PDPA Compliance Guide for Business in Thailand:
The C-Suite Legal Guide

1. Introduction — Why B2B Businesses Must Prioritize Thailand's PDPA The PDPA and its Implications for B2B Operations

When the Personal Data Protection Act B.E. 2562 (2019) (PDPA) came into full effect on 1 June 2022, most Thai businesses directed their compliance attention toward consumer-facing data practices — cookie banners on websites, marketing consent forms, and customer data registers. Business-to-Business (B2B) companies frequently underestimated their PDPA exposure, operating under the misconception that the law primarily governed retail and e-commerce contexts.

In reality, B2B companies process personal data at virtually every stage of their commercial operations. The names, email addresses, and identification details of client employees who are contact persons, the authorized signatories of counterparty companies, HR data obtained in outsourcing engagements, and user account data in Software-as-a-Service (SaaS) and Cloud Computing platforms — all of these fall squarely within the scope of the Personal Data Protection Act B.E. 2562 (2019).

Moreover, B2B businesses typically operate in more complex roles within the PDPA ecosystem than their B2C counterparts. A single company may simultaneously act as a Data Controller with respect to its own employees' data, while functioning as a Data Processor on behalf of its corporate clients who are Data Controllers. This dual-role complexity makes PDPA compliance for B2B significantly more technically demanding than for B2C and requires a higher degree of legal expertise to implement correctly.

This guide is prepared for C-Suite executives and in-house legal teams who require a comprehensive understanding of the PDPA in the B2B business context. It covers key definitions, the seven lawful processing bases, the role of the Data Processing Agreement (DPA) in the supply chain, cross-border data transfer requirements, penalties, case studies, and a 30-item compliance checklist for immediate implementation.

2. Legal Framework — Personal Data Protection Act B.E. 2562 (2019) Scope, Key Definitions, Lawful Bases, and Data Subject Rights

The Personal Data Protection Act B.E. 2562 (2019) was published in the Royal Gazette on 27 May 2019 and entered into full force on 1 June 2022. The Act's purpose is to protect the rights of natural persons (data subjects) and to impose obligations on Data Controllers and Data Processors regarding the collection, use, and disclosure of personal data. The Act draws heavily on the structural framework of the European Union's General Data Protection Regulation (GDPR) while adapting it to the Thai legal context.

2.1 Key Definitions: Data Controller vs Data Processor

Understanding the distinction between Data Controller and Data Processor is the most fundamental prerequisite for PDPA compliance in the B2B context. The legal duties and liability exposure of the two roles differ substantially under the Act.

2.2 Seven Lawful Bases for Processing Personal Data

The Personal Data Protection Act B.E. 2562 (2019), Section 24 provides six lawful bases on which a Data Controller may process personal data without requiring the data subject's consent, in addition to the consent basis under Section 19, bringing the total to seven lawful processing bases:

2.3 Eight Data Subject Rights

Chapter 3 of the Personal Data Protection Act B.E. 2562 (2019) (Sections 30–43) establishes eight rights of data subjects that Data Controllers must have mechanisms in place to accommodate:

3. PDPA for B2B Businesses — Key Differences from B2C Compliance Structural Complexity, Cross-Border Transfer, and DPA Requirements

PDPA compliance for B2B businesses presents distinct challenges and unique legal issues that differ substantially from B2C compliance. The following analysis identifies the areas of greatest practical significance for B2B operators.

3.1 Client Employee Data vs Consumer Data

In the B2B environment, companies routinely collect and process personal data of individuals who are employees of other juristic persons — managing directors, departmental managers, procurement officers, and IT contacts of client companies. Each of these individuals is a "data subject" with full rights under the PDPA, regardless of the fact that the data was collected in a business-to-business commercial context rather than a consumer transaction.

Unlike B2C scenarios where the data subject is typically the end consumer and is aware of providing their data, in B2B supply chains the data subject — often a client's employee — may have no awareness that their personal data has been shared further down the service chain. A single dataset may pass from a parent company to an IT service provider, to an overseas data center, without the individual employee ever being informed. This creates significant Transparency and Notice compliance risk.

3.2 Cross-Border Data Transfers

The Personal Data Protection Act B.E. 2562 (2019), Section 28 restricts the transfer or sending of personal data to foreign countries or international organizations. The destination country or organization must provide an adequate standard of personal data protection — a requirement of particular significance for B2B companies that rely on foreign-hosted Cloud or SaaS systems.

The Office of the Personal Data Protection Committee (PDPC) has issued notifications governing cross-border data transfers, establishing the following lawful transfer mechanisms:

1. Adequacy Decision: The destination country has been formally recognized as providing an adequate level of data protection by the PDPC (the list of adequate countries is still being developed as of the date of this article).
2. Standard Contractual Clauses (SCC): A data transfer agreement using standard clauses prescribed or recognized by the PDPC, ensuring a level of protection equivalent to Thai law.
3. Binding Corporate Rules (BCR): For intra-group transfers within a corporate group, internal rules approved by the PDPC may substitute for bilateral SCC arrangements between each pair of group entities.
4. Explicit Consent: In certain limited circumstances, the data subject's explicit consent may be relied upon, provided the data subject is informed in advance that the destination country may not provide an adequate standard of protection.

3.3 Data Processing Agreement (DPA) Between Business Partners

A Data Processing Agreement (DPA) is a written contract that defines the duties, responsibilities, and security measures governing the relationship between a Data Controller (the client) and a Data Processor (the B2B service provider). The Personal Data Protection Act B.E. 2562 (2019), Section 40 requires Data Controllers to use Data Processors that provide sufficient data protection measures and mandates that the processing relationship be governed by a written contract.

A comprehensive DPA in the Thai B2B context should include the following essential provisions:

1. Scope and Purpose of Processing: Precisely defines what personal data the Processor is authorized to process, for which purposes, with an express prohibition on processing for any other purpose.
2. Categories of Personal Data and Data Subjects: Specifies the types of data (e.g., name, email, national ID) and the categories of data subjects (e.g., employees, customers).
3. Technical and Organizational Security Measures: Establishes minimum security requirements including encryption, access controls, backup and recovery procedures, and incident logging.
4. Sub-Processor Authorization: Defines the conditions and restrictions governing the Processor's engagement of sub-processors, typically requiring prior written consent from the Controller.
5. Breach Notification: Sets out the timeframe and procedure for notifying the Controller of any personal data breach discovered by the Processor.
6. Audit Rights: Grants the Data Controller the right to audit the Processor's compliance with the DPA and the PDPA.
7. Data Return or Deletion: Requires the Processor to return or securely delete all personal data upon termination of the service agreement.

4. The 6-Step PDPA Compliance Roadmap Building a Robust PDPA Framework for B2B Operations

Establishing a PDPA compliance framework for a B2B business should follow a structured six-step process. Each step has a clearly defined deliverable that allows progress to be measured and reported to senior management.

4.1 Data Mapping — The Essential Starting Point

Data Mapping — the process of identifying and documenting all personal data flows within and out of the organization — is the indispensable first step of any PDPA compliance program. For B2B companies, data mapping should be organized into the following categories to reflect the multiple roles in which personal data arises:

1. Employee Data: Name, address, national ID number, banking details, health information (where applicable) — the latter constituting sensitive personal data under Section 26, requiring an elevated standard of care.
2. B2B Contact Data: Names, job titles, email addresses, and phone numbers of contact persons at client and partner companies — personal data of natural persons even when collected in a commercial context (Section 6).
3. Data Processed as Processor: All personal data received from clients in the capacity as Data Processor, subject to the terms of the applicable DPA.
4. Digital Systems Data: Log files, IP addresses, cookies, and user behavior data generated through the organization's digital infrastructure.

4.2 When Is a DPIA Required?

A Data Protection Impact Assessment (DPIA) is mandatory for processing activities that are likely to result in a high risk to the rights and freedoms of natural persons. In the B2B context, this includes:

1. Large-scale processing of sensitive personal data under Section 26 — including health data, biometric data, and religious affiliation data.
2. Automated processing (including profiling) that produces legal or similarly significant effects on individuals.
3. Processing of personal data of vulnerable groups, including minors and elderly persons.
4. Combining datasets from new sources in ways that may enable re-identification of data subjects.
5. Large-scale cross-border transfers of personal data.

4.3 DPO — Role, Qualifications, and When Required

The Data Protection Officer (DPO) under the Personal Data Protection Act B.E. 2562 (2019), Section 41 has four core functions: advising the organization on PDPA compliance, monitoring compliance with the Act, coordinating with the PDPC, and serving as a point of contact for data subjects exercising their rights under the Act.

A DPO is not required to be an internal employee — an external DPO arrangement is expressly authorized under Section 41, paragraph 2, making it a cost-effective option for mid-sized B2B companies that do not have the resources for a dedicated full-time compliance role. The DPO must have sufficient knowledge of applicable data protection law to fulfil the functions of the role effectively.

5. Penalties — Administrative, Civil, and Criminal Cumulative Penalty Exposure Under Thailand's PDPA

The Personal Data Protection Act B.E. 2562 (2019) establishes penalties across three distinct legal tracks — administrative, civil, and criminal — which may all apply concurrently to the same violation. The potential cumulative financial exposure is therefore substantially greater than any single penalty category suggests.

5.1 Personal Liability of Directors and Executives

The Personal Data Protection Act B.E. 2562 (2019), Section 91 provides that where a juristic person commits an offense under the Act and the cause is attributable to the direction, act, or omission of a director, manager, or person responsible for the management of the juristic person, that individual shall be subject to the same penalty as the juristic person.

This means that a CEO, CFO, or CTO of a B2B company may face personal criminal liability if a PDPA violation can be attributed to their direction or supervisory failure. This is the most compelling reason for C-Suite executives to take PDPA compliance seriously at the organizational governance level.

6. Case Studies — PDPA Enforcement Scenarios in Thailand Anonymized Composite Cases for Illustrative Purposes

In accordance with LAS client confidentiality standards, the following case studies are anonymized composite illustrations (companies designated A, B, C, D) and are presented for educational purposes only. They are not descriptions of any specific adjudicated case.

7. B2B PDPA Compliance Checklist — 30 Action Items Structured Across 5 Compliance Categories

The following 30-item checklist covers the essential actions B2B businesses should implement to build a robust PDPA compliance framework. Items are organized across five categories for ease of implementation planning.

Category A — Data Governance Foundation

• A1. Prepare a Record of Processing Activities (RoPA) covering all personal data processing activities across the organization.
• A2. Designate a Data Owner and Data Steward for each data category.
• A3. Establish a Data Retention Policy specifying retention periods for each category of personal data.
• A4. Publish an up-to-date Privacy Policy on the corporate website and all contact channels.
• A5. Prepare separate Privacy Notices for employees, clients, business partners, and vendors.
• A6. Document the lawful basis for each processing activity and record it in the RoPA.

Category B — Vendor & Partner Management

• B1. Inventory all vendors and sub-processors that access personal data on the organization's behalf.
• B2. Execute a Data Processing Agreement (DPA) with every vendor acting as a Data Processor.
• B3. Verify that vendor DPAs address minimum security measures required under the Act.
• B4. Establish a sub-processor authorization policy requiring Controller approval before any sub-processor engagement.
• B5. Confirm that all foreign Cloud and SaaS providers have a lawful cross-border transfer mechanism compliant with the PDPA.
• B6. Implement a PDPA Vendor Assessment Form for onboarding new vendors who will process personal data.

Category C — Technical Security Measures

• C1. Encrypt personal data both in transit and at rest using appropriate encryption standards.
• C2. Apply the principle of Least Privilege to all personal data access controls.
• C3. Maintain Audit Logs for access to and processing of sensitive personal data.
• C4. Conduct Penetration Testing and Vulnerability Assessments at least annually.
• C5. Implement a Data Breach Detection System with defined alert thresholds.
• C6. Apply Privacy by Design principles to all new system and product development initiatives.

Category D — People & Process

• D1. Train all employees involved in personal data processing on PDPA requirements at least annually.
• D2. Establish a documented workflow (SOP) for handling Data Subject Requests (DSR) within the 30-day statutory response period.
• D3. Implement a Consent Management process for all processing activities relying on the consent lawful basis.
• D4. Develop a Data Breach Incident Response Plan and conduct tabletop exercises at least annually.
• D5. Conduct a DPIA for every high-risk processing activity before it commences.
• D6. Appoint a DPO or Privacy Officer with clearly defined responsibilities and publicly accessible contact information.

Category E — Monitoring & Governance

• E1. Review and update the RoPA, Privacy Policy, and all DPAs whenever processing activities materially change.
• E2. Conduct an internal PDPA Compliance Audit at least annually.
• E3. Monitor PDPC notifications, guidelines, and regulatory updates on an ongoing basis.
• E4. Report PDPA Compliance Status to the Board of Directors or equivalent governance body at least annually.
• E5. Conduct a Privacy Impact Assessment for every new project, product, or service before launch.
• E6. Build a Privacy-First organizational culture with visible commitment from senior leadership.

8. Conclusion PDPA Compliance as a Competitive Advantage for B2B Businesses

The Personal Data Protection Act B.E. 2562 (2019) is not merely a legal compliance burden for B2B businesses — it is an opportunity to build demonstrable trust with clients and business partners. Companies with a mature, well-documented PDPA framework gain a tangible competitive advantage, particularly as corporate clients increasingly impose data governance requirements as a condition of contracting with service providers.

There are five core takeaways for B2B executives: (1) Understand your role — whether you are acting as Data Controller, Data Processor, or both — and structure your compliance program accordingly. (2) Execute DPAs with all vendors and clients before processing commences, without exception. (3) Address cross-border data transfer compliance before selecting any foreign-hosted platform or cloud service. (4) Maintain a documented and tested Data Breach Incident Response Plan. (5) Review and update your compliance program on a regular cadence, not just at implementation.

For B2B businesses at the early stages of PDPA compliance, the recommended starting point is Data Mapping and DPA template development. These two activities form the foundation upon which every other compliance measure is built. Investing in PDPA compliance today is an investment in long-term business sustainability and organizational reputation protection.

Frequently Asked Questions