Thailand Data Privacy Laws: PDPA Compliance Guide (2026)

What Is Thailand's Personal Data Protection Act (PDPA)?
Thailand's Personal Data Protection Act B.E. 2562 (2019) is the primary legislation governing the collection, use, disclosure, and storage of personal data in the country. Published in the Government Gazette on May 27, 2019, the PDPA is Thailand's first comprehensive data protection law.

The PDPA applies to any organization that collects, uses, or discloses the personal data of individuals in Thailand, regardless of whether the organization is based within the country. This extraterritorial reach means that foreign businesses offering goods or services to people in Thailand, or monitoring the behavior of individuals located in Thailand, must comply with the law.
The legislation was originally scheduled to take full effect in 2020. Due to the COVID-19 pandemic, enforcement of key provisions was postponed multiple times. The PDPA's core data protection provisions finally came into full force on June 1, 2022.
The law is broadly modeled on the European Union's General Data Protection Regulation (GDPR), sharing many structural similarities in areas like lawful bases for processing, data subject rights, and breach notification requirements. However, the PDPA includes provisions tailored to Thailand's legal and regulatory environment.
The Personal Data Protection Committee (PDPC)
The Personal Data Protection Committee is the primary regulatory body responsible for overseeing and enforcing the PDPA. The PDPC was formally established on January 18, 2022, when the Announcement of the Prime Minister's Office on the Appointment of Chairperson and Honorary Members was published in the Government Gazette.
PDPC Composition
The Committee consists of:
- A chairperson appointed based on knowledge, skills, and experience in data protection
- A vice-chairperson, a post held ex officio by the Permanent Secretary of the Ministry of Digital Economy and Society (MDES)
- Five commission members designated based on their positions in specific government agencies
- Nine honorary commission members appointed based on expertise in personal data protection, consumer protection, technology, social science, law, health, finance, or related fields
The PDPC is supported by the Office of the Personal Data Protection Committee, which operates under the Ministry of Digital Economy and Society.
PDPC Powers and Responsibilities
The PDPC holds broad authority under the PDPA to:
- Develop a master plan for the promotion and protection of personal data
- Prescribe measures, criteria, and guidelines for business operators
- Issue subordinate regulations and rules under the PDPA
- Investigate complaints and impose administrative penalties
- Determine procedures and strategies for personal data protection operations
- Serve as the point of coordination for international data protection cooperation
As of January 2026, the Office of the PDPC recorded 2,672 PDPA-related complaints, with the highest complaint volumes involving failure to comply with data minimization principles, collection without a lawful basis, and unauthorized use or disclosure of personal data.
Lawful Bases for Processing Personal Data
Under the PDPA, a data controller may not collect, use, or disclose personal data unless it has a valid legal basis. Thailand recognizes seven lawful bases for processing:
1. Consent
The data subject provides freely given, specific, informed, and unambiguous consent. Consent must be distinguishable from other matters, presented in an easily accessible form using clear and plain language. The data subject may withdraw consent at any time, and withdrawal must be as easy as giving it.
2. Contractual Necessity
Processing is necessary for entering into or performing a contract with the data subject. This covers situations such as processing payment information to fulfill a purchase order.
3. Legal Obligation
Processing is necessary to comply with a law to which the data controller is subject. This includes regulatory reporting requirements, tax obligations, and court orders.
4. Vital Interests
Processing is necessary to prevent or suppress danger to a person's life, body, or health. This applies in emergency situations where the data subject is incapable of providing consent.
5. Public Task
Processing is necessary for tasks carried out in the public interest or under official authority vested in the data controller. Government agencies frequently rely on this basis.
6. Legitimate Interests
Processing is necessary for the legitimate interests of the data controller or a third party, except where those interests are overridden by the fundamental rights and freedoms of the data subject. When relying on this basis, organizations should conduct and document a legitimate interest assessment that records the balancing exercise, since this is the evidence the PDPC will ask for if the basis is challenged.
7. Research and Statistics
Processing is necessary for preparing historical documents or archives in the public interest, or for research and statistical purposes, subject to appropriate safeguards for data subject rights.
Sensitive Personal Data
The PDPA defines sensitive personal data as information pertaining to:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Sexual behavior
- Criminal records
- Health data
- Disability
- Trade union membership
- Genetic data
- Biometric data
- Any other category the PDPC may designate
Collection of sensitive personal data is prohibited without the data subject's explicit consent, except in limited circumstances such as protecting the vital interests of a person who is incapable of giving consent, processing by a foundation or nonprofit for its members, or processing data that has been manifestly made public by the data subject.
Organizations whose core activities involve large-scale processing of sensitive personal data are required to appoint a Data Protection Officer (DPO).
Data Subject Rights
The PDPA grants individuals a comprehensive set of enforceable rights over their personal data. Data controllers must respond to rights requests without undue delay and no later than 30 days from the date of the request.
Right to Be Informed
Data subjects have the right to be informed about data processing activities before or at the time personal data is collected. The privacy notice must include the purposes of collection, the categories of data collected, the identity of the data controller, and the data retention period.
Right of Access
Individuals may request access to the personal data a controller holds about them and obtain a copy of that data. The controller must provide the information in a commonly used and readable format.
Right to Rectification
Data subjects can request correction of personal data that is inaccurate, incomplete, or misleading.
Right to Erasure
Individuals may request the deletion or destruction of personal data when it is no longer necessary for the purpose for which it was collected, when consent is withdrawn, or when processing is unlawful.
Right to Data Portability
Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to request that the data be transmitted directly to another data controller where technically feasible.
Right to Object
Individuals may object to the collection, use, or disclosure of their personal data at any time when processing is based on legitimate interests, public interest, or direct marketing.
Right to Restrict Processing
Data subjects may request that a controller limit the processing of their data in specific situations, such as while the accuracy of data is being verified.
Right to Lodge a Complaint
A data subject who believes that a data controller or processor has violated the PDPA may file a complaint directly with the Office of the PDPC.
Data Breach Notification Requirements
Thailand's PDPA imposes strict breach notification obligations on data controllers under Section 37(4).
72-Hour Notification to the PDPC
Data controllers must notify the PDPC of a personal data breach without undue delay and, when feasible, within 72 hours of becoming aware of the breach. The notification is required unless the breach is unlikely to pose a risk to the rights and freedoms of data subjects.
If unavoidable circumstances prevent the controller from meeting the 72-hour deadline, notification must be made no later than 15 days from the date the controller became aware of the breach. In such cases, the controller must provide a valid explanation demonstrating the delay was due to unavoidable reasons.
Notification to Data Subjects
When a breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must notify affected individuals without undue delay. The notification must describe the nature of the breach and provide recommendations for mitigating potential harm.
Risk Assessment Factors
When determining whether a breach requires notification, data controllers should consider:
- The nature and category of the breach (confidentiality, integrity, or availability)
- The type and volume of personal data affected
- The severity of potential impact on data subjects
- Whether the data was encrypted or otherwise protected (encryption only lowers the risk if the keys were not also exposed in the same incident)
- The likelihood of harm based on the circumstances
Documentation Requirements
Controllers must retain all records of their risk assessments, investigations, and findings, including the time at which they became aware of the breach, since both the 72-hour and 15-day clocks run from that point. These records may become critical during complaints, regulatory inquiries, or inspections by the PDPC.
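The notification procedure above (72-hour deadline, 15-day outer limit with an explanation, risk-based decision on whether to notify the PDPC and data subjects, and a retained assessment record) is shown below as an added worked example. It is not code from the original page or from the PDPC; the risk-level thresholds, the treatment of encrypted data, and the sample incidents are constructed assumptions that a controller would replace with its own policy.

```python
"""PDPA Section 37(4) breach triage: deadlines, notification decision, assessment record.

Added example; it is not code from the original page or from the PDPC.
The risk-level thresholds and the treatment of encrypted data are
illustrative assumptions a controller would tune to its own policy.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

PDPC_DEADLINE = timedelta(hours=72)          # Section 37(4): notify the PDPC within 72 hours
PDPC_EXTENDED_DEADLINE = timedelta(days=15)  # outer limit when 72 hours was not feasible


@dataclass
class BreachAssessment:
    aware_at: datetime          # when the controller became aware; both clocks run from here
    categories: Set[str]        # subset of {"confidentiality", "integrity", "availability"}
    data_subjects: int          # number of data subjects affected
    sensitive_data: bool        # any sensitive category (health, biometric, ...) involved
    encrypted: bool             # affected data was encrypted at rest
    keys_compromised: bool = False  # keys exposed too, so encryption gives no protection
    notes: List[str] = field(default_factory=list)

    def effectively_protected(self) -> bool:
        # Encryption only lowers risk if the attacker cannot also decrypt.
        return self.encrypted and not self.keys_compromised

    def risk_level(self) -> str:
        """Classify as 'none', 'risk' or 'high_risk' (thresholds are assumptions)."""
        if self.data_subjects == 0:
            return "none"
        # Only a pure confidentiality breach is mitigated by encryption; integrity or
        # availability loss is not helped by the data being unreadable to the attacker.
        if self.categories == {"confidentiality"} and self.effectively_protected() and not self.sensitive_data:
            return "none"
        if self.sensitive_data or self.data_subjects >= 10_000:
            return "high_risk"
        return "risk"

    def required_actions(self, now: datetime) -> Dict[str, object]:
        level = self.risk_level()
        d72 = self.aware_at + PDPC_DEADLINE
        d15 = self.aware_at + PDPC_EXTENDED_DEADLINE
        must_notify = level != "none"
        return {
            "risk_level": level,
            "notify_pdpc": must_notify,
            "notify_data_subjects": level == "high_risk",
            "pdpc_deadline": d72.isoformat(),
            "extended_deadline": d15.isoformat(),
            # Past 72 hours the notification is still due but needs a written reason for the delay.
            "explanation_required": must_notify and now > d72,
            "overdue": must_notify and now > d15,
        }

    def status_after(self, hours_since_aware: float) -> Dict[str, object]:
        """Convenience for 'where do we stand N hours after becoming aware?'."""
        return self.required_actions(self.aware_at + timedelta(hours=hours_since_aware))


def record_assessment(log: List[dict], a: BreachAssessment, hours_since_aware: float) -> dict:
    """Append one evaluation to an append-only log and return the entry.

    Re-evaluations as facts emerge are appended, never overwritten, so the
    history of what was known when survives for a PDPC inquiry.
    """
    assessed_at = a.aware_at + timedelta(hours=hours_since_aware)
    entry = {
        "assessed_at": assessed_at.isoformat(),
        "aware_at": a.aware_at.isoformat(),
        "data_subjects": a.data_subjects,
        "sensitive_data": a.sensitive_data,
        "effectively_protected": a.effectively_protected(),
        "notes": list(a.notes),
        **a.required_actions(assessed_at),
    }
    log.append(entry)
    return entry


# Constructed sample incidents (not real cases).
AWARE = datetime(2026, 1, 10, 8, 0, tzinfo=timezone.utc)
SAMPLE = BreachAssessment(AWARE, {"confidentiality"}, 500, sensitive_data=True, encrypted=False,
                          notes=["health questionnaire export found on a public file share"])
ENCRYPTED_SAMPLE = BreachAssessment(AWARE, {"confidentiality"}, 500, sensitive_data=False, encrypted=True)
KEYS_LOST_SAMPLE = BreachAssessment(AWARE, {"confidentiality"}, 500, sensitive_data=False,
                                    encrypted=True, keys_compromised=True)

if __name__ == "__main__":
    log: List[dict] = []
    for hours in (10, 100, 16 * 24):      # inside 72h, past 72h, past 15 days
        print(record_assessment(log, SAMPLE, hours))
    print(ENCRYPTED_SAMPLE.risk_level(), KEYS_LOST_SAMPLE.risk_level())
```

The point of `keys_compromised` is the caveat most triage checklists miss: a stolen encrypted database whose key sat in the same compromised host is a plaintext breach for notification purposes. The log is deliberately append-only, so an early "no risk" call that is later reversed stays on record alongside the reversal.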
Penalty for Failure to Notify
Under Section 83 of the PDPA, failure to submit a breach notification within 72 hours subjects the data controller to an administrative fine of up to THB 3 million.
Penalties and Enforcement
The PDPA establishes a three-tier penalty structure covering administrative, criminal, and civil liability.
Administrative Penalties
The PDPC's Expert Committee may impose administrative fines of up to THB 5 million per violation. The Committee also retains discretion to issue warnings or order corrective measures in lieu of monetary penalties.
When determining fine amounts, the PDPC considers factors including:
- The seriousness and scope of the violation
- Actions taken by the controller or processor in response to the breach
- The extent to which affected data subjects received remedies
- The timing and adequacy of post-incident measures
- Any prior violations by the same entity
Criminal Penalties
Criminal penalties under the PDPA include:
- Unauthorized disclosure: A person who obtains personal data through duties under the PDPA and discloses it to unauthorized persons faces imprisonment of up to six months, a fine of up to THB 500,000, or both
- Unlawful use of sensitive data: Using sensitive personal data to cause harm carries imprisonment of up to one year, a fine of up to THB 1 million, or both
- Corporate liability: If the offense is committed by a legal entity, directors or responsible persons who knew of the violation and failed to prevent it may face personal criminal liability
Civil Liability
Data controllers or processors who unlawfully process personal data and cause damage, whether intentionally or through negligence, must compensate data subjects. Courts may order punitive damages of up to twice the amount of actual losses incurred.
Enforcement Track Record
The PDPC has moved from a cautious initial approach to active enforcement:
- 2024: The PDPC imposed its first administrative penalties, fining data controllers a combined THB 7 million in connection with a customer data leak that was later exploited in call center scams
- August 2025: The PDPC announced eight new fines totaling THB 14.5 million across five cases involving one government agency and several private entities
- Cumulative total: As of late 2025, the PDPC has issued fines totaling approximately THB 21.5 million (roughly USD 660,000)
Notable cases include a cosmetics company fined THB 2.5 million for failing to notify the PDPC of a data breach and for inadequate security safeguards, and a government agency and its software developer each fined over THB 150,000 following a cyberattack that exposed the personal data of approximately 200,000 individuals.
Cross-Border Data Transfers
The PDPA restricts transfers of personal data outside Thailand under Sections 28 and 29. New regulations governing cross-border transfers were published as law in late 2023 and took effect on March 24, 2024.
Adequacy Decisions (Section 28)
Personal data may be transferred to a destination country or international organization that the PDPC has determined provides an adequate standard of data protection. The adequacy assessment evaluates:
- Alignment of the destination's legal safeguards with the PDPA (security measures, data subject rights, legal remedies)
- The existence of a competent and independent regulatory body to enforce data protection laws
As of early 2026, the PDPC has not yet published a list of countries deemed adequate. This means most organizations must rely on alternative transfer mechanisms.
Binding Corporate Rules (Section 29)
Multinational organizations may transfer data within their corporate group using Binding Corporate Rules (BCRs) that bind all affiliates worldwide and require PDPC approval. BCRs must demonstrate appropriate safeguards equivalent to PDPA protections.
Standard Contractual Clauses
When neither adequacy nor BCRs are available, organizations may rely on Standard Contractual Clauses (SCCs) drafted in accordance with:
- ASEAN Model Contractual Clauses for Cross-Border Data Flows
- EU Standard Contractual Clauses for the Transfer of Personal Data to Third Countries
- Any other model clauses prescribed by the PDPC
SCCs must include Thai-specific obligations, including the requirement for 72-hour breach reporting by the data importer.
Certification Mechanisms
The PDPA also recognizes certification schemes as a valid basis for cross-border transfers, though the PDPC has not yet established specific certification frameworks.
Derogations (Exceptions)
Cross-border transfers may proceed without the above mechanisms when:
- Required for compliance with the law
- The data subject has given informed consent after being told about the inadequate protection standards of the destination country
- The transfer is necessary to fulfill a contract with or on behalf of the data subject
- The transfer is necessary to protect vital interests of the data subject or other persons
- The transfer is necessary for important reasons of public interest
Data Protection Officer (DPO) Requirements
Since the PDPC Notification under Section 41(2) took effect in December 2023, organizations must appoint a DPO in the following circumstances:
When Appointment Is Mandatory
- The data controller or processor is a public authority prescribed by the PDPC
- Core activities involve the regular monitoring of personal data or data systems
- Core activities require large-scale processing of personal data; the PDPC Notification treats processing the data of 100,000 or more data subjects, and activities such as behavioral advertising, insurance, or telecommunications, as large-scale
- Core activities involve processing sensitive personal data on a large scale
DPO Responsibilities
The DPO must:
- Ensure ongoing PDPA compliance within the organization
- Monitor and audit data protection activities
- Provide advice and recommendations on data protection matters
- Serve as the contact point for the PDPC and data subjects
- Maintain confidentiality regarding complaints and breach reports
Penalties for Non-Appointment
Organizations that fall under the mandatory DPO requirements and fail to appoint one face an administrative fine of up to THB 1 million.
Compliance Checklist for Organizations
Businesses operating in Thailand or handling the personal data of individuals in Thailand should prioritize the following:
- Map all data processing activities and identify the lawful basis for each
- Update privacy notices to meet PDPA disclosure requirements
- Implement consent management systems with clear withdrawal mechanisms
- Establish breach detection and 72-hour notification procedures
- Appoint a DPO if processing activities meet the mandatory thresholds
- Review cross-border transfers and implement SCCs, BCRs, or rely on derogations
- Maintain Records of Processing Activities (ROPA) as required under the PDPA
- Conduct Data Protection Impact Assessments for high-risk processing activities
- Train employees on data protection obligations and breach response protocols
- Establish data processing agreements with all third-party processors