Thailand Data Privacy Laws: PDPA Compliance Guide (2026)

Thailand's Personal Data Protection Act B.E. 2562 (PDPA), fully effective since June 1, 2022, governs the collection, use, disclosure, and storage of personal data for any organization that processes data about individuals in Thailand, including foreign businesses targeting Thai consumers.
What Is Thailand's Personal Data Protection Act (PDPA)?
Thailand's Personal Data Protection Act B.E. 2562 is the primary legislation governing the collection, use, disclosure, and storage of personal data in the country. Enacted on May 27, 2019, and published in the Royal Gazette on the same date, the PDPA represents Thailand's first comprehensive data protection law.

The PDPA applies to any organization that collects, uses, or discloses the personal data of individuals in Thailand, regardless of whether the organization is based within the country. This extraterritorial reach means that foreign businesses offering goods or services to people in Thailand, or monitoring the behavior of individuals located in Thailand, must comply with the law.
The legislation was originally scheduled to take full effect in 2020. Due to the COVID-19 pandemic, enforcement of key provisions was postponed multiple times. The PDPA's core data protection provisions finally came into full force on June 1, 2022.
The law is broadly modeled on the European Union's General Data Protection Regulation (GDPR), sharing many structural similarities in areas like lawful bases for processing, data subject rights, and breach notification requirements. However, the PDPA includes provisions tailored to Thailand's legal and regulatory environment, and the regulatory landscape has evolved substantially since 2022 through subordinate regulations, enforcement actions, and complementary legislation.
The Personal Data Protection Committee (PDPC)
The Personal Data Protection Committee is the primary regulatory body responsible for overseeing and enforcing the PDPA. The PDPC was formally established on January 18, 2022, when the Announcement of the Prime Minister's Office on the Appointment of Chairperson and Honorary Members was published in the Government Gazette.
PDPC Composition
The Committee consists of:
- A chairperson appointed based on knowledge, skills, and experience in data protection
- A vice-chairperson who serves as the permanent secretary of the Ministry of Digital Economy and Society (MDES)
- Five commission members designated based on their positions in specific government agencies
- Nine honorary commission members appointed based on expertise in personal data protection, consumer protection, technology, social science, law, health, finance, or related fields
The PDPC is supported by the Office of the Personal Data Protection Committee, which operates under the Ministry of Digital Economy and Society.
PDPC Powers and Responsibilities
The PDPC holds broad authority under the PDPA to:
- Develop a master plan for the promotion and protection of personal data
- Prescribe measures, criteria, and guidelines for business operators
- Issue subordinate regulations and rules under the PDPA
- Investigate complaints and impose administrative penalties
- Determine procedures and strategies for personal data protection operations
- Serve as the point of coordination for international data protection cooperation
As of January 2026, the Office of the PDPC has recorded 2,672 PDPA-related complaints, with the highest complaint volumes involving failure to comply with data minimization principles, collection without a lawful basis, and unauthorized use or disclosure of personal data.
PDPC Eagle Eye Unit
One significant operational development is the establishment of a proactive surveillance capability sometimes referred to internally as the Eagle Eye Unit. The PDPC now monitors dark web forums and public social media platforms for evidence of data leaks affecting Thai residents. This means organizations may face regulatory investigation even in the absence of any formal complaint from affected individuals. If a breach surfaces online before the organization reports it, the PDPC may initiate proceedings using this monitoring data as the basis for inquiry.
Lawful Bases for Processing Personal Data
Under the PDPA, a data controller may not collect, use, or disclose personal data unless it has a valid legal basis. Thailand recognizes seven lawful bases for processing:
1. Consent
The data subject provides freely given, specific, informed, and unambiguous consent. Consent must be distinguishable from other matters, presented in an easily accessible form using clear and plain language. The data subject may withdraw consent at any time, and withdrawal must be as easy as giving it.
A recurring concern in PDPC guidance and the 2025 draft PDPA amendment consultation is that consent is sometimes treated as the default legal basis even when another basis would be more appropriate. The PDPC has signaled that using coercive or incentivized consent -- such as conditioning service access on consent for non-essential processing -- is not valid under the PDPA.
2. Contractual Necessity
Processing is necessary for entering into or performing a contract with the data subject. This covers situations such as processing payment information to fulfill a purchase order.
3. Legal Obligation
Processing is necessary to comply with a law to which the data controller is subject. This includes regulatory reporting requirements, tax obligations, and court orders.
4. Vital Interests
Processing is necessary to prevent or suppress danger to a person's life, body, or health. This applies in emergency situations where the data subject is incapable of providing consent.
5. Public Task
Processing is necessary for tasks carried out in the public interest or under official authority vested in the data controller. Government agencies frequently rely on this basis.
6. Legitimate Interests
Processing is necessary for the legitimate interests of the data controller or a third party, provided those interests do not override the fundamental rights and freedoms of the data subject. When relying on this basis, organizations should conduct a legitimate interest assessment to document the balancing exercise.
7. Research and Statistics
Processing is necessary for preparing historical documents or archives in the public interest, or for research and statistical purposes, subject to appropriate safeguards for data subject rights.
Sensitive Personal Data
The PDPA defines sensitive personal data as information pertaining to:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Sexual behavior
- Criminal records
- Health data
- Disability
- Trade union membership
- Genetic data
- Biometric data
- Any other category the PDPC may designate
Collection of sensitive personal data is prohibited without the data subject's explicit consent, except in limited circumstances such as protecting the vital interests of a person who is incapable of giving consent, processing by a foundation or nonprofit for its members, or processing data that has been manifestly made public by the data subject.
The PDPC's enforcement action against the iris-scanning service in November 2025 (discussed below) illustrates how seriously the regulator treats biometric data. The PDPC found that financial inducements used to obtain consent rendered that consent involuntary under the PDPA, resulting in an order to halt operations and delete approximately 1.2 million iris records.
Organizations whose core activities involve large-scale processing of sensitive personal data are required to appoint a Data Protection Officer (DPO).
Data Subject Rights
The PDPA grants individuals a comprehensive set of enforceable rights over their personal data. Data controllers must respond to rights requests without undue delay and no later than 30 days from the date of the request.
Right to Be Informed
Data subjects have the right to be informed about data processing activities before or at the time personal data is collected. The privacy notice must include the purposes of collection, the categories of data collected, the identity of the data controller, and the data retention period.
Right of Access
Individuals may request access to the personal data a controller holds about them and obtain a copy of that data. The controller must provide the information in a commonly used and readable format.
Right to Rectification
Data subjects can request correction of personal data that is inaccurate, incomplete, or misleading.
Right to Erasure
Individuals may request the deletion or destruction of personal data when it is no longer necessary for the purpose for which it was collected, when consent is withdrawn, or when processing is unlawful.
Right to Data Portability
Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to request that the data be transmitted directly to another data controller where technically feasible.
Right to Object
Individuals may object to the collection, use, or disclosure of their personal data at any time when processing is based on legitimate interests, public interest, or direct marketing.
Right to Restrict Processing
Data subjects may request that a controller limit the processing of their data in specific situations, such as while the accuracy of data is being verified.
Right to Lodge a Complaint
A data subject who believes that a data controller or processor has violated the PDPA may file a complaint directly with the Office of the PDPC.
Data Breach Notification Requirements
Thailand's PDPA imposes strict breach notification obligations on data controllers under Section 37(4).
72-Hour Notification to the PDPC
Data controllers must notify the PDPC of a personal data breach without undue delay and, when feasible, within 72 hours of becoming aware of the breach. The notification is required unless the breach is unlikely to pose a risk to the rights and freedoms of data subjects.
If unavoidable circumstances prevent the controller from meeting the 72-hour deadline, notification must be made no later than 15 days from the date the controller became aware of the breach. In such cases, the controller must provide a valid explanation demonstrating the delay was due to unavoidable reasons.
Notification to Data Subjects
When a breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must notify affected individuals without undue delay. The notification must describe the nature of the breach and provide recommendations for mitigating potential harm.
Risk Assessment Factors
When determining whether a breach requires notification, data controllers should consider:
- The nature and category of the breach (confidentiality, integrity, or availability)
- The type and volume of personal data affected
- The severity of potential impact on data subjects
- Whether the data was encrypted or otherwise protected
- The likelihood of harm based on the circumstances
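The notification clock and the risk factors above can be turned into a repeatable triage step in an incident-response runbook. The following Python is an added example written for this guide, not PDPC tooling or any statutory test: it starts the 72-hour and 15-day clocks from the moment of awareness, and maps the listed factors (breach category, volume, sensitive data, whether the data was encrypted) onto a three-level outcome that drives PDPC and data-subject notification. The factor ordering, the reuse of the 100,000-data-subject DPO figure as a high-risk marker, and all sample incidents are illustrative assumptions; a real decision still needs the documented risk assessment the PDPC expects.

```python
"""PDPA breach-notification triage (added example; thresholds are illustrative
assumptions, not PDPC rules)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PDPC_WINDOW = timedelta(hours=72)      # s.37(4): notify the PDPC within 72 hours of awareness
PDPC_OUTER_LIMIT = timedelta(days=15)  # outer limit when the delay is unavoidable (explanation required)
LARGE_SCALE = 100_000                  # assumption: borrow the DPO large-scale figure as a high-risk marker


@dataclass(frozen=True)
class BreachFacts:
    aware_at: datetime          # when the controller became aware; must be timezone-aware
    categories: frozenset[str]  # subset of {"confidentiality", "integrity", "availability"}
    records_affected: int
    sensitive_data: bool        # any s.26 category (health, biometric, criminal records, ...)
    encrypted: bool             # the exposed copy was encrypted
    key_compromised: bool = False


@dataclass
class Triage:
    risk: str                   # "none" | "risk" | "high"
    notify_pdpc: bool
    notify_subjects: bool
    pdpc_deadline: datetime | None
    pdpc_outer_limit: datetime | None
    reasons: list[str] = field(default_factory=list)


def assess_risk(f: BreachFacts) -> tuple[str, list[str]]:
    """Map the page's risk-assessment factors onto none / risk / high (illustrative ordering)."""
    if f.aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; keep the 72-hour clock in UTC")
    reasons: list[str] = []
    unreadable = f.encrypted and not f.key_compromised
    if "confidentiality" in f.categories and not unreadable:
        reasons.append("personal data readable by an unauthorised party")
        if f.sensitive_data:
            reasons.append("sensitive personal data involved")
            return "high", reasons
        if f.records_affected >= LARGE_SCALE:
            reasons.append(f"{f.records_affected} data subjects affected (>= {LARGE_SCALE})")
            return "high", reasons
        return "risk", reasons
    if "confidentiality" in f.categories:
        reasons.append("exposed data encrypted and key not compromised")
    if f.categories & {"integrity", "availability"}:
        reasons.append("integrity or availability of personal data affected")
        return "risk", reasons
    return "none", reasons


def triage(f: BreachFacts) -> Triage:
    """Decide who must be notified and start the PDPC clock from the moment of awareness."""
    risk, reasons = assess_risk(f)
    required = risk != "none"
    return Triage(
        risk=risk,
        notify_pdpc=required,
        notify_subjects=(risk == "high"),
        pdpc_deadline=f.aware_at + PDPC_WINDOW if required else None,
        pdpc_outer_limit=f.aware_at + PDPC_OUTER_LIMIT if required else None,
        reasons=reasons,
    )


def notification_status(t: Triage, now: datetime) -> str:
    """Where the controller stands on the PDPC clock at time `now`."""
    if not t.notify_pdpc:
        return "not-required"
    if now <= t.pdpc_deadline:
        return "within-72h"
    if now <= t.pdpc_outer_limit:
        return "late-justification-required"  # still file, with a written explanation of the delay
    return "overdue"


# Constructed sample incidents; none of these are real cases.
AWARE = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)


def hours_after(hours: float) -> datetime:
    return AWARE + timedelta(hours=hours)


def sample_cases() -> dict[str, Triage]:
    return {
        "patient_records": triage(BreachFacts(AWARE, frozenset({"confidentiality"}), 4_000, True, False)),
        "encrypted_backup": triage(BreachFacts(AWARE, frozenset({"confidentiality"}), 250_000, False, True)),
        "ransomware": triage(BreachFacts(AWARE, frozenset({"availability"}), 12_000, False, True)),
        "customer_db": triage(BreachFacts(AWARE, frozenset({"confidentiality"}), 150_000, False, False)),
    }


if __name__ == "__main__":
    for name, t in sample_cases().items():
        print(f"{name:17} risk={t.risk:5} pdpc={t.notify_pdpc!s:5} subjects={t.notify_subjects!s:5} "
              f"deadline={t.pdpc_deadline} status={notification_status(t, hours_after(80))}")
```

The `reasons` list is the part worth keeping: it is the written record of the assessment that the PDPC asks controllers to retain, and it is what a "no notification required" decision has to stand on if the breach later surfaces in the regulator's own monitoring.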
Documentation Requirements
Controllers must retain all records of their risk assessments, investigations, and findings. These records become critical during complaints, regulatory inquiries, or inspections by the PDPC, and the absence of a documented assessment leaves the controller unable to justify either a decision not to notify or a late notification. Gaps in this documentation chain featured in the 2025 enforcement cases, most plainly in the state agency case, where investigators found no risk assessment procedures at all.
Penalty for Failure to Notify
Under Section 83 of the PDPA, failure to submit a breach notification within 72 hours subjects the data controller to an administrative fine of up to THB 3 million. Breach notification failure was cited as a violation in every one of the five enforcement cases announced in August 2025.
Penalties Under the PDPA
The PDPA establishes a three-tier penalty structure covering administrative, criminal, and civil liability.
Administrative Penalties
The PDPC's Expert Committee may impose administrative fines of up to THB 5 million per violation. The Committee also retains discretion to issue warnings or order corrective measures in lieu of monetary penalties.
When determining fine amounts, the PDPC considers factors including:
- The seriousness and scope of the violation
- Actions taken by the controller or processor in response to the breach
- The extent to which affected data subjects received remedies
- The timing and adequacy of post-incident measures
- Any prior violations by the same entity
Criminal Penalties Under the PDPA
Criminal penalties under the PDPA include:
- Unauthorized disclosure: A person who obtains personal data through duties under the PDPA and discloses it to unauthorized persons faces imprisonment of up to six months, a fine of up to THB 500,000, or both
- Unlawful use of sensitive data: Using sensitive personal data to cause harm carries imprisonment of up to one year, a fine of up to THB 1 million, or both
- Corporate liability: If the offense is committed by a legal entity, directors or responsible persons who knew of the violation and failed to prevent it may face personal criminal liability
Civil Liability
Data controllers or processors who unlawfully process personal data and cause damage, whether intentionally or through negligence, must compensate data subjects. Courts may order punitive damages of up to twice the amount of actual losses incurred.
The Emergency Decree on Technology Crimes No. 2 (2025)
The Emergency Decree on Measures for Prevention and Suppression of Technology Crimes (No. 2) B.E. 2568 was published in the Government Gazette on April 12, 2025, and took effect on April 13, 2025. This legislation works alongside the PDPA to address the use of personal data in technology-facilitated crime.
New Criminal Provisions for Personal Data Misuse
The Emergency Decree introduced distinct criminal offenses targeting the weaponization of personal data:
- Basic offense: Collecting, possessing, or disclosing personal data -- whether directly or indirectly identifiable -- with intent to enable a technology crime or any other criminal offense carries imprisonment of up to 1 year and/or a fine of up to THB 100,000
- Commercial exploitation: Buying, selling, or profiting from personal data unlawfully carries imprisonment of up to 5 years and/or a fine of up to THB 500,000
These penalties apply regardless of whether the actor originally collected the data. Possessing a database of personal data with criminal intent is itself an offense under the Decree.
Expanded Operator Obligations
The Decree places mandatory obligations on payment service providers, digital asset operators, and telecommunications providers. Covered operators must:
- Implement procedures to detect and prevent technology crimes
- Share information with financial intelligence units and regulatory bodies
- Refuse, suspend, or close accounts linked to criminal activity when instructed
- Monitor communications for indicators of crime (telecommunications providers)
Joint Liability and Compensation
Business operators and financial institutions share joint liability for compensating victims of technology crimes unless they can demonstrate full compliance with the standards prescribed by relevant regulators. This creates a direct financial incentive for operators to maintain robust data protection and fraud detection programs.
Center for Prevention and Suppression of Technology Crimes (CPOT)
A dedicated enforcement unit, the Center for Prevention and Suppression of Technology Crimes, was established under the Office of the Permanent Secretary of the Ministry of Digital Economy and Society. CPOT operates as a joint task force involving the Royal Thai Police, Department of Special Investigation, and Anti-Money Laundering Office. CPOT can notify financial institutions and digital asset operators about account addresses linked to suspected criminal activity.

PDPC Enforcement Record
Thailand's enforcement history demonstrates a clear trajectory from initial restraint to active, financially significant penalties.
August 2024: The First Administrative Fine
On August 21, 2024, the PDPC issued Thailand's first administrative penalty since the PDPA became fully enforceable. The Expert Committee imposed a THB 7 million fine on a major online retail company. The case involved:
- A data breach affecting more than 100,000 customers
- Failure to appoint a required Data Protection Officer
- Inadequate technical and organizational security measures
- Failure to report the breach to the PDPC within 72 hours
The breached data was subsequently exploited by call center fraud networks, which the PDPC cited as evidence of the downstream harm that compliance failures enable. The THB 7 million total was the sum of separate fines for each violation (THB 1 million for the missing DPO, THB 3 million for inadequate security measures, and THB 3 million for the notification failure), each at or near the statutory cap for that provision.
August 2025: Eight Fines Across Five Cases
On August 1, 2025, the PDPC announced eight administrative fines across five separate enforcement cases, totaling approximately THB 14.5 million. The cases spanned both public and private sector entities:
Case 1 -- State Agency and Software Developer: A government agency and its contracted software developer were each fined following a cyberattack that exposed the personal data of approximately 200,000 individuals. Combined fines exceeded THB 306,000. Investigators found weak password practices, no risk assessment procedures, and an absent Data Processing Agreement between the agency and its developer.
Case 2 -- Private Hospital: A private hospital and a contractor were fined a combined THB 1.2 million for inadequate security measures and failure to notify the PDPC of a breach affecting patient data.
Case 3 -- Computer and Accessories Retailer: The retailer was fined THB 7 million, the same total as the 2024 online retail case and again built from separate fines for no DPO appointment, failure to report a data breach, and weak security measures.
Case 4 -- Cosmetics Company: Fined THB 2.5 million for inadequate security safeguards and failure to notify the PDPC of a data breach within the required period.
Case 5 -- Collectible Toy Retailer and Processor: Combined fines of approximately THB 3.5 million for vendor security failures, lack of a Data Processing Agreement, and failure to report a breach.
The PDPC identified four recurring compliance failures across all five cases: insufficient security measures, breach notification failure, missing DPO, and inadequate processor oversight through Data Processing Agreements.
November 2025: Worldcoin Iris-Scanning Shutdown
In November 2025, the PDPC ordered the operator of the World (formerly Worldcoin) iris-scanning program to halt all biometric enrollment in Thailand and delete the iris data of approximately 1.2 million users. The program offered cryptocurrency tokens as an incentive for individuals to scan their irises.
The PDPC's investigation found:
- Consent was not freely given because financial incentives undermined the voluntariness requirement under the PDPA
- Insufficient transparency regarding the purposes for which biometric data would be used
- Failure to comply with requirements governing cross-border transfers and long-term storage of sensitive data
The case confirmed the PDPC's willingness to use its administrative power to order data deletion, not just impose fines. Thailand's action followed similar orders in Germany, Portugal, and the Philippines.
Cumulative Enforcement Total
As of May 2026, the PDPC has issued administrative fines totaling approximately THB 21.5 million (roughly USD 660,000 at current exchange rates). The enforcement pace is accelerating, and the PDPC has announced that e-commerce, healthcare, telecommunications, and public services are its priority sectors for 2026 investigations.
Cross-Border Data Transfers
The PDPA restricts transfers of personal data outside Thailand under Sections 28 and 29. Transfer regulations were published in late 2023 and took effect on March 24, 2024.
Adequacy Decisions (Section 28)
Personal data may be transferred to a destination country or international organization that the PDPC has determined provides an adequate standard of data protection. As of May 2026, the PDPC has not yet published an adequacy list. This means most organizations must rely on alternative mechanisms for routine transfers.
Binding Corporate Rules -- Now Operational
The PDPC published its Regulation on the Examination and Certification of Binding Corporate Rules (BCRs) B.E. 2568 (2025) on September 29, 2025. A revised version was published in the Royal Gazette on February 17, 2026. The BCR framework covers two categories:
- BCR-C: Binding Corporate Rules for Controllers
- BCR-P: Binding Corporate Rules for Processors
The review process takes approximately 180 days from submission of a complete application. Organizations that already hold EU or UK BCR approvals may pursue an accelerated review process by submitting their existing approval alongside a Thai-specific addendum addressing PDPA requirements. The PDPC approved its first two BCR applications on September 30, 2025, making the mechanism fully operational in practice.
Standard Contractual Clauses
When neither adequacy nor BCRs are available, organizations may rely on Standard Contractual Clauses (SCCs) based on:
- ASEAN Model Contractual Clauses for Cross-Border Data Flows
- EU Standard Contractual Clauses for the Transfer of Personal Data to Third Countries
- Any other model clauses prescribed by the PDPC
SCCs must include Thai-specific obligations, including the requirement for 72-hour breach reporting by the data importer.
Derogations
Cross-border transfers may proceed without the above mechanisms when necessary for legal compliance, when the data subject has given informed consent after being told about the destination's protection standards, for contractual fulfillment, for vital interests, or for important public interest purposes.

Data Protection Officer (DPO) Requirements
Since the PDPC Notification under Section 41(2) took effect in December 2023, organizations must appoint a DPO in specified circumstances. A further notification published in the Royal Gazette in October 2025 extended the mandatory DPO requirement to all state agencies designated by the PDPC.
When Appointment Is Mandatory
- The data controller or processor is a public authority prescribed by the PDPC
- Core activities involve the regular monitoring of personal data or data systems
- Core activities require large-scale processing of personal data (defined as processing data of 100,000 or more data subjects, or activities such as behavioral advertising, insurance, or telecommunications)
- Core activities involve processing sensitive personal data on a large scale
DPO Responsibilities
The DPO must:
- Ensure ongoing PDPA compliance within the organization
- Monitor and audit data protection activities
- Provide advice and recommendations on data protection matters
- Serve as the contact point for the PDPC and data subjects
- Maintain confidentiality regarding complaints and breach reports
Penalties for Non-Appointment
Organizations that fall under the mandatory DPO requirements and fail to appoint one face an administrative fine of up to THB 1 million. In both the 2024 and 2025 enforcement waves, absence of a DPO was cited as an aggravating factor leading to higher fines.
Recent Developments (2025-2026)
Draft PDPA Amendment Bill
Toward the end of 2025, the PDPC launched a public consultation on proposed amendments to the PDPA itself. The amendment process is the first comprehensive review of the statute since it came into force. Key proposals under discussion include:
- Repositioning the PDPA as a primary framework rather than a floor standard
- Clarifying definitions of "data controller" and "data processor" to resolve ambiguities that emerged in enforcement
- Revisiting the classification of criminal records as sensitive personal data
- Restructuring the hierarchy of legal bases to reduce over-reliance on consent
- Clarifying when explicit consent requires express affirmative action versus implied conduct
The first round of public consultation has concluded, and a revised draft is proceeding through the formal legislative process. No amendment has been enacted as of May 2026.
PDPC Draft AI Guidelines
On February 17, 2026, the PDPC released Draft Guidelines on Personal Data Protection in the Development and Use of Artificial Intelligence for public consultation. The guidelines translate existing PDPA obligations into AI-specific expectations. Key expectations include:
- Privacy by design and by default integrated into AI system architecture
- Lawful basis requirements applied to training data collection
- Data minimization principles applied to model inputs
- Contractual restrictions in data processing agreements preventing unauthorized model training on personal data
- Transparency obligations regarding automated decision-making
The AI guidelines are not yet legally binding, but they signal how the PDPC will interpret and apply the PDPA to AI-driven data processing in future enforcement actions.
Public Consultation on PDPA Guidelines (April 2026)
The PDPC held a two-day public hearing on April 1-2, 2026, following online stakeholder engagement in March 2026. Six priority compliance areas were the subject of stakeholder input:
- Legal bases for processing
- Security measures and breach notification
- DPO obligations
- Marketing and direct marketing
- Records of Processing Activities (ROPA)
- Data collection through CCTV and national ID card scanning
Formal guidelines covering these areas are expected later in 2026.
Trust Mark Certification Initiative
The PDPC is developing a data protection Trust Mark certification scheme. A questionnaire framework was in preparation as of May 2026, with formal announcement expected later in 2026. The Trust Mark is expected to function as a compliance differentiator in procurement, commercial partnerships, and consumer trust contexts.
Business Compliance Priorities
Organizations operating in Thailand or processing the personal data of Thai residents should treat the following as active compliance obligations, not aspirational goals:
- Map all data processing activities and document the lawful basis for each. Where consent is used, verify it meets the freely given, specific, informed, and unambiguous standard
- Update privacy notices to meet PDPA disclosure requirements, including retention periods and data subject rights
- Implement technical security controls including access management, multi-factor authentication, encryption at rest and in transit, and periodic risk assessments
- Establish breach detection and response procedures with clear internal escalation paths to meet the 72-hour PDPC notification window
- Appoint a DPO if processing activities meet the mandatory thresholds -- state agencies now have a separate mandatory obligation
- Execute Data Processing Agreements with all third-party processors. The absence of a DPA was cited in every 2025 enforcement case involving processor relationships
- Review cross-border transfers and implement BCRs, SCCs, or documented derogations. The BCR pathway is now operational
- Maintain Records of Processing Activities (ROPA) covering all processing operations and the legal bases for each
- Conduct Data Protection Impact Assessments for high-risk processing activities, including AI-driven profiling and large-scale sensitive data processing
- Train all employees handling personal data on PDPA obligations, breach recognition, and internal reporting procedures
- Monitor the PDPC's developing guidelines on AI, CCTV, direct marketing, and ROPA, as formal guidance is expected in the second half of 2026
Thailand's enforcement environment in 2026 is qualitatively different from 2022. The PDPC has demonstrated it will impose near-maximum fines, order data deletion, and investigate proactively without waiting for complaints. For businesses that have treated PDPA compliance as a paperwork exercise, the 2024-2025 enforcement record is a material legal and financial risk signal.
For information on recording laws in Thailand, see our guide to Thailand recording laws.
Frequently Asked Questions
Does Thailand's PDPA apply to foreign companies?
Yes. The PDPA has extraterritorial reach. It applies to any organization, regardless of location, that collects, uses, or discloses the personal data of individuals in Thailand. This includes foreign businesses that offer goods or services to people in Thailand, or that monitor the behavior of individuals located within the country. If your website targets Thai consumers or you process data about Thai residents, you are subject to the PDPA.
What is the maximum penalty for violating Thailand's PDPA?
The PDPA establishes three penalty tiers. Administrative fines can reach up to THB 5 million per violation. Criminal penalties under the PDPA include imprisonment of up to one year and fines of up to THB 1 million for unlawful use of sensitive personal data. The Emergency Decree on Technology Crimes (April 2025) adds criminal penalties of up to five years imprisonment for commercial exploitation of personal data. Civil liability allows courts to award punitive damages of up to twice actual losses. Cumulatively, the PDPC has imposed approximately THB 21.5 million in fines across enforcement actions through mid-2026.
How quickly must a data breach be reported under the PDPA?
Data controllers must notify the PDPC within 72 hours of becoming aware of a personal data breach that poses a risk to data subjects' rights and freedoms. If unavoidable circumstances prevent meeting this deadline, the controller has up to 15 days but must explain the delay. When the breach poses a high risk to individuals, the controller must also notify affected data subjects without undue delay. Failure to report within the required timeframe can result in an administrative fine of up to THB 3 million. Breach notification failure was cited in every one of the five enforcement cases announced in August 2025.
Can personal data be transferred outside Thailand under the PDPA?
Yes, but transfer mechanisms are required in most cases. Organizations can use Binding Corporate Rules (BCRs) -- which became fully operational after the PDPC approved its first BCR applications in September 2025 -- Standard Contractual Clauses based on ASEAN or EU models, or explicit informed consent. An adequacy list has not yet been published. The new cross-border transfer regulations have been in effect since March 24, 2024.
Is appointing a Data Protection Officer mandatory in Thailand?
It depends on processing activities. Since December 2023, a DPO is required when the organization is a designated public authority (expanded to all state agencies in October 2025), when core activities involve regular monitoring of personal data systems, when processing occurs on a large scale (100,000 or more data subjects), or when core activities involve large-scale processing of sensitive personal data. Failing to appoint a DPO when required carries an administrative fine of up to THB 1 million and has been treated as an aggravating factor in fine calculations.
What did the 2025 Emergency Decree add to Thailand's data protection framework?
The Emergency Decree on Technology Crimes No. 2 (effective April 13, 2025) added criminal penalties specifically for personal data misuse in connection with crime. Collecting, possessing, or disclosing personal data with criminal intent carries up to one year imprisonment and a THB 100,000 fine. Commercially buying, selling, or profiting from personal data unlawfully carries up to five years imprisonment and a THB 500,000 fine. The Decree also established a new enforcement center (CPOT) and imposed mandatory obligations on payment service providers, digital asset operators, and telecoms providers.
What is the status of Thailand's PDPA amendment process?
In late 2025, the PDPC launched a public consultation on draft amendments to the PDPA. The proposed changes include clarifying controller and processor definitions, restructuring the legal bases hierarchy to reduce over-reliance on consent, revisiting the sensitive personal data categories, and improving the framework for AI-driven processing. The first consultation round has concluded and a revised draft is proceeding through the legislative process. No amendment has been enacted as of May 2026.
Sources and References
- Personal Data Protection Act B.E. 2562 (2019) -- Full Text (Thai Government Gazette)(pdpathailand.com)
- Office of the Personal Data Protection Committee (PDPC) -- Official Website(pdpc.or.th)
- PDPC Notification Re: Criteria and Procedures for Personal Data Breach Notification(pdpathailand.com)
- Royal Thai Government Gazette (Ratchakitcha) -- Official Government Publication(ratchakitcha.soc.go.th)
- PDPC First Administrative Penalty -- THB 7 Million Fine for Non-Compliance -- Nishimura & Asahi(nishimura.com)
- Thailand PDPC Approved BCRs for Cross-Border Transfers -- Baker McKenzie(bakermckenzie.com)
- Thailand: New Cross-Border Data Transfer Rules Officially Published as Law -- Baker McKenzie(insightplus.bakermckenzie.com)
- Thailand PDPA Crackdown 2025: Major Fines and Lessons -- DLA Piper(privacymatters.dlapiper.com)
- PDPA Fines and Firsts: A 6-Year Timeline of Thailand Data Privacy Enforcement -- Herbert Smith Freehills Kramer(hsfkramer.com)
- Data Protection and Privacy 2026 -- Thailand: Trends and Developments -- Chambers and Partners(practiceguides.chambers.com)
- Thailand Amends Emergency Decree on Technology Crime -- Tilleke & Gibbins(tilleke.com)
- Thailand Establishes Personal Data Protection Commission -- Tilleke & Gibbins(tilleke.com)
- Thailand: Operationalising PDPA -- Lawful Basis, Sensitive Personal Data, and Data Processing Safeguards -- Tilleke & Gibbins(tilleke.com)
- Thailand Shuts Down World Iris Scanning Operation, Orders Deletion of Biometrics -- Biometric Update(biometricupdate.com)
- Thailand PDPC Clarifies Data Breach Notification Requirements -- IAPP(iapp.org)
- PDPC Notification Re: DPO Appointment Requirements under Section 41(2), B.E. 2566 (2023) -- Lexology(lexology.com)
- Thailand PDPC Signals Tougher Enforcement with Multi-Million Baht Fines -- GALA(blog.galalaw.com)
- Thailand PDPA Crackdown 2026: PDPC Issues 8 Fines and Emergency Decree on Tech Crimes -- Saeree ERP(grandlinux.com)
- Thailand PDPA and Biometric Data: Enforcement and Lessons from the World Iris Scanning Case -- MPG(mahanakornpartners.com)
- Thailand Cross-Border Data Transfer Overview -- Securiti(securiti.ai)