Personal Data Protection Act
The Personal Data Protection Act (PDPA) B.E. 2562 (2019) is Thailand’s first comprehensive law governing data privacy. Fully enforced since June 1, 2022, and significantly refined by new subordinate regulations in early 2026, the PDPA is heavily modeled after the EU’s General Data Protection Regulation (GDPR).
However, the Thai PDPA carries its own unique local nuances, especially regarding consent, cross-border transfers, and a newly aggressive enforcement posture from the Personal Data Protection Committee (PDPC).
1. The Core Architecture: Scope and Entities
The PDPA applies to any entity that collects, uses, or discloses personal data. It distinguishes between two primary roles:
Data Controller: The person or entity with the power to make decisions regarding the collection, use, or disclosure of personal data. They carry the primary burden of compliance.
Data Processor: An entity that processes data on behalf of or according to the instructions of a Data Controller. While they follow instructions, they have independent legal duties to maintain security and notify the Controller of breaches.
Extra-territorial Reach
Crucially, the PDPA has "extra-territorial" reach. If a company outside Thailand offers goods or services to individuals in Thailand (even if no payment is involved) or monitors the behavior of individuals in Thailand, it must comply with the PDPA and appoint a local representative in Thailand.
2. Lawful Bases for Processing
Under the PDPA, you cannot process personal data unless you have a "lawful basis." Organizations often mistakenly believe consent is the only way to process data. In reality, the PDPA provides seven distinct bases:
Consent: Explicit permission from the data subject.
Contractual Necessity: To perform a contract to which the data subject is a party.
Legal Obligation: To comply with other laws (e.g., labor or tax laws).
Vital Interest: To prevent danger to a person's life, body, or health.
Public Interest: For tasks carried out in the public interest or the exercise of official authority.
Legitimate Interest: Balancing the company’s business needs against the individual’s rights (this requires a "Legitimate Interest Assessment").
Research/Statistics: For historical documents, archives, or research purposes with appropriate safeguards.
Sensitive Data: A Higher Bar
For "Sensitive Personal Data"—which includes health records, religion, sexual orientation, criminal records, and genetic data—the PDPA is much stricter. Processing these usually requires explicit consent unless a specific exception (like medical diagnosis or legal claims) applies.
3. Data Subject Rights
The PDPA shifts the power dynamic from the corporation to the individual. As of 2026, the PDPC has streamlined the process for individuals to exercise these rights:
Right to Withdraw Consent: Must be as easy to withdraw as it was to give.
Right of Access: Individuals can request a copy of their data.
Right to Data Portability: Requesting data in a machine-readable format to move it to another provider.
Right to Object: Objecting to processing for direct marketing or based on legitimate interests.
Right to Erasure (Right to be Forgotten): Requesting deletion when data is no longer necessary or consent is withdrawn.
4. The 2026 Updates: Cross-Border Transfers and BCRs
One of the most complex areas of the PDPA is the transfer of data outside Thailand (Sections 28 and 29). For a long time, businesses operated in a gray area regarding "adequate protection" in destination countries.
Binding Corporate Rules (BCRs)
In February 2026, the PDPC officially launched the BCR Regulation. This allows multinational corporations to create an internal data protection policy that, once certified by the PDPC, permits the seamless transfer of data between global branches without needing individual consent for every transfer.
Standard Contractual Clauses (SCCs)
For transfers to third parties (non-affiliates) in countries without "adequate protection," companies must now use Standard Contractual Clauses—legally binding templates provided by the PDPC—to ensure the receiving party maintains Thai-equivalent standards.
5. Security Measures and Breach Notifications
The PDPA mandates "appropriate security measures" which must cover technical, administrative, and physical safeguards.
The 72-Hour Rule
If a data breach occurs and it is "likely to result in a risk" to individuals, the Data Controller must notify the PDPC within 72 hours of becoming aware of the incident. If the breach is a "high risk" to individuals, the Controller must also notify the data subjects directly and provide remedial measures.
6. The Rise of Enforcement (2024–2026)
Initially, the PDPC focused on education. However, the "grace period" is over. Recent cases highlight the risks of non-compliance:
Major Retailer Fine (2024): A tech retailer was fined 7 million THB for failing to appoint a Data Protection Officer (DPO) and failing to report a significant breach.
Hospital Leak (2025): A hospital was fined over 1.2 million THB after sensitive patient records were leaked due to improper disposal by a third-party contractor.
Government Oversight: Even state agencies are being held accountable; a government agency was recently fined for hiring an "unqualified" processor who lacked proper security controls.
7. Practical Steps for Compliance
To survive a PDPC audit in 2026, organizations should follow this roadmap:
Data Mapping: Identify exactly what data you have, where it is stored, and who has access to it.
Privacy Notices: Update websites and contracts with clear, layered privacy notices.
Appoint a DPO: Many organizations are legally required to have a Data Protection Officer, especially if they process large volumes of data or sensitive info.
Record of Processing (ROPA): Maintain a log of all data activities. This is the first thing a regulator will ask to see.
Processor Agreements: Ensure every third-party vendor (cloud storage, HR payroll, etc.) has a signed Data Processing Agreement (DPA).
Conclusion
The Thai PDPA has matured into a sophisticated regulatory framework that demands more than just a "tick-box" approach. With the 2026 emphasis on accountability—meaning you must be able to prove your compliance with documentation—and the new rules on international transfers, the cost of ignorance has never been higher.
In the digital economy of 2026, data protection is no longer just a legal hurdle; it is a prerequisite for consumer trust and international trade.
Ensure Your Business is in Compliance with the PDPA Thailand’s Personal Data Protection Act 2019, commonly known as the PDPA, outlines stric
Since its full enforcement began in June 2022, Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) has fundamentally reshape










