
Global Data Privacy Guide

Thailand

(Asia Pacific) Firm Tilleke & Gibbins Updated 23 Jul 2025
1. What is the key legislation?

The key personal data protection legislation in Thailand is the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), which became fully effective and enforceable on June 1, 2022. 

2. What are the key decisions applying that legislation?

In August 2024, the Personal Data Protection Committee (“PDPC”) announced the imposition of an administrative fine on a retail company, the first such fine under the PDPA, in the amount of THB 7 million for failure to (a) appoint a data protection officer, (b) implement adequate security measures, and (c) comply with the data breach notification obligation.

1. How are “personal data” and “sensitive data” defined?

The term “personal data” is defined under the PDPA as any data pertaining to a living individual that enables identification of that individual, whether directly or indirectly. There is no reference to the term “sensitive data” in the PDPA. However, Section 26 of the PDPA provides a list of categories of personal data which are subject to different requirements in terms of legal bases, i.e. personal data pertaining to ethnicity, race, political opinions, doctrinal, religious or philosophical beliefs, sexual behavior, criminal records, health records, disability, labor union information, genetic data, biometric data, or any other data which may affect the data subject in the same manner as prescribed by the PDPC.

2. How is the defined data protected?

The PDPA imposes various obligations for the collection, use, disclosure, transfer, deletion, and/or otherwise processing of personal data. See Question 5 for more information. 

3. Who is subject to privacy obligations?

The PDPA imposes obligations on two main key players: the data controller (i.e. a person or legal entity who/which has the authority to make decisions on the collection, use or disclosure of personal data) and the data processor (i.e. a person or legal entity who/which collects, uses or discloses personal data for or on behalf of the data controller). 

Data controllers and data processors located in Thailand must comply with the PDPA regardless of where the collection, use or disclosure of personal data takes place. The PDPA also has extraterritorial effect which means that data controllers and data processors in other jurisdictions will also be obligated to comply with the PDPA if they collect, use or disclose personal data of the data subject in Thailand to (a) offer him/her goods or services, irrespective of whether payment is made or not; or (b) monitor his/her behavior which takes place in Thailand. 

The PDPA does provide exemptions from being subject to its provisions – for example, when the processing is for personal interest or household activity of that person, when the act is carried out by the government agencies responsible for maintaining state stability (including anti-money laundering and cybersecurity), and others.

4. How is “data processing” defined?

The PDPA does not define or refer to the term “data processing.” However, it can be understood to refer to the collection, use, disclosure, transfer, retention, deletion, and/or other processing of personal data. 

5. What are the principles applicable to personal data processing?

The principles applicable to personal data processing under the PDPA include data minimization, purpose limitation, accuracy, storage limitation, lawfulness, fairness, and transparency. These principles are not expressly indicated in the PDPA itself; however, these principles can be implied from the provisions of the PDPA.

6. How is the processing of personal data regulated?

In general, the PDPA only permits the processing of personal data where a lawful basis can be identified – for example, consent, legitimate interest, contractual obligations, legal obligations, etc.

7. How are storage, security and retention of personal data regulated?

The PDPA does not set out specific regulations for the storage of personal data. However, it does impose requirements on the security and retention of personal data.

The PDPA provides that the data controller must implement adequate personal data protection measures to prevent loss, unauthorized or unlawful access, use, modification, alteration, or disclosure of personal data, and to review such measures when necessary or when there is a change in technology. The security measures must at least satisfy the minimum standards prescribed by the PDPC.

With regard to the retention of personal data, the PDPA does not impose a specific period for which personal data is to be retained; however, it does impose an obligation on the data controller to implement a monitoring system for the deletion or destruction of personal data (1) at the end of its retention period; (2) when it is no longer necessary or relevant for the purposes for which it was collected; (3) as requested by the data subject; or (4) when consent is withdrawn by the data subject, unless otherwise exempted. 

8. What are the data subjects' rights under the data legislation?

Subject to the conditions of the PDPA, the data subjects are entitled to the right to access, right to data portability, right to erasure, right to object, right to suspension, right to rectification, right to withdraw consent and right to lodge a complaint to the authority. 

9. What are the consent requirements for data subjects?

For consent to be valid and binding, the consent request must be made in accordance with the requirements under the PDPA – for example, the consent request must be made in writing or via electronic means, unless impossible by its nature; it must use plain language; it must not be made a condition for entering into a contract or the provision of a service to which the consent is not relevant; and it must be made prior to or at the time of the collection, use or disclosure of personal data, etc. 

10. How is authorization for use of data handled?

To use personal data, there must be an appropriate lawful basis. Any use of personal data which does not rely on consent must be recorded in the record of processing activities (“RoPA”). The PDPA further stipulates that the use of personal data must also be limited to the scope of purposes which have been informed to the data subjects unless it is otherwise permitted by the PDPA.

Further to the above, any person or legal entity receiving personal data from the data controller must not use or disclose that personal data for purposes other than those notified to the data controller when acquiring such data. 

It should also be noted that the PDPC’s Notification Re: Security Measures of the Data Controller B.E. 2565 (2022) stipulates that the security measures to be implemented in relation to the use of personal data must at least consist of access control, identity proofing and authentication, user access management, user responsibilities, audit trails, etc.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

Yes, the PDPA regulates cross-border transfers by imposing restrictions and requirements. Generally, a cross-border transfer is permitted if the destination country or the international organization that receives the personal data has adequate personal data protection standards in place, or if the cross-border transfer falls within any of the permitted activities prescribed by the PDPA – for example, when the data subject has been informed of the inadequacy of the personal data protection standards of the destination country or the international organization and has granted consent to the cross-border transfer, when an intra-group policy for the cross-border transfer of personal data among group companies has been implemented and has been examined and certified by the Office of the PDPC, or when appropriate contractual clauses have been entered into.

12. How are data "incidents" and "breaches" defined?

According to the PDPC’s Notification Re: the Rules and Procedures for Personal Data Breach Notification B.E. 2565 (2022), "personal data breach" is defined as "any breach of security that leads to loss, or unauthorized or unlawful access, use, change, alteration, or disclosure of personal data, whether such breach occurs intentionally, willfully, by negligence, without authorization or unlawfully, computer crime, cyber threat, any mistake, accident, or any other reasons."

13. Are there any notification requirements for incidents and/or data breaches?

Yes, there are notification requirements for data breaches under the PDPA:

  • Data controllers must notify the Office of the PDPC of a data breach without delay and within 72 hours upon becoming aware of the breach, unless such a breach has no risk of affecting the rights and freedoms of an individual. If the risk is high, apart from notifying the Office of the PDPC, the data controller must also notify the data subject of said breach, together with remedial action, without delay. 
  • The data processor must notify the data controller of a data breach without delay and within 72 hours upon becoming aware of the breach.

14. Who is/are the privacy regulator(s)?

The Office of the PDPC is the regulator under the PDPA.

15. What are the consequences of a data breach?

A data breach results from inadequate security measures. Failure to implement adequate security measures that at least meet the minimum standards set forth by the PDPA could result in liabilities and penalties. See Question 22 for more information. 

16. How is electronic marketing regulated?

From the PDPA perspective, the same requirements and obligations apply to the processing of personal data for electronic marketing purposes as to any other processing.

Apart from the PDPA, it should be noted that sending electronic marketing communications is regarded as an offence under the Computer Crimes Act B.E. 2550 (2007) on the ground of causing a disturbance to the recipient. Sending such electronic marketing will not be considered an offense if (a) consent has been obtained from the recipient; and (b) each electronic marketing communication contains the marks, details and procedures by which the recipient can easily opt out of or unsubscribe from receiving such communications.

17. Are there sector-specific or industry-specific privacy requirements?

Yes, apart from the PDPA, other industry-specific legislation prescribes personal data protection requirements and obligations – for example, the National Health Act B.E. 2550 (2007) and the Mental Health Act B.E. 2551 (2008), which apply to the healthcare industry; the Notification of the National Broadcasting and Telecommunications Commission Re: Measures to Protect Telecommunications Service Users’ Rights Regarding Personal Data, Privacy Rights, and Freedom of Telecommunications, issued by virtue of the Telecommunications Business Act B.E. 2544 (2001), which applies to the telecommunications business industry; and the Credit Information Business Act B.E. 2545 (2002), which applies to the financial industry. 

18. What are the requirements for appointing Data Protection Officers or similar roles?

The appointment of a Data Protection Officer (“DPO”) is mandatory under any of the following circumstances: 

  • The data controller or data processor is a state agency as prescribed by the PDPC
  • The activities of the data controller or data processor in relation to the processing of the personal data require “regular monitoring of the personal data or the system” by reason of “having large-scale personal data;” or 
  • The core activity of the data controller or data processor is related to the processing of sensitive personal data (i.e., the categories of personal data listed in Section 26 of the PDPA).

19. What are the record-keeping and documentation obligations?

The PDPA imposes obligations on data controllers and data processors to maintain the RoPA, either in written or electronic form. The RoPA must at least contain the information required by the PDPA.

Certain data controllers and data processors may be exempted from the RoPA requirement – for example, if they are small or medium-sized businesses in accordance with the law on small and medium-sized enterprise promotion. However, the exemptions are subject to further conditions prescribed by the PDPA.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

The PDPA does not impose requirements for conducting DPIAs.

21. What are the requirements for third-party vendor management and data sharing?

Where the data controller will disclose personal data to a third party, the PDPA imposes obligations on the data controller to ensure that such third party will not use or disclose the received personal data unlawfully or without authorization. 

Apart from the above, for the relationship between data controller and data processor, the PDPA requires that there must be an agreement between them to ensure that the data processor will process personal data in accordance with its obligations under the PDPA.

22. What are the penalties and enforcement mechanisms for non-compliance?

Non-compliance with, or violation of, the PDPA could result in the following penalties and/or liabilities: 

  • Civil liabilities: Actual damages and, in certain cases, punitive damages not exceeding twice the amount of actual damages.
  • Administrative Penalties: Fine not exceeding THB 5 million, depending on the offence committed. For a non-severe offense, an administrative order will first be imposed, e.g., a rectification order, suspension order, etc. In case of severe offense or failure to comply with the administrative order, an administrative fine will be imposed.
  • Criminal Penalties: Imprisonment for a term not exceeding 1 year and/or a fine not exceeding THB 1 million. For a legal entity, if the offence is committed due to the act or omission of its director, manager, or person responsible for its operation, such person will also be subject to the same criminal penalties.

23. What are the ongoing compliance and audit requirements?

Currently, the PDPA does not have specific provisions on audit requirements. In relation to ongoing compliance, data controllers and data processors must ensure compliance with the obligations and requirements under the PDPA throughout the period in which they are processing personal data. 

24. Are there any recent developments or expected reforms?

The PDPC has become highly active in enforcing the PDPA against offenders, particularly where there is a data breach incident. Hence, it is crucial for all businesses to reassess their operations and ensure that they remain in compliance with the PDPA.

There have been discussions that the PDPA might be revised in the near future. 
