Legal Advance Solution — PDPA Advisory

PDPA Essentials Every Thai Business Must Know

A practical guide for business owners — not lawyers. Featuring insights from Ms. Nanthanat Saengthong, PDPA Lead at Legal Advance Solution.

Authors: Thundthornthep Yamoutai, Ph.D. — Founder & Managing Director, Legal Advance Solution Co., Ltd. | Co-authored by Ms. Nanthanat Saengthong — PDPA Lead, LAS

Published: April 3, 2026 | Category: Data Protection & Privacy Law | Reading Time: ~8 minutes

Contents

  1. Introduction: PDPA Is in Force, but Most Businesses Are Not Ready
  2. What Is PDPA? (One-Minute Summary)
  3. Five Things Every Entrepreneur Must Do Immediately
  4. PDPA Insights by Ms. Nanthanat Saengthong
  5. Penalties You Need to Know
  6. Follow Ms. Nanthanat Saengthong
  7. Contact LAS for PDPA Advisory

1. Introduction: PDPA Is in Force, but Most Businesses Are Not Ready

Thailand's Personal Data Protection Act B.E. 2562 (2019), commonly known as PDPA, has been fully enforceable since June 1, 2022. Yet, a significant number of Thai businesses have not taken the steps required by law. Some business owners are not even aware that their operations fall within the scope of PDPA.

Many entrepreneurs assume that PDPA is only relevant to technology companies or large corporations. In reality, every business that collects customer or employee data — whether a restaurant, a beauty clinic, an online store, or even a freelancer with a client database — must comply with PDPA.

Surveys by the Office of the Personal Data Protection Committee (OPDPC) indicate that over 70% of Thai SMEs still lack a legally compliant Privacy Policy, and more than 80% have never prepared a Record of Processing Activities (ROPA). These figures demonstrate that a large number of Thai entrepreneurs are at risk of penalties without realizing it.

This article breaks down PDPA in accessible terms — written for business owners, not lawyers. It features practical insights from Ms. Nanthanat Saengthong, PDPA Lead at Legal Advance Solution, a specialist in PDPA compliance for businesses.

2. What Is PDPA? (One-Minute Summary)

PDPA stands for the Personal Data Protection Act B.E. 2562 (2019) (Thai: พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562). It establishes the legal framework for the collection, use, and disclosure of personal data in Thailand. Its purpose is to protect the rights of data subjects from the unlawful use of their personal information.

Who Does PDPA Apply To?

The law applies to every organization that collects, uses, or discloses personal data, including:

Three Tiers of Penalties

Penalty Type         | Details                                                        | Legal Basis
Civil Liability      | Actual damages + punitive damages up to 2x the actual amount   | PDPA Sections 77-78
Criminal Penalties   | Imprisonment up to 1 year and/or fines up to 1 million THB     | PDPA Section 79
Administrative Fines | Fines up to 5 million THB per violation                        | PDPA Section 90

Important: Company directors and authorized officers may be held personally liable if the violation occurred as a result of their order, action, or failure to act.

3. Five Things Every Entrepreneur Must Do Immediately

Action 1: Draft a Privacy Policy

A Privacy Policy is the document that informs customers and employees about what data you collect, why you collect it, how long you retain it, and who has access to it. PDPA requires data controllers to provide these details to data subjects before or at the time of collection.

A good Privacy Policy should be written in plain, accessible language — not dense legal jargon — and should be easy to find, such as on your website or within your mobile application.

Action 2: Obtain Consent Properly

Under PDPA Section 19, consent must be freely given, specific, informed, and unambiguous. It cannot be a pre-ticked checkbox. Consent must be presented separately from other terms and conditions, written in clear language, and the data subject must be able to withdraw consent as easily as it was given.

What not to do: Use pre-ticked checkboxes, bundle consent within other agreements, or make consent a mandatory condition for receiving a service (unless the data is strictly necessary for that service).

Action 3: Appoint a DPO or Responsible Person

Under PDPA Sections 41-42, certain organizations are required to appoint a Data Protection Officer (DPO), particularly those that process data on a large scale or process sensitive personal data. For SMEs that are not legally required to appoint a DPO, it is strongly recommended to designate at least one person to oversee PDPA compliance. A DPO may be an internal employee or an external service provider.

Action 4: Prepare a Record of Processing Activities (ROPA)

A ROPA is a document that records what data your organization collects, where it comes from, how it is used, where it is stored, how long it is retained, and who it is shared with. This document serves as key evidence that your organization complies with PDPA.

A ROPA does not need to be complex. For small businesses, it can start as a simple spreadsheet listing: data category, purpose, lawful basis, retention period, and data recipients.

Action 5: Establish a Breach Notification Plan

Under PDPA Section 37(4), if a personal data breach occurs, the data controller must notify the OPDPC within 72 hours of becoming aware of the breach. If the breach is likely to pose a high risk to the rights of data subjects, the data subjects must also be notified.

Every business should have a Breach Response Plan that clearly defines: who receives reports, the risk assessment process, the channel for notifying the OPDPC, and the method for notifying affected data subjects. It is far better to prepare this in advance than to scramble during an actual incident.

4. PDPA Insights by Ms. Nanthanat Saengthong


Ms. Nanthanat Saengthong (Khun Mhew)

PDPA Lead, Legal Advance Solution Co., Ltd.
Specialist in personal data protection law for businesses

Insight 1: "Health Data Is Not Content"

Ms. Nanthanat emphasizes that patient photographs, before-and-after treatment images, or any information about medical conditions all constitute "sensitive personal data" under PDPA Section 26. Sensitive data is subject to stricter protections than ordinary personal data.

Any beauty clinic, dental practice, or healthcare facility that posts patient photos on social media for marketing purposes without obtaining explicit consent from the data subject is in violation of PDPA, even if the face is blurred or the name is omitted, so long as the person can still be identified.

Recommendation: Prepare a separate consent form specifically for the use of images and health data in marketing materials, distinct from the consent form for medical treatment.

Insight 2: "No Name Does Not Mean No PDPA"

Many business owners mistakenly believe that if they do not include a person's name, PDPA does not apply. Ms. Nanthanat points out that under PDPA Section 6, "personal data" means any information that enables the identification of a person, whether directly or indirectly.

Examples include: national ID numbers, passport numbers, email addresses, phone numbers, facial photographs, GPS location data, IP addresses, Cookie IDs, or even a combination of multiple data points that together can identify an individual. All of these qualify as personal data under the law.

Recommendation: Always assess whether the data your business collects can "identify a person" before concluding that PDPA does not apply.

Insight 3: Social Media Marketing and Targeted Ads

Using customer data for targeted advertising on social media platforms — such as uploading a Customer List to create a Custom Audience on Facebook, or using purchase behavior data for retargeting campaigns — requires a lawful basis under PDPA.

Ms. Nanthanat advises that business owners must determine which lawful basis applies: Consent under Section 19, Legitimate Interest under Section 24(5), or another basis. In all cases, the data subject must have been informed of the marketing purpose.

Recommendation: Clearly state "marketing and advertising" as a purpose in your Privacy Policy, and obtain separate consent for promotional communications.

5. Penalties You Need to Know

PDPA imposes three tiers of penalties, and all three can apply simultaneously for a single violation:

Administrative Fines (Section 90)

Up to 5,000,000 THB per violation. Imposed by the Expert Committee without the need for court proceedings. Examples of conduct that may result in fines include: collecting data without disclosing the purpose, failing to implement appropriate security measures, failing to notify a breach within 72 hours, and failing to maintain a ROPA.

Criminal Penalties (Section 79)

Imprisonment up to 1 year and/or fines up to 1,000,000 THB. These apply to intentional violations, such as using sensitive personal data without consent, or unlawfully disclosing personal data in a manner that causes harm, reputational damage, or public contempt.

Civil Liability (Sections 77-78)

Actual damages plus punitive damages up to twice the actual amount as determined by the court. Data subjects may bring civil claims for both actual harm and emotional distress. Notably, the burden of proof falls on the data controller — not the data subject.

Critical note: Company directors, managers, and authorized officers of a juristic person may be held personally liable if the violation is proven to have resulted from their order, action, or failure to act. PDPA compliance is not just a "company issue" — it is a personal responsibility of business leaders.

6. Follow Ms. Nanthanat Saengthong


BizLaw by Mhew

Ms. Nanthanat Saengthong (Khun Mhew) creates accessible PDPA and business law content for entrepreneurs and business owners. Follow her work:

7. Contact LAS for PDPA Advisory

Legal Advance Solution Co., Ltd. (LAS) provides end-to-end PDPA advisory services, from gap analysis and document preparation (Privacy Policy, Consent Forms, ROPA, Data Processing Agreements) to employee training and outsourced DPO services.

The LAS PDPA team is led by:


Disclaimer: This article is for educational and general informational purposes only and does not constitute specific legal advice. Readers should consult a legal advisor before taking any action.

About the Authors

Thundthornthep Yamoutai, Ph.D.

Founder and Managing Director of Legal Advance Solution Co., Ltd. with over 20 years of experience in Thai business law. Lecturer at Kasetsart University, Bangkokthonburi University, and Suan Sunandha Rajabhat University. NIA-funded AI legal technology researcher. ACI-published scholar. Parliamentary Committee member. Signature practice areas include Due Diligence, Condition Precedent analysis, and PDPA compliance advisory.

Ms. Nanthanat Saengthong (Khun Mhew)

PDPA Lead at Legal Advance Solution Co., Ltd. Specialist in personal data protection compliance for businesses. Creator of PDPA and business law content through BizLaw by Mhew.

Official Profile | Knowledge Hub | LAS Website | @bizlawbymhew
