Personal Data Protection Act

Thailand’s PDPA is the country’s first omnibus data-privacy law. It brought modern data-protection rules into national practice, created the Personal Data Protection Committee (PDPC) as regulator, and introduced compliance duties that organizations — local and foreign — must treat as permanent business costs and risk drivers. This guide explains scope and territorial reach, core legal obligations (controllers/processors), data-subject rights, cross-border transfers, breach rules and enforcement, and gives a practical compliance checklist you can apply right away.

Quick headline: what the PDPA does and when it landed

The PDPA (Personal Data Protection Act B.E. 2562 (2019)) became law in 2019 and, after implementation steps and subordinate regulations, came into full force on 1 June 2022. The PDPC now issues detailed notifications and enforces the law.

Who the law covers — scope and extraterritorial reach

The PDPA applies to personal data (any information relating to an identified or identifiable natural person) processed by controllers and processors inside Thailand — and it also applies extraterritorially in many cases: foreign organizations that offer goods or services to, or monitor the behaviour of, individuals in Thailand can fall within its scope. That means cross-border digital services, apps and targeted advertising aimed at Thai residents commonly trigger PDPA obligations.

Core duties — controllers, processors and lawful bases

Key operational duties mirror international practice but have Thai specificities:

  • Lawful bases: processing must rest on a permitted ground (consent, contractual necessity, legal obligation, vital interests, public interest, legitimate interests as defined by subordinate rules).
  • Controller / processor roles: controllers set purposes and must ensure processors are contractually bound to comply and use adequate safeguards.
  • Data minimisation & purpose limitation: collect only what’s necessary and keep it only as long as required.
  • Transparency & privacy notices: data subjects must receive clear information about purpose, rights and transfer practices.
  • Security measures: controllers must adopt suitable technical and organizational measures and review them periodically.

Many organizations initially focused on consent, but modern PDPA practice recognizes multiple lawful bases and emphasizes documentation of the legal basis for each activity, plus data protection impact assessments (DPIAs) for high-risk processing.

Sensitive personal data — tighter rules

The PDPA treats certain categories (health, biometric identifiers, race, political opinions, sexual life, criminal history, and other sensitive items) with higher protection. Processing sensitive data typically requires explicit consent or a specifically enumerated exception; the PDPC’s notifications and guidance expand on how to handle special categories in healthcare, employment and background checks. Treat any sensitive data processing as higher risk and plan extra controls (encryption, strict access controls, limited retention).

Data subject rights — what people can demand

Thai law gives data subjects a broad set of rights similar to other modern regimes: right to access, right to obtain a copy, right to rectification, deletion (erasure) in some circumstances, objection to processing, restriction, and the right not to be subject to solely automated decisions where significant effects occur. You must publish mechanisms to receive and respond to these requests, and you must do so within the timeframes set by PDPC guidance. Practical point: set a single internal workflow and SLAs for SARs (subject access requests) and log every step.

Cross-border transfers — adequacy, safeguards and exceptions

Cross-border data transfer rules require that personal data leaving Thailand have an adequate level of protection in the destination jurisdiction, or that the exporter has implemented PDPC-approved safeguards (binding contractual clauses, codes of conduct, certification mechanisms or specific notifications). The PDPC also lists specific exceptions (e.g., where the transfer is necessary for contract performance or vital interests). In practice, most organizations use updated contractual clauses and transfer impact assessments to satisfy the PDPA for cloud and regional processing.

Data breach notification — the 72-hour standard (practical)

The PDPC requires data controllers to notify the regulator without undue delay and, where feasible, within 72 hours after becoming aware of a breach that poses risk to individuals’ rights and freedoms. Internal triage is essential: not every security incident must be reported, but you must document the risk assessment that led to a non-notification decision. The PDPC’s clarifications set out timing (the clock starts when you reasonably believe a breach occurred or may occur) and required content of notifications.

Enforcement, fines and recent trends

The PDPC has authority to impose administrative fines, orders to cease processing, corrective measures, and public reprimands. Enforcement has become real: since 2024 the PDPC has started issuing high-profile administrative fines covering millions of baht for failures such as missing data protection officers (DPOs), poor security, and breaches that led to fraud or leakage. Expect enforcement to increase, and expect the PDPC to publish enforcement guidance and follow-up rulings that tighten expectations.

Practical technical & organizational controls

At minimum, the PDPA expects documented measures proportionate to risk:

  • Governance: appoint a DPO where required (or a responsible person), maintain an internal data-protection policy, and keep a processing register.
  • Access controls & least privilege: role-based access, strong authentication, and logging.
  • Encryption & pseudonymisation: protect data at rest and in transit.
  • Patch & asset management: timely software updates and managed inventory.
  • Vendor controls: security clauses, audits, and right to inspect processors.
  • Incident response: detection, containment, forensics, notification and post-incident remediation.

Technical measures must be paired with staff training and a culture of data protection.

Compliance roadmap — pragmatic steps for businesses

  1. Map: inventory personal data flows and build a record of processing activities (ROPA).
  2. Assess: DPIAs for high-risk systems (profiling, health data, large-scale monitoring).
  3. Lawful basis: document the legal basis for each processing activity and update privacy notices.
  4. Contracts: update vendor contracts and include PDPA-compliant transfer clauses.
  5. Breach plan: draft and test an incident response playbook including 72-hour notification triggers.
  6. Rights process: implement an operational SAR workflow with verification steps and SLAs.
  7. Train & test: mandatory staff training, phishing exercises and tabletop incident drills.
  8. Monitor & audit: periodic reviews, third-party audits and KPI dashboards for privacy risk.

Final practical tips & common traps to avoid

  • Don’t rely solely on checkbox consent: diversify lawful bases and keep consent records where you use consent.
  • Keep originals and logs: in Thai practice, documentary proof and logs matter in audits and enforcement.
  • Plan cross-border architecture early: migrating services to regional cloud providers requires transfer assessments and contractual remedies.
  • Start with high-risk areas: HR files, customer databases, CCTV and health data are frequent audit targets.
  • Budget for enforcement: fines and remediation costs are real; treat PDPA as an operational compliance program, not a one-off project.

Checklist — immediate actions (30/60/90 days)

  • 0–30 days: run a data inventory and appoint a personal-data protection lead; map high-risk assets.
  • 30–60 days: implement SAR workflow, update privacy notices, and start DPIAs for top 3 systems.
  • 60–90 days: update contracts with processors, test incident response and patch critical systems.
  • Ongoing: staff training every quarter, annual audits, and board reporting on privacy KPIs.