What is PDPA Thailand

The Personal Data Protection Act (PDPA) is Thailand’s comprehensive privacy law, enforced since June 1, 2022. Modeled after the GDPR, it governs how organizations collect, use, and disclose personal data of individuals in Thailand. PDPA applies to any business—local or international—that processes data of Thai residents for commercial purposes, regardless of physical location.

 

Key Compliance Requirements

 

To comply with PDPA Thailand, organizations must:

 

  • Obtain Consent: Clear, informed consent is required before collecting or using personal data, especially for sensitive categories like health, biometrics, or religious beliefs.

  • Provide User Rights: Individuals have the right to access, correct, and delete their data, and to withdraw consent at any time.

  • Appoint a DPO: Certain companies must designate a Data Protection Officer (DPO), particularly those processing large volumes or sensitive data.

  • Implement Safeguards: Businesses must adopt reasonable technical and organizational security measures to protect data from loss, misuse, or unauthorized access.

  • Notify Breaches: Data breaches must be reported to the regulator within 72 hours.

 

Violations may result in administrative fines up to THB 5 million, and in some cases, criminal penalties.

 

Why It Matters

 

PDPA Thailand strengthens data privacy rights and holds businesses accountable for how they use personal information. Non-compliance risks not only fines but also reputational harm. Aligning with PDPA ensures ethical data use, builds consumer trust, and avoids regulatory scrutiny.
