Thailand’s Personal Data Protection Act (PDPA) modernized Thai privacy law, created the Personal Data Protection Committee (PDPC) as regulator, and turned data protection from a “best practice” into a day-to-day operational and legal requirement for organizations doing business in or targeting people in Thailand. Below is a practical, practitioner-friendly guide: scope and timing, core duties, sensitive data and data-subject rights, cross-border transfers, breach rules and enforcement trends, plus concrete controls and a 30/60/90-day compliance checklist.
Quick headline — where we are now
The PDPA (Personal Data Protection Act B.E. 2562) was enacted in 2019 and — after subordinate rules and implementation phases — came into full force on 1 June 2022. The PDPC now issues guidance and enforces the law.
Who the law covers — scope and extraterritorial reach
The PDPA applies to personal data about identifiable natural persons processed by data controllers and processors in Thailand. It also reaches foreign organizations in many cases: businesses outside Thailand that offer goods or services to, or monitor the behaviour of, individuals in Thailand will likely fall within PDPA scope — so digital services, apps and targeted advertising aimed at Thai residents commonly trigger obligations.
Core duties — controllers, processors and lawful bases
Key operational duties mirror international practice but have Thai specifics:
- Lawful bases: process personal data only where a lawful basis exists (consent, contractual necessity, legal obligation, vital interests, public interest or other PDPC-recognized grounds). Document the legal basis for each processing activity.
- Controller/processor roles: controllers determine purposes; processors act only on instructions and must be contractually bound. Controllers bear the primary duty to ensure processors are compliant.
- Purpose limitation & minimization: collect only what’s necessary and keep it no longer than required.
- Transparency: provide clear privacy notices that tell data subjects what you do and why.
- Security: adopt appropriate technical and organizational measures proportionate to the risk (access controls, encryption, logging).
Practical point: modern PDPA practice emphasizes documented risk assessments (DPIAs) for high-risk processing and records of processing activities (ROPA).
Sensitive personal data — handle with care
The PDPA treats special categories (health, biometric identifiers, racial/ethnic origin, political opinions, sexual life, criminal history, and similar) with heightened protection. Processing these categories generally requires explicit consent or a specific statutory exception, and organizations must justify why they need such data and what extra protections are in place. For healthcare, HR and background checks, plan extra technical (encryption, restricted access) and contractual controls.
Data subject rights — what people can demand
Thai law gives data subjects rights similar to other modern regimes: access, rectification, erasure (in some cases), objection, restriction, data portability and the right not to be subject to solely automated decisions that produce legal or similarly significant effects. Organizations must provide a mechanism to receive these requests, reliably verify the requester's identity, and respond within PDPC timeframes. Build a single operational workflow for data subject requests (SARs), with defined identity-verification steps and an audit log of every request and response.
Cross-border transfers — adequacy & safeguards
Transfers of personal data out of Thailand require that the destination has an adequate level of protection, or that the exporter implements PDPC-approved safeguards (standard contractual clauses, binding instruments, certifications or other appropriate safeguards). The PDPC’s notifications spell out adequate-country considerations and practical safeguards — most organizations will rely on updated contractual clauses and transfer impact assessments for cloud and regional processing.
Practical tip: maintain a transfer register, map where processing occurs, and attach contractual clauses and DPIAs to each cross-border flow.
Breach notification — the practical 72-hour standard
The PDPC requires controllers to notify the regulator without undue delay and — where feasible — within 72 hours after becoming aware of a breach that poses risk to individuals’ rights and freedoms. Not all incidents must be reported (low-risk incidents can be documented but not reported), but you must keep a written risk assessment supporting any non-notification decision. The PDPC has clarified that the 72-hour clock starts when the controller reasonably believes a breach has occurred.
Prepare an incident triage playbook that documents detection → containment → risk assessment → PDPC notification and data-subject communications.
Enforcement trends & penalties — real money at risk
Enforcement under the PDPA has moved from awareness to action. The PDPC has imposed administrative fines (including seven-figure baht penalties in serious cases), ordered corrective measures, and publicly reprimanded organizations. Criminal penalties also exist in limited cases. Recent enforcement action in 2024–2025 shows the regulator targets high-risk sectors (healthcare, finance, large service providers) and incidents that expose wide-scale personal or sensitive data. Budget for remediation, legal costs and potential penalties.
Practical technical & organizational controls (must-haves)
At minimum, proportionate, documented measures should include:
- Governance: appointed PD lead or DPO where required, privacy policy, ROPA and DPIAs for high-risk systems.
- Access control & least privilege: role-based access and strong authentication, with privileged access reviews.
- Encryption & pseudonymization: for sensitive fields and backups.
- Vendor due diligence: security clauses, right to audit, and evidence of processor compliance.
- Incident response: detection, playbooks, forensic capability, PDPC notification templates and data-subject communications.
- Staff training: role-based PDPA training and phishing awareness.
Match controls to risk and document everything — PDPC audits are document intensive.
30/60/90-day compliance checklist (practical)
0–30 days
- Map personal-data flows (high level) and appoint a PD lead.
- Draft/update privacy notice and publish on the main website.
30–60 days
- Run DPIAs for top 2–3 high-risk systems (CCTV, HR, health data, tracking).
- Update vendor contracts with PDPA-compliant clauses and record processor responsibilities.
60–90 days
- Test incident response with a tabletop breach exercise and prepare PDPC notification templates.
- Implement SAR workflow with SLA (log every request).
Final practical advice
Treat PDPA compliance as an ongoing operational program, not a one-off project. Focus first on: (1) mapping your flows and documenting legal bases, (2) protecting high-risk datasets (health, biometrics), (3) fixing cross-border contracts and transfer records, and (4) building a tested breach response that meets the PDPC’s 72-hour expectation.