations, retention periods, and third-party sharing. | Data inventory register; data flow diagrams; Records of Processing Activities (ROPA) | Critical |
| 3 | Perform Gap Analysis: Compare current data processing practices against PDPA requirements. Identify gaps in policies, procedures, contracts, and technical controls. | Gap analysis report; risk assessment matrix; remediation roadmap | Critical |
| 4 | Identify Lawful Bases: For each data processing activity, determine and document the appropriate lawful basis under PDPA Section 24. Minimize reliance on consent where other bases apply. | Lawful basis register; processing purpose documentation | High |
| 5 | Draft and Publish Privacy Notices: Create comprehensive privacy notices for each stakeholder group (customers, employees, vendors, website visitors). | External privacy notice; employee privacy notice; website privacy policy; cookie notice | Critical |
| 6 | Implement Consent Mechanisms: Deploy compliant consent collection tools with clear opt-in, purpose specification, and easy withdrawal mechanisms. | Consent forms; cookie consent platform; consent database/log | High |
| 7 | Execute Data Processing Agreements (DPAs): Enter into written agreements with all third-party data processors. Review existing vendor contracts for PDPA compliance. | DPA template; vendor compliance assessment; contract addenda | High |
| 8 | Establish Data Subject Rights Procedures: Create workflows to receive, verify, and respond to data subject rights requests within 30 days. | Rights request form; internal SOP; response templates; tracking log | High |
| 9 | Implement Data Security Measures: Deploy appropriate technical and organizational security controls (access controls, encryption, pseudonymization, regular testing). | Information security policy; access control matrix; encryption standards; security audit reports | Critical |
| 10 | Create a Data Breach Response Plan: Establish procedures for detecting, containing, assessing, and reporting data breaches. Ensure PDPC notification within 72 hours. | Breach response plan; notification templates; incident log; escalation procedures | Critical |
| 11 | Review Cross-Border Data Transfers: Identify all transfers of personal data outside Thailand. Implement appropriate safeguards (BCRs, contractual clauses, or consent). | Transfer impact assessment; BCRs or SCCs; data transfer register | High |
| 12 | Conduct Data Protection Impact Assessments (DPIAs): Perform DPIAs for high-risk processing activities, including large-scale profiling, automated decision-making, and systematic monitoring. | DPIA reports; risk mitigation measures; PDPC consultation (if required) | Medium |
| 13 | Employee Training and Awareness: Conduct PDPA training for all employees, with specialized training for HR, IT, marketing, and customer-facing teams. | Training materials; attendance records; knowledge assessments | High |
| 14 | Ongoing Monitoring and Review: Establish a regular review cycle (at least annually) to update policies, procedures, and technical measures in response to regulatory changes and organizational developments. | Annual compliance review report; updated ROPA; regulatory change log | Ongoing |
Expert Recommendation: PDPA compliance is not a one-time project — it is a continuous obligation. Organizations should treat data protection as an integral part of their governance, risk, and compliance (GRC) framework. Regular audits, employee training refreshers, and policy updates are essential to maintaining compliance as the PDPC issues new guidelines and enforcement evolves.
Legal Advance Solution Co., Ltd. (LAS), founded by Thundthornthep Yamoutai, Ph.D., provides comprehensive PDPA advisory services that combine over 20 years of legal practice expertise with cutting-edge AI-powered legal technology.
Why Choose LAS for PDPA Compliance?
Contact LAS for PDPA Advisory: Visit laslegal.co.th or see our PDPA Advisory page for more details.
PDPA stands for the Personal Data Protection Act B.E. 2562 (2019), Thailand's comprehensive data protection law. It was enacted in May 2019 and came into full enforcement on June 1, 2022, after multiple postponements due to the COVID-19 pandemic. The law is administered by the Personal Data Protection Committee (PDPC) and the Office of the Personal Data Protection Committee (OPDPC). It applies to any organization that collects, uses, or discloses personal data of individuals in Thailand, regardless of whether the organization is based in the country.
PDPA imposes three types of penalties: (1) Administrative fines of up to 5 million THB per violation, issued by the Expert Committee; (2) Criminal penalties including imprisonment of up to 1 year and/or fines of up to 1 million THB for certain offenses such as unauthorized use of sensitive data; and (3) Civil liability including actual damages, with punitive damages of up to twice the actual damages awarded by the court. Directors and officers can be held personally liable if the violation occurred by their order or with their knowledge and consent.
Under Section 41 of the PDPA, a DPO must be appointed when: (1) the data controller or processor is a public authority; (2) the organization's core activities require regular and systematic monitoring of data subjects on a large scale; or (3) the organization's core activities involve large-scale processing of sensitive personal data. The DPO can be an employee or an external service provider, and their contact details must be published and communicated to the PDPC. Even when not legally required, appointing a DPO is considered best practice.
Yes, but cross-border data transfers are restricted under PDPA Sections 28-29. The receiving country must have adequate data protection standards as determined by the PDPC, or the transfer must fall under specific exceptions: compliance with law, consent of the data subject (after being informed of inadequate standards), performance of a contract, vital interests, important public interest, or legal claims. Organizations can also use Binding Corporate Rules (BCRs) or Standard Contractual Clauses approved by the PDPC for intra-group or third-party transfers.
A specialized PDPA lawyer helps businesses achieve compliance through: data mapping and gap analysis; drafting compliant privacy notices, consent forms, and data processing agreements; advising on lawful bases; establishing breach notification procedures (72-hour rule); setting up data subject rights request workflows; advising on cross-border transfer mechanisms; conducting DPIAs; training staff; and acting as or supporting the DPO. Thundthornthep Yamoutai, Ph.D. and Legal Advance Solution (LAS) provide end-to-end PDPA advisory services leveraging AI-powered legal research tools.
Disclaimer: This article is prepared for academic and general educational purposes only and does not constitute legal advice for any specific case. Readers should consult a legal advisor before taking any action.
Thundthornthep Yamoutai, Ph.D.
Attorney, PDPA compliance specialist, AI legal technology researcher, and Founder & Managing Director of Legal Advance Solution Co., Ltd. (LAS). Thundthornthep Yamoutai, Ph.D. holds a Ph.D. (DPA) and has over 20 years of experience in corporate law, contract law, PDPA compliance, real estate, due diligence, and dispute resolution. He lectures at Kasetsart University, Bangkokthonburi University, and Suan Sunandha Rajabhat University, and has published research through ACI (Academic Conferences International). His NIA-funded AI legal research system represents one of Thailand's most advanced applications of artificial intelligence to legal practice. He serves as a member of a Parliamentary Committee related to legal affairs. His signature practice areas include Due Diligence (DD), Condition Precedent (CP) analysis, and PDPA compliance advisory.