Complete Guide to PDPA Compliance in Thailand

1. What is PDPA? Thailand's Personal Data Protection Act B.E. 2562 (2019)

The Personal Data Protection Act B.E. 2562 (2019), commonly known as PDPA, is Thailand's first comprehensive data protection legislation. Often compared to the European Union's General Data Protection Regulation (GDPR), the PDPA establishes a legal framework governing the collection, use, disclosure, and transfer of personal data by organizations operating in or targeting individuals within the Kingdom of Thailand.

The PDPA was enacted to address growing concerns about data privacy in Thailand's rapidly digitalizing economy. Before PDPA, data protection obligations were scattered across sector-specific regulations — including the Computer Crime Act B.E. 2550 (2007), the Credit Information Business Act, and various notifications from the National Broadcasting and Telecommunications Commission (NBTC). The PDPA consolidated and strengthened these protections into a single, unified law with extraterritorial reach.

The PDPA defines "personal data" broadly as any information relating to a person that enables the identification of that person, whether directly or indirectly — but not including information of a deceased person. This includes names, identification numbers, addresses, phone numbers, email addresses, photographs, biometric data, IP addresses, cookie identifiers, location data, and any other information that can identify a natural person.

The law further recognizes a special category of "sensitive personal data" (Section 26), which includes data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal records, trade union membership, genetic data, biometric data used for identification, health data, disability, sexual orientation, and any other data prescribed by the PDPC. Sensitive data is subject to heightened protection requirements and generally cannot be processed without explicit consent.

1.1 Key Roles Under PDPA

2. When Did PDPA Come Into Effect? Enforcement Timeline and Key Milestones

The PDPA's path to full enforcement was marked by several postponements, largely due to the COVID-19 pandemic. Understanding this timeline is important for organizations assessing their compliance obligations and potential liability exposure.

3. Who Must Comply with PDPA? Scope of Application — Territorial and Extraterritorial Reach

The PDPA has a broad scope of application. It applies to the collection, use, and disclosure of personal data by data controllers and data processors in the following circumstances:

• Organizations located in Thailand — Any company, partnership, foundation, association, or governmental body that collects, uses, or discloses personal data within the Kingdom of Thailand.
• Organizations outside Thailand (extraterritorial scope) — The PDPA applies to foreign organizations if they: (a) offer goods or services to data subjects in Thailand, regardless of whether payment is required; or (b) monitor the behavior of data subjects in Thailand.

3.1 Entities Subject to PDPA

3.2 Exemptions (Section 4)

The PDPA provides limited exemptions, including:

• Personal or household activities with no commercial connection
• Operations of public media in accordance with professional ethics
• Activities of the House of Representatives, Senate, and Parliament
• Court proceedings and judicial activities
• Credit bureau operations already governed by specific legislation

4. The 6 Lawful Bases for Data Processing PDPA Section 24 — Conditions for Lawful Collection and Use

Under PDPA Section 24, a data controller may not collect personal data without the consent of the data subject, unless one of the other lawful bases applies. This "consent by default" framework is one of the key features of the PDPA that organizations must understand and apply correctly for each processing activity.

4.1 Special Rules for Sensitive Personal Data (Section 26)

For sensitive personal data, the PDPA imposes stricter requirements. Processing of sensitive data is generally prohibited unless:

• The data subject has given explicit consent (not merely implied)
• Processing is necessary to protect the vital interests of the data subject who is incapable of giving consent
• Processing relates to data manifestly made public by the data subject
• Processing is necessary for the establishment, exercise, or defense of legal claims
• Processing is necessary for compliance with a law (e.g., occupational health requirements)
• Processing is carried out by a non-profit body for its members, with appropriate safeguards

5. 8 Data Subject Rights Under PDPA Rights Guaranteed to Individuals — 30-Day Response Requirement

The PDPA grants data subjects eight fundamental rights regarding their personal data. Organizations must establish internal processes to handle these rights requests and respond within 30 days of receiving a valid request.

6. Key Compliance Requirements Operational Obligations for Data Controllers and Processors

Beyond understanding lawful bases and data subject rights, organizations must implement several operational compliance measures under the PDPA. This section covers the five most critical requirements that every data controller and data processor must address.

6.1 Privacy Notice (Section 23)

Data controllers must provide a privacy notice to data subjects before or at the time of data collection. The privacy notice must include:

• The purpose of collecting, using, or disclosing personal data
• The categories of personal data collected
• The period of data retention (or the criteria used to determine that period)
• The categories of persons or entities to whom personal data may be disclosed
• Contact details of the data controller and, where applicable, the DPO
• The rights of the data subject
• If applicable, consequences of refusing to provide personal data

6.2 Consent Management (Sections 19–20)

Where consent is the lawful basis for processing, the PDPA imposes specific requirements:

• Consent must be freely given, specific, informed, and unambiguous
• The request for consent must be clearly distinguishable from other matters
• Consent for sensitive data must be explicit
• Pre-ticked boxes or silence do not constitute valid consent
• Consent must be as easy to withdraw as it was to give
• The data controller bears the burden of proving that valid consent was obtained
• Consent obtained through deception or misleading the data subject is void

6.3 Data Processing Agreement (Section 40)

When a data controller engages a data processor (e.g., a cloud service provider, payroll vendor, or marketing platform), the controller must enter into a written Data Processing Agreement (DPA) that specifies:

• The scope and purpose of data processing
• Instructions from the controller to the processor
• Data security measures the processor must implement
• Obligations regarding sub-processing
• Data breach notification obligations
• Data return or destruction upon termination of the agreement

6.4 Data Protection Officer (Sections 41–42)

A Data Protection Officer (DPO) must be appointed in the following situations:

• The data controller or processor is a public authority
• Core activities require regular and systematic monitoring of data subjects on a large scale
• Core activities involve large-scale processing of sensitive personal data

The DPO's responsibilities include:

• Advising the data controller or processor on PDPA compliance
• Monitoring data processing operations for compliance
• Cooperating with the PDPC and serving as the contact point for the PDPC
• Maintaining confidentiality in performing their duties

The DPO can be an internal employee or an external service provider. The data controller must ensure the DPO has sufficient independence, resources, and access to carry out their functions without interference. The DPO's contact details must be published and communicated to the PDPC. Even where a DPO is not legally required, appointing one is considered best practice.

6.5 Data Breach Notification (Section 37(4))

The breach notification to the PDPC must include:

• The nature of the personal data breach, including categories and approximate number of affected data subjects
• The name and contact details of the DPO or relevant contact point
• The likely consequences of the breach
• The measures taken or proposed to address the breach and mitigate adverse effects

7. Cross-Border Data Transfer Under PDPA Sections 28–29 — International Data Transfer Rules

Sections 28 and 29 of the PDPA regulate the transfer of personal data to foreign countries. This is particularly relevant for multinational companies, organizations using cloud services hosted abroad, and businesses that share data with overseas partners.

7.1 General Rule

A data controller may transfer personal data to a foreign country only if the destination country has adequate data protection standards as prescribed by the PDPC. As of April 2026, the PDPC has not yet published a definitive list of countries deemed to have adequate standards, though guidance is evolving.

7.2 Exceptions Allowing Cross-Border Transfer

Even without an adequacy determination, cross-border transfers are permitted in the following circumstances:

8. PDPA Penalties and Enforcement Administrative, Criminal, and Civil Liability

The PDPA imposes three categories of penalties for non-compliance: administrative, criminal, and civil. These can be imposed concurrently, meaning an organization could face all three types of liability for a single violation.

8.1 Administrative Penalties

8.2 Criminal Penalties

8.3 Civil Liability (Sections 77–78)

• A data controller or processor who violates the PDPA and causes damage to a data subject is liable for actual damages
• The court may award punitive damages of up to twice the actual damages
• The burden of proof is on the data controller/processor to demonstrate they were not negligent (reverse burden of proof)
• Data subjects may file complaints with the PDPC or bring civil lawsuits directly
• Class actions are possible under the Thai Class Action Procedure

9. Step-by-Step PDPA Compliance Checklist 14-Step Methodology Used by LAS in Client Engagements

The following checklist provides a structured, practical roadmap for organizations seeking to achieve and maintain PDPA compliance. This is the methodology used by Legal Advance Solution (LAS) in advising clients across industries.

10. How LAS Helps with PDPA Compliance End-to-End PDPA Advisory Services by Legal Advance Solution Co., Ltd.

Legal Advance Solution Co., Ltd. (LAS), founded by Thundthornthep Yamoutai, Ph.D., provides comprehensive PDPA advisory services that combine over 20 years of legal practice expertise with cutting-edge AI-powered legal technology.

LAS PDPA Advisory Services Include:

• PDPA Gap Analysis and Compliance Assessment — Comprehensive review of current data processing practices against PDPA requirements, with a prioritized remediation roadmap
• Privacy Notice and Policy Drafting — Preparation of legally compliant privacy notices, cookie policies, and internal data protection policies tailored to your business
• Consent Management Advisory — Design and implementation of consent collection mechanisms that meet PDPA standards
• Data Processing Agreement (DPA) Drafting and Review — Preparation of DPAs for vendor relationships and review of existing contracts for PDPA compliance
• DPO-as-a-Service — Outsourced Data Protection Officer services for organizations that need a DPO but prefer external expertise
• Data Breach Response Planning — Development of breach notification procedures and templates to meet the 72-hour PDPC notification requirement
• Cross-Border Data Transfer Advisory — Assessment and structuring of international data transfers using appropriate legal mechanisms
• Employee PDPA Training — Customized training programs for management, HR, IT, marketing, and operational teams
• Data Protection Impact Assessments (DPIAs) — Risk assessments for high-risk processing activities
• Ongoing Compliance Monitoring — Regular reviews and updates to ensure continued compliance as regulations evolve

11. Frequently Asked Questions FAQ — PDPA Compliance in Thailand

Q1: What is PDPA and when did it come into full effect in Thailand?

PDPA stands for the Personal Data Protection Act B.E. 2562 (2019), Thailand's comprehensive data protection law. It was enacted in May 2019 and came into full enforcement on June 1, 2022, after multiple postponements due to the COVID-19 pandemic. The law is administered by the Personal Data Protection Committee (PDPC) and the Office of the Personal Data Protection Committee (OPDPC). It applies to any organization that collects, uses, or discloses personal data of individuals in Thailand, regardless of whether the organization is based in the country.

Q2: What are the penalties for PDPA non-compliance in Thailand?

PDPA imposes three types of penalties: (1) Administrative fines of up to 5 million THB per violation, issued by the Expert Committee; (2) Criminal penalties including imprisonment of up to 1 year and/or fines of up to 1 million THB for certain offenses such as unauthorized use of sensitive data; and (3) Civil liability including actual damages, with punitive damages of up to twice the actual damages awarded by the court. Directors and officers can be held personally liable if the violation occurred by their order or with their knowledge and consent.

Q3: Do I need a Data Protection Officer (DPO) under Thailand's PDPA?

Under Section 41 of the PDPA, a DPO must be appointed when: (1) the data controller or processor is a public authority; (2) the organization's core activities require regular and systematic monitoring of data subjects on a large scale; or (3) the organization's core activities involve large-scale processing of sensitive personal data. The DPO can be an employee or an external service provider, and their contact details must be published and communicated to the PDPC. Even when not legally required, appointing a DPO is considered best practice.

Q4: Can personal data be transferred outside Thailand under PDPA?

Yes, but cross-border data transfers are restricted under PDPA Sections 28–29. The receiving country must have adequate data protection standards as determined by the PDPC, or the transfer must fall under specific exceptions: compliance with law, consent of the data subject (after being informed of inadequate standards), performance of a contract, vital interests, important public interest, or legal claims. Organizations can also use Binding Corporate Rules (BCRs) or Standard Contractual Clauses approved by the PDPC for intra-group or third-party transfers.

Q5: How can a PDPA lawyer help my business achieve compliance in Thailand?

A specialized PDPA lawyer helps businesses achieve compliance through: data mapping and gap analysis; drafting compliant privacy notices, consent forms, and data processing agreements; advising on lawful bases; establishing breach notification procedures (72-hour rule); setting up data subject rights request workflows; advising on cross-border transfer mechanisms; conducting DPIAs; training staff; and acting as or supporting the DPO. Thundthornthep Yamoutai, Ph.D. and Legal Advance Solution (LAS) provide end-to-end PDPA advisory services leveraging AI-powered legal research tools.