Regulation

PDPA (Thailand)

The Personal Data Protection Act B.E. 2562 (2019) — Thailand's comprehensive data-protection law. Applies to any organization processing personal data of people in Thailand, regardless of company size or country of registration.

The Personal Data Protection Act B.E. 2562 (2019), commonly abbreviated PDPA, is Thailand's principal data-protection statute. It is closely modeled on the European GDPR but adapted to the Thai legal context.

Key obligations under PDPA:

  • Lawful basis for every processing purpose (consent, contract, legal obligation, vital interest, public interest, legitimate interest).
  • Data subject rights including access, rectification, erasure, restriction, portability, and objection.
  • Record of Processing Activities (ROPA) for both controllers and processors.
  • Breach notification within 72 hours to the Personal Data Protection Committee.
  • Cross-border transfer safeguards (adequacy or contractual safeguards).
  • Data Protection Officer required for organizations processing sensitive data at scale or whose core activities involve regular monitoring.

The maximum administrative fine is 5 million baht per incident, plus uncapped civil liability and criminal sanctions for sensitive-data violations.

Unlike GDPR, PDPA has no small-business exemption and requires Thai-language documentation for consumer-facing notices and consent.

Sources

  1. Royal Thai Government. Personal Data Protection Act B.E. 2562 (2019). Ministry of Digital Economy and Society, Thailand, 2019. https://www.pdpc.or.th
