Thailand’s Personal Data Protection Act (PDPA) Explained

By: Anokhy Desai CIPP/US, CIPT, CIPM Anokhy Desai CIPP/US, CIPT, CIPM | Updated on: February 15, 2024

Generate a Free Privacy Policy
What-Is-Thailand-Personal-Data-Protection Act-PDPA-01

According to recent studies, 162 countries have enacted data privacy laws — in Thailand, that law is the Personal Data Protection Act (PDPA).

Thailand’s PDPA applies to businesses both inside and outside the country and gives individuals rights over how their personal information is collected and used.

In this guide, you’ll learn everything you need to know about Thailand’s data protection law, including who it applies to, what it requires, and the penalties for violating it.

Table of Contents
  1. What Is Thailand’s Personal Data Protection Act (PDPA)?
  2. Thailand’s PDPA Key Terms and Definitions
  3. What Does Thailand’s Personal Data Protection Act Cover?
  4. Requirements of Thailand’s Personal Data Protection Act
  5. Thailand’s PDPA vs. Global Data Privacy Laws: Similarities and Differences
  6. How Does Thailand’s PDPA Impact Consumers?
  7. How Does Thailand’s PDPA Impact Businesses?
  8. Who Must Comply With Thailand’s PDPA?
  9. How Can Businesses Comply With Thailand’s PDPA?
  10. How Is Thailand’s PDPA Enforced?
  11. Fines and Penalties Under Thailand’s Personal Data Protection Act
  12. How Does Termly Help With Thailand’s PDPA Compliance?
  13. Are There Other Privacy Related Laws in Thailand?
  14. Summary

What Is Thailand’s Personal Data Protection Act (PDPA)?

Thailand’s Personal Data Protection Act is the primary consumer data protection law that protects individuals in Thailand.

It describes the rights individuals have over their personal information, outlines specific guidelines entities must follow to legally collect and use consumer information, and lists the penalties for violating those requirements.

When Did Thailand’s PDPA Take Effect?

Signed in 2019, Thailand’s Personal Data Protection Act officially took effect on June 1, 2022.

Thailand’s PDPA Key Terms and Definitions

To help you understand how to comply with Thailand’s PDPA, we’ve included the definitions of some key terms as they appear in the English translation of the law below:

What Does Thailand’s Personal Data Protection Act Cover?

Thailand’s PDPA covers the personal information of natural persons in Thailand.

It also covers the collection and processing of personal data by controllers or processors based in Thailand, regardless of where the collected data comes from.

Requirements of Thailand’s Personal Data Protection Act

There are several requirements that businesses complying with Thailand’s PDPA must follow.

Lawful Bases for Processing Data

Under Thailand’s PDPA, entities can legally process personal data for the following reasons:

Consent

According to Thailand’s data privacy law, consent must be explicitly given in a written statement or electronically when possible.

When requesting user consent, a covered entity must provide a notification or disclosure about the data processing.

The user must then freely agree to the processing of their own accord and retain the right to easily withdraw consent at any time.

Appointing a Data Protection Officer (DPO)

Thailand’s PDPA requires entities to appoint a data protection officer who’s responsible for:

  • Giving entities advice for complying with Thailand’s PDPA;
  • Investigating if the controller and/or processor fully comply with the law;
  • Coordinating with the regulatory authorities who enforce the law as needed; and
  • Maintaining confidentiality regarding all personal data acquired while working as a DPO.

Data processors and controllers must also provide users with contact information for their DPO.

Data Retention Obligations

Entities must inform users about how long they retain data at or before the point of data collection.

If unable to provide a date, the entity must explain the process used to determine how long the data will be kept.

Processing Special Categories of Personal Data

To process special categories of data — like sensitive personal information — the entity must obtain explicit consent from the data subject.

However, data controllers may collect information related to criminal records if authorized by an official authority.

Contractual Obligations

Controllers and processors under Thailand’s PDPA must enter into a contractual agreement that requires both parties to follow all requirements outlined by the law.

Part of the agreement must include the maintenance of personal data records and activities and compliance with rules set forth by the Personal Data Protection Committee (PDPC).

Thailand’s PDPA vs. Global Data Privacy Laws: Similarities and Differences

Several data privacy laws exist around the world, including the following:

  • The California Consumer Privacy Act (CCPA)
  • Europe’s General Data Protection Regulation (GDPR)
  • Argentina’s Personal Data Protection Act (Argentina PDPA)
  • Brazil’s General Data Protection Law (LGPD)
  • Canada’s Personal Information Protection and Electronics Documents Act (PIPEDA)
  • South Africa’s Protection of Personal Information Act (POPIA)
  • Australia’s Privacy Act 1988 (the Privacy Act)
  • New Zealand’s Privacy Act 2020

You can compare Thailand’s PDPA to the other global privacy laws in the table below.

Data Privacy Law Requires opt-in consent* Mandates publishing a privacy policy  Outlines contractual obligations with third parties Holds businesses accountable for data security Has specific requirements for international data transfers Requires additional guidelines for categories of sensitive (special) information
Thailand PDPA
Argentina PDPA
CCPA
GDPR
LGPD
PIPEDA
POPIA
Privacy Act 1988
Privacy Act 2020

*With some exceptions for some laws.

How Does Thailand’s PDPA Impact Consumers?

Thailand’s PDPA impacts consumers by granting them certain rights over how their personal data gets collected and used, including the right to:

  • Access their personal data
  • Obtain a portable copy of their data
  • Rectify incomplete data about them
  • Delete or have a controller de-identify their information
  • Opt out of certain data processing activities, including direct marketing
  • Withdraw consent at any time
  • Lodge a complaint to a data authority

Users also have the right to be informed about what data is being collected about them, why it is being collected, and what that data’s retention period is.

Who Does Thailand’s PDPA Apply To?

The Personal Data Protection Act applies to the data of any natural, living person in Thailand.

However, any data collected and used in a household or personal context is exempt.

How Does Thailand’s PDPA Impact Businesses?

Thailand’s PDPA impacts businesses in more ways than just the lawful bases and data retention requirements previously mentioned — it also affects privacy and cookie policies.

How Does Thailand’s PDPA Affect My Privacy Policy?

According to Thailand’s PDPA, businesses must inform individuals about the following details before or at the point of data collection:

  • The purpose of the data collection
  • The retention period
  • The rights the individual has over their information

An easy way to meet this guidance is to present your users with a privacy policy that meets these notification requirements.

Once individuals are already informed about the collection, they do not have to be presented with such a notice again.

How Does Thailand’s PDPA Affect My Cookie Policy?

Thailand’s PDPA affects your cookie policy because users protected by the law have the right to be informed of data collection at or before the point of collection, and internet cookies collect personal data from users.

You must ensure your users are aware of what cookies your website uses, what they do, and why you use them before they’re placed on their browsers.

To meet this requirement, you should present your users with an accurate cookie policy.

Who Must Comply With Thailand’s PDPA?

Any business in Thailand that collects and processes personal data must comply with the Personal Data Protection Act.

Businesses outside of Thailand that offer goods or services to individuals in the country and monitor their online behavior must also comply with the act, regardless of whether a financial transaction occurs.

Who Is Exempt From Thailand’s PDPA?

The following entities are exempt from following Thailand’s PDPA:\

How Can Businesses Comply With Thailand’s PDPA?

To comply with Thailand’s PDPA, businesses should update their privacy policies and cookie policies to meet all requirements for properly informing users about data collection.

Implementing a consent management platform with a properly configured consent banner enables you to meet opt-in and opt-out requirements outlined by the law.

Finally, to make it easy to receive and respond to requests from users to follow through on their rights, put a Data Subject Access Request (DSAR) form on your site.

How Is Thailand’s PDPA Enforced?

In Thailand, the PDPA is enforced by the Personal Data Protection Committee (PDPC).

The PDPC also drafts and releases sub-regulations and guidelines for the law.

They can determine how entities should interpret PDPA compliance, issue notifications to those who violate the law, and establish future rules or guidelines.

Fines and Penalties Under Thailand’s Personal Data Protection Act

Violating Thailand’s PDPA can lead to fines of up to THB 5 million ($145,000) and criminal penalties.

Businesses might also be forced to cease all data processing activities.

How Does Termly Help With Thailand’s PDPA Compliance?

Termly offers a Consent Management Platform (CMP) that businesses can configure to meet the opt-in and opt-out consent requirements required by Thailand’s PDPA.

Our team is also working on updates to our Privacy Policy Generator, so it will include the necessary information to comply with the notification requirements outlined by Thailand’s privacy law.

Vetted by our legal team and data privacy experts, our Generator asks simple questions about your business and data processing activities and builds a unique policy based on your answers.

Check back to learn when these updates are live.

While the PDPA is the most significant data privacy law in Thailand, a few other pieces of legislation exist, including the following:

Summary

Thailand’s Personal Data Protection Act is a comprehensive law that gives individuals in the country more control over how their data is collected, processed, and used.

If you’re subject to the PDPA, update your privacy policy to meet the notification requirements outlined by the law.

With resources like our Privacy Policy Generator, complying with data privacy laws has never been easier.

Anokhy Desai CIPP/US, CIPT, CIPM
More about the author

Written by Anokhy Desai CIPP/US, CIPT, CIPM

Anokhy is a privacy lawyer with prior experience in privacy and cybersecurity in the public and private sectors. As a former Westin Fellow at the IAPP, she published several articles, white papers, and infographics, and led, coordinated, and moderated webinars and panels, all regarding US privacy and privacy technology. Anokhy obtained her masters at Carnegie Mellon University and juris doctor at the University of Pittsburgh. More about the author

Related Articles

Explore more resources