Understanding Thailand's Personal Data Protection Act (PDPA)

Jan 28, 2025 Blog Article

The Personal Data Protection Act (PDPA), B.E. 2562 (2019), Thailand’s first-ever data privacy legislation, took effect on June 1, 2022. This was just over three years after its introduction in the Royal Thai Government Gazette. Following a series of updates and the country’s first legal action for PDPA noncompliance, the law remains an important milestone for Thai companies and organizations dealing with the data of Thai subjects. 

George Janssen, Blancco Group Legal Counsel

George Janssen heads up the Blancco Technology Group legal department, a position he’s held since 2018. In this role, George is responsible for the day-to-day legal operations of the Blancco group worldwide, including data privacy and compliance. With significant legal experience in international organizations focused on technology and software, George specializes in data privacy and data governance, data classification, intellectual property management and technology partnership.

The law regulates how businesses operating in Thailand should handle the personal data of the country’s citizens and their right to privacy. It specifically requires businesses to establish clear mechanisms for data subject consent and implement safeguards to protect sensitive data, thus aligning with international data protection norms.

A Personal Data Protection Committee (PDPC) was created to enforce the law and ensure compliance, along with publishing guidelines, standards, and exceptions for data controllers. The PDPC’s release of additional sub-regulations in March 2024 further clarified compliance requirements, particularly for cross-border data transfers and Binding Corporate Rules (BCRs).

Broad protections across all platforms

The PDPA comprehensively regulates the collection, use, and disclosure of personal data in online, offline, and paper-based contexts.

It applies to all businesses operating in Thailand, or offering services to people in Thailand, including those outsourcing data to third parties. Additionally, it provides specific exemptions for personal or household activities, public security, and mass media operations conducted in line with professional ethics.

The broad protections aim to align with evolving digital economy standards, ensuring relevance in global trade and data processing frameworks.

Let’s look more at the PDPA to understand its similarities and differences with other local, national, and international data management standards.

Unique principles

Like many of the newer data protection laws, the PDPA shares several principles with the European Union’s General Data Protection Regulation (GDPR). Both laws limit what personal data an organization may collect and how long it may retain it.

Because of the PDPA’s similarity to the GDPR, a company already doing business in the EU will be familiar with most of the PDPA’s provisions and will be able to adjust its existing compliance program to the PDPA’s specific requirements. For example, under both laws, organizations have 72 hours to notify of a data breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Understanding each law

There are a few critical differences that businesses operating or planning to operate in Thailand must understand.

Enforcement and penalties

Failure to comply with the PDPA can result in criminal, civil, and administrative penalties. The most egregious violations, involving sensitive personal data and unauthorized disclosure, are punishable by up to a year in prison.

The amount of the penalty varies according to the nature of the violation of the law.

While many sources state that the maximum administrative fine under the PDPA is Baht 5 million, in November 2024 the PDPC fined a prominent Thai IT distributor Baht 7 million (approximately $204,000 USD) for violating PDPA principles, including:

In addition to financial penalties, the company was ordered to overhaul its data protection framework within 30 days and provide weekly updates to the PDPC.

This case underscores the importance of PDPA compliance for businesses.

Data breach management

Organizations must adopt comprehensive incident response plans, including breach notification procedures and swift corrective actions.

The PDPC’s phased notification process allows for timely updates as more information becomes available. Businesses should also establish clear escalation protocols for handling breaches to ensure rapid response.

Comply with Thailand’s PDPA with Blancco

Contact us to learn more about the critical role of data destruction in the PDPA, including how Blancco’s data erasure solutions can support you in erasing end-of-life personal data.

First published in 2023. Updated in 2025 to reflect recent changes.
