Thailand’s Personal Data Protection Act

What is the Personal Data Protection Act (PDPA) of Thailand?

The Personal Data Protection Act, B.E. 2562 (2019), often referred to by its acronym, PDPA, is Thailand’s comprehensive data privacy and protection law. Enacted to safeguard the personal data of individuals, it is heavily influenced by international privacy standards, most notably the European Union’s General Data Protection Regulation (GDPR). The PDPA establishes a framework for the collection, use, disclosure, and cross-border transfer of personal data by organizations operating in Thailand or handling the personal data of data subjects in Thailand (regardless of their nationality), and is relevant to virtually every industry and function that handles personal data.

The PDPA marks a significant legislative shift, moving Thailand from having sectoral or fragmented data protection rules to an overarching, unified legal framework.

The PDPA applies to both Data Controllers (entities that determine the purposes and means of processing personal data) and Data Processors (entities that process personal data on behalf of a Data Controller) that are located in Thailand. Crucially, it also has extra-territorial scope, meaning it applies to organizations outside of Thailand if they process the personal data of data subjects located in Thailand by offering goods or services to them, or monitoring their behavior in Thailand.

While the PDPA is the primary data protection law, organizations must also comply with related laws such as the Cybersecurity Act (CSA) B.E. 2562 (2019), which governs cyber threat response and critical infrastructure protection, and various regulations from the Ministry of Digital Economy and Society (MDES) and the Bank of Thailand (BoT) regarding specific sectors.

The PDPA was published in the Royal Gazette on May 27, 2019. The institutional provisions took effect immediately, while the operative provisions (lawful basis, data subject rights, controller and processor duties, penalties) were given a one-year transition period. That deadline was postponed twice by Royal Decree, largely because of the COVID-19 pandemic, and the PDPA came into full effect on June 1, 2022, meaning all organizations subject to the Act are now required to be compliant. The implementing regulations and guidelines issued by the Office of the Personal Data Protection Committee (PDPC) are still being released and refined, so compliance programs need to track new notifications rather than treat the 2022 text as final.

What are the Requirements for the PDPA?

Compliance with the PDPA is not a one-time event but an ongoing process that requires organizational commitment and the implementation of specific controls. The primary body responsible for enforcing the PDPA, issuing guidelines, and hearing complaints is the Office of the Personal Data Protection Committee (PDPC).

Basic Organizational Requirements

Requirement area and description:

  • Lawful Basis for Processing: Personal data must be processed on a legitimate ground. Consent is the default ground; processing without consent is permitted only under the Act’s exceptions, which include contractual necessity, legitimate interest, public interest, vital interest, and legal obligation. Sensitive personal data (for example health, biometric, religion, or criminal records) requires explicit consent or a narrower set of exceptions.
  • Data Subject Rights: Organizations must establish mechanisms to honor data subjects’ rights, including the right to access, correction, erasure (right to be forgotten), restriction of processing, data portability, objection to processing, and withdrawal of consent.
  • Data Controller & Processor Obligations: Data Controllers are responsible for ensuring compliance and must have a legal basis for processing. Data Processors must process data only according to the Controller’s documented instructions. Both must implement security measures, and the Controller must bind the Processor by agreement.
  • Data Protection Officer (DPO): Certain organizations (public authorities, and organizations whose core activities involve large-scale monitoring of data subjects or processing of sensitive data) must appoint a DPO to oversee compliance.
  • Security Measures: Implement appropriate administrative, technical, and physical safeguards to prevent unauthorized or unlawful loss, access, use, alteration, or disclosure of personal data, and review them as risks change.
  • Data Breach Notification: Organizations must notify the PDPC without undue delay and within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. Affected data subjects must also be notified without undue delay if the breach is likely to result in a high risk to them. In practice this means incident response playbooks need a PDPA assessment step that starts the 72-hour clock at the moment of detection, not at the end of the investigation.
  • Records of Processing Activities (ROPA): Data Controllers and Data Processors must maintain ROPA detailing their processing activities, subject to limited exemptions for small organizations.

Why Should You Be PDPA Compliant?

Compliance with the PDPA is not just a legal burden; it is a fundamental pillar of modern business operations, offering significant competitive and financial advantages while mitigating severe risks.

Benefits and Advantages of Compliance

  • Enhanced Customer Trust and Loyalty: Demonstrating a commitment to protecting customer data builds trust, which is a powerful competitive differentiator, especially in the digital economy.
  • Facilitation of International Business: Because the PDPA aligns closely with GDPR, a PDPA program covers much of what international partners and clients expect to see. Note that Thailand has not received an EU adequacy decision, so transfers of personal data from the EU to Thailand still require a GDPR transfer mechanism such as standard contractual clauses; PDPA compliance makes those arrangements easier to support but does not replace them.
  • Operational Efficiency: The compliance process mandates data mapping and inventory, which leads to better data governance, clearer data flows, and improved internal organizational structure.
  • Improved Security Posture: Implementing the required technical and organizational security measures inherently enhances the organization’s overall cybersecurity resilience against external threats.
  • Brand Reputation: Proactive compliance protects the brand reputation from the severe negative publicity associated with data breaches or regulatory actions.

Disadvantages and Risks of Non-Compliance

Failing to comply with the PDPA exposes an organization to significant legal, financial, and reputational consequences.

Consequence type and details:

  • Administrative Fines: Tiered fines of up to THB 1 million, 3 million, or 5 million (roughly USD 135,000 at the top tier), depending on the provision breached. The top tier is reserved for unlawful collection, use, or disclosure of sensitive personal data; lower-tier breaches include failing to appoint a DPO, failing to maintain ROPA, or failing to provide a compliant privacy notice.
  • Civil Liability: Compensation to the data subject for actual damages suffered due to non-compliance. The court may additionally award punitive damages of up to twice the actual damages.
  • Criminal Penalties: Up to six months’ imprisonment and/or a fine of up to THB 500,000 for unlawful use or disclosure of sensitive personal data that causes damage to the data subject, rising to up to one year’s imprisonment and/or a fine of up to THB 1 million where the act is done for unlawful benefit. Where the offender is a company, directors or managers responsible for the act can be prosecuted personally.
  • Reputational Damage: Loss of public trust, negative media coverage, and damage to brand equity, leading to customer churn and difficulty in attracting new business partners.
  • Business Limitations: Regulatory action can lead to temporary or permanent suspension of data processing activities, severely limiting business operations, especially for data-driven services.

How to Achieve Compliance?

Achieving PDPA compliance requires a structured, continuous, and auditable GRC program. The Centraleyes platform is designed to automate and streamline this process, enabling organizations to rapidly assess, remediate, and maintain their compliance posture.

The Centraleyes Platform provides significant value for PDPA compliance by accelerating time-to-compliance through automation across several key areas. Our PDPA Questionnaire provides immediate gap analysis by scoring current compliance levels against PDPA requirements. Centraleyes also offers pre-built templates for essential PDPA documentation, including a Privacy Notice template, a Data Breach Notification template, a Record of Processing Activities (ROPA) template and more.

By leveraging the Centraleyes platform, organizations can move from manual, fragmented compliance efforts to a unified, automated GRC program. The platform provides a clear, actionable roadmap, allowing organizations to efficiently track their progress and achieve PDPA compliance sooner by focusing resources on high-priority risks, thereby minimizing financial penalties and bolstering customer trust.

Does your company need to be compliant with Thailand’s Personal Data Protection Act?
