Personal Data Protection Act
Since its full enforcement began in June 2022, Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) has fundamentally reshaped how organizations handle personal data. Modeled in part on international frameworks like the GDPR, the PDPA establishes a comprehensive set of rules for data controllers and processors. In 2026—six years after the law was passed—the regulatory environment has entered a new phase characterized by active enforcement, clarified cross‑border transfer mechanisms, and the development of practical compliance guidelines.
For foreign investors, multinational corporations, and local businesses operating in Thailand, understanding the PDPA’s core obligations, the risks of non‑compliance, and the latest 2026 developments is essential. This guide provides an in‑depth analysis of the PDPA’s legal framework, key requirements, cross‑border data transfer rules, enforcement landscape, and strategic steps for compliance.
1. Overview of the PDPA Legal Framework
The PDPA is Thailand’s primary data protection legislation. It applies to any organization—regardless of whether it is located in Thailand—that collects, uses, or discloses the personal data of individuals in Thailand.
1.1 Key Definitions
The PDPA establishes three primary roles:
| Role | Definition | Key Responsibilities |
|---|---|---|
| Data Controller | A person or entity with the authority to make decisions regarding the collection, use, or disclosure of personal data | Determines purposes and means of processing; bears primary compliance obligations |
| Data Processor | A person or entity that processes personal data on behalf of a data controller | Acts only on instructions from the controller; must notify controller of data breaches |
| Data Subject | An identifiable natural person whose personal data is processed | Has rights under the PDPA (access, rectification, erasure, objection, etc.) |
The distinction between controllers and processors is critical because each bears different legal responsibilities under the law.
1.2 Types of Personal Data
The PDPA distinguishes between two categories of personal data with different protection standards:
General Personal Data includes any information that can identify an individual, such as names, addresses, phone numbers, and email addresses. Processing this data requires a lawful basis under the PDPA.
Sensitive Personal Data includes race, ethnicity, political opinions, religious or philosophical beliefs, sexual orientation, criminal records, health data, disability information, trade union membership, and biometric data (including facial recognition and fingerprints). Under Section 26 of the PDPA, sensitive data may only be processed with explicit consent or under specific statutory exemptions.
2. Core Obligations for Data Controllers
2.1 Lawful Basis for Processing
A data controller must have a valid legal basis for collecting, using, or disclosing personal data. While consent is the most well‑known basis, the PDPA provides several alternatives under Section 24.
Under the PDPA, a data controller may process personal data without consent if necessary for: (i) the performance of a contract; (ii) compliance with a legal obligation; (iii) the protection of a data subject’s vital interests; (iv) the performance of a task carried out in the public interest; or (v) legitimate interests pursued by the controller, provided those interests are not overridden by the data subject’s fundamental rights.
The ongoing development of new PDPA guidelines includes detailed clarifications on how organizations should identify, assess, and document these lawful bases. The draft guidelines emphasize necessity, proportionality, and accountability, supported by practical examples, checklists, and FAQs.
2.2 Notification and Consent Requirements
Before collecting personal data, data controllers must notify data subjects of specific information, including:
- The purposes of the collection, use, or disclosure
- The retention period or the criteria used to determine it
- The categories of persons or entities to which personal data may be disclosed
- The data subject’s rights under the PDPA

Where consent is required, it must be explicit, freely given, and obtained prior to or at the time of data collection. Consent requests must be presented clearly and separately from other terms and conditions.
2.3 Data Breach Notification
Under the PDPA and the 2022 PDPC Notification on data breach notification requirements, data controllers have a strict 72‑hour breach notification obligation.
When a personal data breach occurs, the controller must:
1. Assess the risk – Investigate the credibility and details of the breach and evaluate the level of risk to data subjects’ rights and liberties
2. Notify the PDPC – Notify the Office of the PDPC without delay and within 72 hours of becoming aware of the breach, regardless of the assessed risk level
3. Notify affected data subjects – If the risk is high, also notify the impacted individuals with details of the breach and recommended mitigation measures

A data processor must notify the data controller within 72 hours of becoming aware of any breach.

Critical misconception: Under the PDPA, notification is required even if no actual harm has occurred—only when there is “no risk whatsoever” may notification be exempted, and the controller bears the burden of proving this exemption.
2.4 Data Protection Officer (DPO) Appointment
Not all organizations are required to appoint a Data Protection Officer (DPO). Under the PDPA, a DPO must be appointed when the organization:
- Is a public agency
- Engages in processing that requires regular monitoring of data subjects on a large scale
- Processes sensitive personal data on a large scale

The 2026 draft PDPA guidelines provide further clarity on when the “large scale” threshold is triggered, including factors such as the number of data subjects, volume of data, and duration of processing.

Failure to appoint a DPO where required is subject to administrative fines. In a major 2024 enforcement action, a company was fined THB 1,000,000 specifically for failing to appoint a DPO.
2.5 Records of Processing Activities (ROPAs)
Data controllers are required to maintain records of their processing activities, including categories of data, purposes, transfers to third parties, and security measures. The 2026 draft guidelines position ROPAs as a core accountability and compliance tool, with templates and a structured approach to preparation, review, and updating.

A limited exemption exists for certain SME controllers, but this does not constitute a blanket SME exemption from the PDPA. The exemption applies only to specific ROPA record‑keeping requirements, with conditions and exclusions.
3. Cross‑Border Data Transfers (Sections 28 & 29)
For multinational organizations, cross‑border data transfers present one of the most complex compliance challenges. The PDPA regulates transfers of personal data to foreign countries based on whether the destination provides “adequate” protection or whether “appropriate safeguards” are in place.
3.1 Transfers to Countries with Adequate Protection (Section 28)
Under Section 28 of the PDPA, personal data may be transferred to a foreign country if the PDPC has determined that the destination country has “adequate” data protection standards. The Section 28 notification sets out factors for assessing adequacy, including:
- Legal measures aligned with Thai personal data protection law
- Enforceable rights and effective remedies for data subjects
- Authorities with the duty and power to enforce data protection rules

The notification also provides a key clarification for cloud‑based SMEs: “sending or transferring” personal data does not include data transit via intermediary networks or cloud storage where no external person can access the data and appropriate technical measures are in place.
3.2 Binding Corporate Rules (BCRs) as Appropriate Safeguards (Section 29)
A major 2026 development is the formal adoption of Binding Corporate Rules (BCRs) as a legitimized mechanism for intra‑group data transfers.
On 17 February 2026, the Regulation on the Examination and Certification of Binding Corporate Rules B.E. 2568 (2025) took effect following its publication in the Government Gazette. This new regulation establishes a formal process for multinational corporate groups to obtain PDPC certification for their BCRs.
Key Features of the BCR Regulation:
| Aspect | Details |
|---|---|
| Eligible applicants | Thai‑incorporated entity that is part of an affiliated business or group of undertakings, either as the Thailand‑based headquarters or a designated entity responsible for data protection |
| Types of BCR | (i) BCR for data controllers (BCR‑C); (ii) BCR for data processors (BCR‑P) |
| PDPC decision timeline | Within 180 days of filing |
| Government fee | No fee payable for examination and certification |
| Validity period | Indefinite, unless amended, modified, or revoked |
Key Elements Required for BCR Certification:
- Legal enforceability and group‑wide applicability – BCRs must be legally binding on all participating entities and set out comprehensive data protection standards aligned with the PDPA
- Effective monitoring mechanisms – Internal controls such as compliance audits and corrective measures
- Cooperation obligations – All BCR members must agree to cooperate with the PDPC during examinations and comply with its directions
- Data subject rights safeguards – Mechanisms for handling complaints and claims arising from cross‑border transfers
- Technical and organizational security measures – Minimum PDPA‑compliant safeguards

A special streamlined procedure exists for BCRs that have already been certified under the EU GDPR or UK GDPR. Applicants may submit such certified BCRs together with the required documentation for efficiency.
3.3 Standard Contractual Clauses (SCCs)
The Section 29 notification also contemplates the use of contractual approaches similar to standard contractual clauses (SCCs) as a transfer mechanism. The notification sets out the required subject matter for such clauses.

For foreign SMEs, the key takeaway is clear: if you are using overseas vendors or group companies with real access to personal data, you need a documented transfer pathway and appropriate safeguards. “We are a small company” is not a valid justification for non‑compliance.
4. Enforcement Landscape and Penalties
Thailand’s PDPA enforcement has transitioned from theoretical warnings to tangible, significant fines.
4.1 The Landmark THB 7 Million Fine (August 2024)
On 21 August 2024, the PDPC imposed an administrative fine totaling THB 7,000,000 (approximately USD 200,000) on a major private company specializing in online sales of computers and electronic devices.
The fine was imposed on the following specific grounds:
| Violation | PDPA Section | Fine Amount |
|---|---|---|
| Failure to appoint a Data Protection Officer (DPO) | Section 41 | THB 1,000,000 |
| Failure to implement appropriate security measures, leading to a major data breach | Section 37(1) | THB 3,000,000 |
| Failure to notify the PDPC of the breach within 72 hours despite receiving 23 customer complaints | Section 37(4) | THB 3,000,000 |
In addition to the financial penalty, the company was ordered to enhance its security measures and report the results of corrective actions to the PDPC within 30 days.
4.2 Broader Enforcement Trends
As of August 2025, Thai government communications report that cumulative administrative fines across public and private entities exceed THB 21.5 million since full enforcement began.

The violations being penalized span:
- Inadequate security measures leading to data leaks
- Delayed or missing breach notifications
- Failure to appoint required DPOs
- Insufficient vendor governance
4.3 Types of Penalties Under the PDPA
The PDPA provides for three categories of penalties:
| Penalty Type | Maximum |
|---|---|
| Criminal penalties | Imprisonment up to 1 year, fine up to THB 1 million, or both |
| Civil penalties | Actual damages plus punitive damages up to the amount of actual damages |
| Administrative fines | Up to THB 5 million depending on the violation |
5. 2026 Regulatory Developments
5.1 Public Consultation on Draft Guidelines (April 2026)
The PDPC is actively developing comprehensive guidelines to help organizations implement the PDPA. On April 1–2, 2026, the PDPC held a two‑day public hearing to review draft guidelines covering six core thematic areas:
- Lawful basis for processing – Clarifying necessity, proportionality, and accountability
- Security measures and breach notification – A structured framework covering technical, administrative, and physical measures, plus detailed guidance on identifying, assessing, and notifying breaches
- Data Protection Officers (DPOs) – When a DPO is required, qualifications, independence, and reporting lines
- Marketing and direct marketing – Purpose limitation, data minimization, opt‑out mechanisms, and case studies
- Records of processing activities (ROPAs) – Mandatory content, roles of controllers and processors, and templates
- Use of CCTV in housing estates and condominiums – PDPA‑compliant practices for surveillance technologies

These guidelines will not have the force of law but are expected to influence regulatory expectations, compliance assessments, and enforcement decisions.
5.2 Proposed Guidelines on Data Deletion, Destruction, and De‑identification
Since June 2024, the PDPC has been developing criteria for how data controllers must delete, destroy, and de‑identify personal data when requested by data subjects under the PDPA’s right of erasure.

Under the proposed framework, data controllers must respond to erasure requests without delay, and in any event within 60 days. If immediate deletion is not possible, interim measures must ensure the data is made difficult to access. De‑identification or anonymization is permitted only under specific conditions, and not where the underlying processing was unlawful.
6. Strategic Compliance Recommendations for 2026
Given the active enforcement environment and evolving regulatory guidance, organizations should prioritize the following compliance actions:
1. Map your data processing activities.
Document what personal data you collect, from whom, for what purposes, and on what lawful basis. This foundational step is essential for all other compliance obligations.
2. Verify your DPO requirement.
Assess whether your organization meets the criteria requiring a DPO appointment. If a DPO is required, ensure the individual has appropriate qualifications, independence, and organizational support.
3. Audit your cross‑border transfers.
Identify all transfers of personal data outside Thailand. For multinational groups, evaluate whether applying for BCR certification could streamline cross‑border compliance across group entities.
4. Implement a breach response playbook.
Establish procedures for detecting, assessing, and reporting breaches within the 72‑hour window. Ensure data processors have contractual obligations to notify you immediately.
5. Review your security measures.
Conduct a security assessment, implement appropriate technical and organizational measures (encryption, access controls, auditing), and consider conducting Data Protection Impact Assessments (DPIAs) for high‑risk processing.
6. Prepare for the new guidelines.
Even though the 2026 draft guidelines are not yet final, organizations should begin reviewing current compliance frameworks against the themes identified: lawful basis documentation, ROPA maintenance, and marketing consent mechanisms.
7. Train your staff.
Human error remains a leading cause of data breaches. Regular PDPA training for employees who handle personal data is essential.
Conclusion
2026 marks a pivotal year for Thailand’s PDPA. The legal framework is now mature: active enforcement has resulted in multi‑million‑baht fines, cross‑border transfer mechanisms (including BCRs) have been fully operationalized, and detailed compliance guidelines are under active development.
For organizations doing business in Thailand, the PDPA is no longer a future concern—it is a present operational reality. The most defensible approach is not perfect paperwork but documenting a small set of key decisions and controls: lawful basis mapping for each core workflow, vendor governance, security measures, and an incident response playbook.
Entities that invest in proactive compliance will not only avoid significant financial penalties but will also build trust with customers, employees, and business partners in Thailand’s increasingly data‑conscious economy.