What is GDPR vs PDPA

Overview: What Are GDPR and PDPA?

GDPR (General Data Protection Regulation) is the European Union's data protection law, enforced since 2018, and it set a global benchmark for privacy regulation. PDPA (Personal Data Protection Act) is Thailand's national data privacy law, effective June 2022, modeled closely on GDPR but tailored to the local context. Both aim to protect individuals' personal data and to ensure that data processing is transparent.

Key Similarities and Differences

Similarities:

  • Consent Requirement: Both laws require clear consent before personal data is collected or used.

  • User Rights: Individuals can access, correct, delete, and object to the use of their personal data.

  • DPO Requirement: Both mandate a Data Protection Officer for high-risk or large-scale processing.

  • Breach Notification: Both require breach notification within strict timeframes (GDPR: 72 hours; PDPA: “as soon as practicable”).

Differences:

  • Territorial Scope: GDPR applies to any organization, anywhere in the world, that processes EU residents' data. PDPA applies only to the data of Thai residents.

  • Regulatory Body: GDPR is enforced by national DPAs and coordinated by the EDPB; PDPA is regulated by Thailand's PDPC.

  • Fines: GDPR imposes fines of up to €20 million or 4% of global turnover. PDPA's maximum fine is THB 5 million (≈€130,000).

  • Legal Basis for Processing: GDPR offers multiple legal bases; PDPA leans heavily on explicit consent.

Why This Comparison Matters

Understanding both laws helps multinational companies harmonize compliance efforts across jurisdictions and reduce legal risk. While the two are similar in principle, their execution and enforcement differ, so localized compliance strategies remain essential.
